Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Exfiltrate Sensitive Data

In early 2025, cybersecurity researchers identified a sophisticated malware campaign orchestrated by the Russian threat actor known as COLDRIVER, also referred to as Star Blizzard or Callisto. This campaign introduced a new malware strain named LOSTKEYS, which has been actively targeting diplomatic institutions, defense contractors, and critical infrastructure organizations across Europe and North America.

Overview of COLDRIVER’s Activities

COLDRIVER has a history of engaging in cyber espionage activities that align with Russian strategic interests. The group is known for targeting high-profile individuals and organizations, including NATO affiliates, non-governmental organizations (NGOs), and journalists. Their operations have previously involved credential phishing campaigns aimed at intelligence gathering. Notably, in 2022, COLDRIVER was linked to breaches at three U.S. nuclear research laboratories and the leak of emails from former British intelligence chief Richard Dearlove.

Introduction of LOSTKEYS Malware

The emergence of LOSTKEYS marks a significant evolution in COLDRIVER’s capabilities. Unlike their earlier reliance on phishing for credentials, this new malware is designed specifically for data exfiltration. It focuses on stealing credentials, sensitive documents, and communications from targeted organizations. The malware’s deployment has been observed since early 2025, indicating a strategic shift towards more sophisticated cyber espionage tactics.

Infection Mechanism and Propagation

LOSTKEYS primarily spreads through spear-phishing emails that contain malicious document attachments. These emails are meticulously crafted to appear legitimate, often masquerading as correspondence from trusted partners or government agencies. The attachments exploit previously undisclosed vulnerabilities in popular office productivity software. When a recipient opens the attachment, a multi-stage infection process is initiated silently in the background. This process establishes persistence on the victim’s system while evading detection by conventional security solutions.

Technical Analysis of LOSTKEYS

The infection chain of LOSTKEYS begins with a weaponized document containing obfuscated Visual Basic for Applications (VBA) macros. Upon execution, these macros deploy a PowerShell downloader that retrieves the main LOSTKEYS payload from a remote server. The PowerShell script used in this process is designed to download and execute additional code, further embedding the malware into the system.

Once installed, LOSTKEYS establishes persistence through a combination of registry modifications and the creation of scheduled tasks. It performs environment checks to identify the presence of security tools and executes evasive maneuvers when necessary. The malware communicates with its command-and-control (C2) servers using encrypted channels that mimic legitimate HTTPS traffic, making detection through network monitoring extremely challenging. Its modular architecture allows operators to deploy additional capabilities as needed, tailoring the attack to each specific target.
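The two paragraphs above describe a chain a defender can hunt for without any malware-specific indicator: an Office process spawning a script host, a downloader-style PowerShell command line, and persistence written through Run keys or scheduled tasks that point at user-writable paths. The following is an added detection sketch, not code from the original article or from any vendor report on LOSTKEYS. The process-creation events, host names, paths and the `-enc <constructed-base64>` placeholder are all constructed for illustration; the field names (`host`, `parent`, `image`, `cmdline`) are assumed to be what a Sysmon-style or EDR process-creation feed would provide after normalisation.

```python
"""Hunt for the macro -> PowerShell downloader -> persistence chain.

Constructed example for illustration: the sample events below are not
COLDRIVER/LOSTKEYS artefacts, and the event schema is an assumption about
a normalised process-creation log (Sysmon Event ID 1 or an EDR equivalent).
"""
import re
from collections import defaultdict

# Parents that should rarely, if ever, launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line cues typical of a stage-one downloader. "-enc" is matched only
# as a whole token, so the benign "-Encoding" parameter does not fire.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
# Persistence primitives named in the analysis: scheduled tasks and Run keys.
PERSIST_CUES = re.compile(r"schtasks(\.exe)?\s+/create|\\CurrentVersion\\Run", re.IGNORECASE)
# Payloads living in user-writable locations are the usual tell for malware persistence.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of an image path (Windows or POSIX separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> set:
    """Return the set of detection tags that apply to a single process event."""
    tags = set()
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        tags.add("office_spawned_script_host")
        if DOWNLOAD_CUES.search(cmd):
            tags.add("script_host_downloader")
    if PERSIST_CUES.search(cmd) and USER_WRITABLE.search(cmd):
        tags.add("persistence_from_user_writable_path")
    return tags


def triage(events) -> dict:
    """Aggregate tags per host so the stages of the chain can be correlated."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return dict(per_host)


def chain_detected(tags: set) -> bool:
    """True when a host shows both the initial-access stage and persistence."""
    return "office_spawned_script_host" in tags and "persistence_from_user_writable_path" in tags


# Constructed sample feed: ws-01 exhibits the full chain, ws-02 is benign admin use.
SAMPLE_EVENTS = [
    {"host": "ws-01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -w hidden -enc <constructed-base64>"},
    {"host": "ws-01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\upd.exe" /sc onlogon'},
    {"host": "ws-01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\alice\AppData\Roaming\upd.exe"},
    {"host": "ws-02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Encoding utf8 Get-Process"},
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        verdict = "CHAIN" if chain_detected(tags) else "no chain"
        print(f"{host}: {verdict} {sorted(tags)}")
```

The per-host correlation is the point: each rule on its own (Office launching PowerShell, a scheduled task pointing into `AppData`) will fire on some legitimate software, but the combination on one endpoint within a short window is rare enough to page on. In production the `cmdline` matching would be paired with parent-child lineage from the EDR rather than string cues alone, and the Run-key rule would also be fed from registry-modification telemetry rather than only `reg.exe` invocations.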

Impact and Implications

The impact of LOSTKEYS infections has been substantial. Affected organizations have reported significant intellectual property theft and unauthorized access to sensitive communications. The malware’s stealthy nature means many victims remain unaware of its presence for extended periods, allowing attackers to maintain persistent access and continuously harvest valuable data. This prolonged access poses severe risks to national security, economic stability, and the integrity of critical infrastructure.

Response and Mitigation Efforts

In response to the discovery of LOSTKEYS, security agencies across multiple countries have issued alerts warning potential targets about this evolving threat. Organizations are advised to implement robust cybersecurity measures, including regular software updates, employee training on recognizing phishing attempts, and the deployment of advanced threat detection systems. Google’s Threat Intelligence Group has added all known domains and hashes associated with the malware to its Safe Browsing blocklists to disrupt the campaign and prevent further exploitation.

Conclusion

The deployment of LOSTKEYS by COLDRIVER underscores the evolving nature of cyber threats and the increasing sophistication of state-sponsored actors. As these groups continue to develop and deploy advanced malware, it is imperative for organizations to stay vigilant and proactive in their cybersecurity efforts. Continuous monitoring, threat intelligence sharing, and collaboration between public and private sectors are essential to mitigate the risks posed by such advanced persistent threats.