{"id":16334,"date":"2025-05-10T19:26:42","date_gmt":"2025-05-10T17:26:42","guid":{"rendered":"http:\/\/plus.maciejpiasecki.info\/index.php\/2025\/05\/10\/google-uncovers-lostkeys-new-russian-malware-in-action\/"},"modified":"2025-05-10T22:02:13","modified_gmt":"2025-05-10T20:02:13","slug":"google-uncovers-lostkeys-new-russian-malware-in-action","status":"publish","type":"post","link":"https:\/\/plus.maciejpiasecki.info\/index.php\/2025\/05\/10\/google-uncovers-lostkeys-new-russian-malware-in-action\/","title":{"rendered":"Google Uncovers &#039;LostKeys&#039;: New Russian Malware in Action"},"content":{"rendered":"<p>The shadowy world of cyber espionage has a new player on the field: a sneaky piece of malware dubbed \u201cLostKeys.\u201d According to Google, a Russian state-backed malware crew known as COLDRIVER has been using LostKeys since the start of the year to snoop on Western governments, journalists, think tanks, and non-governmental organizations.<\/p>\n<p>COLDRIVER isn\u2019t exactly a new kid on the block. Back in December, the UK and its \u201cFive Eyes\u201d intelligence allies pointed the finger at them. The hacking group was directly linked to Russia\u2019s Federal Security Service (FSB), which is basically their counterintelligence and internal security bigwig.<\/p>\n<p>Google discloses LostKeys, a malware linked to Russia<\/p>\n<p>Google\u2019s Threat Intelligence Group (GTIG) first spotted LostKeys in January. It seems COLDRIVER has been deploying it in very targeted \u201cClickFix\u201d attacks. Think of these as digital con jobs where they trick people into running dodgy PowerShell scripts. Basically, ClickFix attacks are based on classic social engineering.<\/p>\n<p>Once those scripts are running, they pave the way for even more PowerShell nastiness to be downloaded and executed. Their main goal is the installation of LostKeys, which Google has identified as a Visual Basic Script (VBS) data theft malware. 
According to GTIG\u2019s report, LostKeys is like a \u201cdigital vacuum cleaner\u201d that extracts specific files and directories. It also sends system information and a list of running processes back to the attackers.<\/p>\n<p>COLDRIVER\u2019s usual MO involves stealing login details to pilfer emails and contacts. However, they\u2019ve also been known to deploy another malware called SPICA for grabbing documents and files. LostKeys seems to be serving a similar purpose, but it\u2019s only brought out for those \u201chighly selective cases.\u201d This suggests that it\u2019s a more specialized tool in COLDRIVER\u2019s espionage toolkit.<\/p>\n<p>Interestingly, COLDRIVER isn\u2019t the only state-sponsored group dabbling in these ClickFix attacks. The cyber underworld is apparently a fan of this tactic, with groups linked to North Korea (Kimsuky), Iran (MuddyWater), and even other Russian actors (APT28 and UNK_RemoteRogue) all using similar methods in their recent spying campaigns.<\/p>\n<p>COLDRIVER operating since 2017<\/p>\n<p>COLDRIVER is also known by a few other aliases, like Star Blizzard and Callisto Group. The group has been honing its social engineering and open-source intelligence skills to trick targets since at least 2017. Its targets have ranged from defense and government organizations to NGOs and politicians. The group\u2019s attacks have been increasing, especially after Russia\u2019s invasion of Ukraine, even expanding to defense-industrial sites and US Department of Energy facilities.<\/p>\n<p>The US State Department has even slapped sanctions on a couple of COLDRIVER operatives (one reportedly an FSB officer). Currently, US authorities are offering a hefty $10 million reward for any tips that could help track down other members. 
This reflects the level of seriousness with which the US is taking the group.<br \/>\nThe post Google Uncovers &#8216;LostKeys&#8217;: New Russian Malware in Action appeared first on Android Headlines.<br \/>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/plus.maciejpiasecki.info\/wp-content\/uploads\/2025\/05\/malware-image-48938493.jpg\" width=\"1280\" height=\"720\"><br \/>\nSource: androidheadlines.com<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The shadowy world of cyber espionage has a new player on the field: a sneaky piece of malware dubbed \u201cLostKeys.\u201d [&hellip;]<\/p>\n","protected":false},"author":67,"featured_media":16335,"comment_status":"false","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16334","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bez-kategorii"],"_links":{"self":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/16334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/users\/67"}],"replies":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/comments?post=16334"}],"version-history":[{"count":1,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/16334\/revisions"}],"predecessor-version":[{"id":16336,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/16334\/revisions\/16336"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/media\/16335"}],"wp:attachment":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.
php\/wp-json\/wp\/v2\/media?parent=16334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/categories?post=16334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/tags?post=16334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}