ColdRiver, the alleged operator of the LostKeys malware

May 16, 2025

Since early 2025, the Russian state-sponsored hacking group ColdRiver has been using a new malware variant called LostKeys in targeted espionage operations.

These attacks mainly target Western governments, journalists, think tanks, and non-governmental organisations.

In December 2024, the United Kingdom and its allies officially associated ColdRiver’s activities with Russia’s Federal Security Service (FSB), the country’s internal security and counterintelligence agency.

According to Google’s Threat Intelligence Group (GTIG), the LostKeys malware was first identified in January during highly targeted ClickFix social engineering attacks.

In these cases, threat actors tricked victims into running malicious PowerShell scripts that downloaded further stages, ultimately deploying LostKeys, a Visual Basic Script (VBS) built to steal files and system information.

GTIG reported that LostKeys can take files from a specified list of extensions and directories and send system details and active processes back to the attackers.
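The chain described above (a user-run PowerShell stage that ends in a VBS file-stealer executed by a script host) is something a SOC can hunt for in process-creation telemetry. The following detector is an added example written for this page, not code from the article, GTIG or ColdRiver; it runs over a handful of constructed Sysmon-style events (the event shape, paths, PIDs and user names are all assumptions) and flags a script host running a `.vbs` whose parent is PowerShell, rating the hit higher when that PowerShell was itself launched from `explorer.exe`, which is what a Run-dialog paste produces.

```python
"""
Added example (not from the article, GTIG or the threat actor): flag the
PowerShell -> wscript/cscript -> .vbs process chain over constructed events.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process (assumed field)
    cmdline: str    # its command line (assumed field)
    user: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Run-dialog and Start-menu launches appear as children of explorer.exe
USER_LAUNCHERS = {"explorer.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_clickfix_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one record per script host that runs a .vbs under a PowerShell parent."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[dict] = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS or ".vbs" not in e.cmdline.lower():
            continue
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SHELLS:
            continue
        grandparent = by_pid.get(parent.ppid)
        user_launched = grandparent is not None and basename(grandparent.image) in USER_LAUNCHERS
        shell_cmd = parent.cmdline.lower()
        hidden = "-w hidden" in shell_cmd or "-windowstyle hidden" in shell_cmd
        hits.append({
            "user": e.user,
            "script_host_pid": e.pid,
            "shell_pid": parent.pid,
            "launcher": basename(grandparent.image) if grandparent else None,
            # a user-launched shell matches the ClickFix pattern; anything else is worth a look
            "severity": "high" if user_launched else "medium",
            "hidden_window": hidden,
            "vbs_cmdline": e.cmdline,
        })
    return hits

# Constructed sample telemetry: one ClickFix-like chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\alice"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "<constructed stage-one command>"', "CORP\\alice"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\AppData\Local\Temp\verify.vbs", "CORP\\alice"),
    # benign: domain logon script, parent is not a user shell (parent PID not in the set)
    ProcEvent(4000, 600, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe \\corp\netlogon\logon.vbs", "CORP\\bob"),
    # benign: interactive admin PowerShell with no script-host child
    ProcEvent(5000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service", "CORP\\alice"),
]

if __name__ == "__main__":
    for hit in find_clickfix_chains(SAMPLE_EVENTS):
        print(hit)
```

On the sample set only the `explorer.exe -> powershell.exe -> wscript.exe verify.vbs` chain is reported, with `severity` `high` and `hidden_window` `True`; the logon script and the plain admin shell are ignored. In production the same logic maps onto Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled), and the hidden-window flag is an enrichment, not a requirement, since the article does not state which PowerShell switches the lure used.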


The ColdRiver threat group may have utilised the new LostKeys malware, which has features similar to those of a previously utilised payload.


While ColdRiver is more commonly recognised for credential theft and email espionage, it has also used malware such as SPICA to gain deeper access to victims’ documents. LostKeys is believed to have a similar role and is employed selectively.

ColdRiver, which is also tracked under names like Star Blizzard, Callisto Group, and Seaborgium, has executed cyber operations using social engineering and open-source intelligence (OSINT) tactics since at least 2017.

It is not the sole nation-backed threat group using ClickFix tactics; North Korea’s Kimsuky, Iran’s MuddyWater, and other Russian groups such as APT28 and UNK_RemoteRogue have also recently adopted similar techniques.

In December 2023, intelligence agencies warned about ColdRiver’s spear-phishing activity aimed at government, defence, and NGO organisations. Those campaigns also affected defence industrial firms and U.S. Department of Energy sites.

In 2022, MSTIC disrupted another ColdRiver campaign involving Microsoft accounts used to spy on NATO-affiliated organisations and individuals.

The U.S. State Department is currently offering up to $10 million for tips and details leading to the identification or location of other ColdRiver operatives.
