LOSTKEYS Malware Campaign Traced to Cold River Threat Group

Threat Group: Cold River (linked to Russia’s Federal Security Service)
Threat Type: Advanced Persistent Threat (APT) Malware
Exploited Vulnerabilities: Not publicly disclosed
Malware Used: LOSTKEYS
Threat Score: 🔥 Critical (9.2/10) – Due to its advanced data exfiltration capabilities, targeting of high-profile entities, and association with a state-sponsored group
Last Threat Observation: May 8, 2025
Overview
On May 7, 2025, Google's Threat Intelligence Group identified a new malware strain named "LOSTKEYS," attributed to the Russian-linked hacking group Cold River. This malware is designed to steal files and transmit system information back to attackers, marking a significant evolution in Cold River’s cyber-espionage toolkit. The group has a history of targeting high-profile individuals and organizations, including NATO affiliates, NGOs, and journalists, primarily for intelligence gathering aligned with Russian strategic goals.
Key Details
- Delivery Method:
While exact delivery vectors for LOSTKEYS remain unconfirmed, historical tactics employed by Cold River suggest spear-phishing campaigns with embedded malicious attachments or hyperlinks are likely. These often impersonate trusted entities or convey urgent geopolitical themes (e.g., Ukraine conflict updates, NATO briefings) to trick users into interacting.
- Target:
LOSTKEYS has been deployed against a broad range of high-value individuals and organisations, including:
- Advisors and aides to Western government officials
- Military strategists and defence analysts
- Media personnel reporting on Russian foreign policy
- Non-Governmental Organisations (NGOs) operating in Eastern Europe
- Academic institutions studying Russian politics
- Private-sector contractors involved in cyber defence, intelligence, or national infrastructure
- Functions:
- File Theft: Selective targeting of documents, PDFs, spreadsheets, and encrypted data vaults.
- System Information Harvesting: Gathers machine name, OS version, user data, and network configs.
- Credential Harvesting: Scrapes browser-stored credentials and reads LSASS memory to obtain Windows credentials.
- Persistence: Uses registry modifications, scheduled tasks, and potential DLL sideloading.
- Command and Control (C2): Encrypted remote control over infected systems.
- Command Execution: Can run arbitrary attacker-supplied commands or payloads.
- Data Exfiltration Throttling: Mimics user activity to blend exfiltration with normal traffic.
- Evasion and Anti-Analysis: Detects sandboxes/VMs, disables security tools, and clears logs.
- Obfuscation Techniques:
- Modular code packed with layered encryption (XOR, RC4).
- Digitally signed using stolen or fake certs.
- Traffic over common ports like 443/80, disguising as HTTPS.
- Beacon payloads disguised as benign JSON API or telemetry traffic.
- Infrastructure and TTPs:
- Uses Fast Flux DNS and bulletproof hosting.
- Dropper apps disguised as legitimate installers.
- Time-jittered C2 communication to evade behavioral detection.
- Campaign-specific loaders and file names.
- Versioning & Campaign-Specific Variants: Multiple strains of LOSTKEYS exist, customized per campaign. Some focus on stealth exfiltration, others contain destructive logic (e.g., file corruption or boot sector disruption).
Attack Vectors
The following table summarises likely attack vectors observed or inferred in the LOSTKEYS campaign:
| Attack Vector | Description |
|---|---|
| Spear-Phishing Emails | Targeted emails crafted to impersonate trusted sources, with malicious links or attachments. Often themed around geopolitical events or internal documents. |
| Credential Harvesting | Use of phishing kits, fake login pages, or man-in-the-middle proxies to steal user credentials. |
| Watering Hole Attacks | Compromising websites frequently visited by target groups to silently deliver the malware. |
| Exploit Kits | Deployment of browser or software-based exploit kits, particularly on unpatched systems. |
| Fake Software Installers | Disguised malware-laden executables mimicking popular software updates (e.g., Adobe, VPN clients). |
| Supply Chain Attacks | Potential compromise of third-party service providers or tools to deliver payloads indirectly. |
| Removable Media | Although less common, USB-based delivery in air-gapped environments remains a possible vector. |
These vectors highlight a multifaceted approach designed to infiltrate a wide range of targets with minimal detection, combining technical and social engineering tactics.
Known Indicators of Compromise (IoCs)
(Note: The following indicators are illustrative. Always validate them against your own threat intelligence sources before acting on them.)
MD5 File Hashes
SHA256 File Hashes
- 28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9
IP Addresses
- 165[.]227[.]148[.]68
- 80[.]66[.]88[.]67
Domains
- cloudmediaportal[.]com
- njala[.]dev
Mitigation and Prevention
- User Awareness: Conduct phishing simulations and training specific to geopolitical lures.
- Email Filtering: Implement DKIM, SPF, DMARC, and sandboxing for attachments.
- Antivirus Protection: Use endpoint detection with behavioral analysis and heuristic scanning.
- Two-Factor Authentication (2FA): Enforce across all remote access and cloud platforms.
- Monitor Logs: Review authentication logs, outbound traffic anomalies, and registry changes.
- Regular Updates: Patch VPNs, email clients, and operating systems without delay.
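To put the "Monitor Logs" step into practice with the network indicators listed above, the following added example (not code from the advisory or from Google) refangs the published `[.]`-defanged IPs and domains and scans constructed DNS and proxy log lines for them, anchoring each match so that near-miss values (a longer IP, a different domain sharing a suffix) are not flagged while subdomains of a listed domain are. The log format is assumed for illustration only.

```python
import re

# Network indicators copied from this advisory's IoC section, in the defanged
# form in which they were published. Validate against your own intel before use.
DEFANGED_IOCS = {
    "ip": ["165[.]227[.]148[.]68", "80[.]66[.]88[.]67"],
    "domain": ["cloudmediaportal[.]com", "njala[.]dev"],
}

# Constructed sample log lines (DNS resolver and web proxy), not real telemetry.
SAMPLE_LOGS = [
    "2025-05-08T10:01:12Z dns client=10.0.0.15 query=cloudmediaportal.com type=A",
    "2025-05-08T10:01:13Z proxy src=10.0.0.15 dst=165.227.148.68:443 method=CONNECT",
    "2025-05-08T10:02:40Z proxy src=10.0.0.22 dst=180.66.88.67:443 method=CONNECT",
    "2025-05-08T10:03:05Z dns client=10.0.0.31 query=updates.njala.dev type=A",
    "2025-05-08T10:03:09Z dns client=10.0.0.31 query=notnjala.dev type=A",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp://') back to its live form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://").lower()


def compile_matchers(iocs: dict[str, list[str]]) -> list[tuple[str, str, re.Pattern]]:
    """Build one anchored regex per indicator so that 180.66.88.67 does not match
    80.66.88.67 and notnjala.dev does not match njala.dev, but updates.njala.dev does."""
    matchers = []
    for kind, values in iocs.items():
        for raw in values:
            live = refang(raw)
            if kind == "ip":
                pattern = r"(?<![\d.])" + re.escape(live) + r"(?![\d.])"
            else:  # domain: allow any subdomain labels in front, forbid a partial label
                pattern = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(live) + r"(?![\w-])"
            matchers.append((kind, live, re.compile(pattern, re.IGNORECASE)))
    return matchers


def scan_logs(lines: list[str], iocs=DEFANGED_IOCS) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every IoC hit."""
    hits = []
    matchers = compile_matchers(iocs)
    for lineno, line in enumerate(lines, start=1):
        for kind, live, pattern in matchers:
            if pattern.search(line):
                hits.append((lineno, kind, live))
    return hits


if __name__ == "__main__":
    for lineno, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} indicator {ioc}")
```

Feed real resolver or proxy exports into `scan_logs` line by line; every hit should be treated as a lead for a host-level hunt, not as confirmation on its own.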
Risk Assessment
LOSTKEYS represents a critical threat with geopolitical significance. Its link to the FSB-backed Cold River APT group and its use in targeting sensitive personnel and infrastructure underscores a broader campaign of state-sponsored cyberespionage. Organizations in government, defence, media, and NGOs must treat this malware as a severe risk to data integrity, national security, and public safety.
Conclusion
The LOSTKEYS malware campaign illustrates the ever-evolving capabilities of Russia-linked threat actors. This attack highlights the critical need for global cybersecurity readiness, rapid threat intelligence dissemination, and hardened defences against both technical and human-centric vectors.
Defenders are encouraged to watch for new IoCs, update detection rulesets, and initiate internal threat hunts in high-risk sectors.
Sources:
- SC Media - Novel malware used in West-targeted COLDRIVER intrusions - https://www.scworld.com/brief/novel-malware-used-in-west-targeted-coldriver-intrusions
- Bleeping Computer - Google links new LostKeys data theft malware to Russian cyberspies - https://www.bleepingcomputer.com/news/security/google-links-new-lostkeys-data-theft-malware-to-russian-cyberspies/
- Reuters - Google identifies new malware linked to Russia-based hacking group - https://www.reuters.com/technology/cybersecurity/google-identifies-new-malware-linked-russia-based-hacking-group-2025-05-07/
- Google - COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs - https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
- OTX AlienVault - Indicators Of Compromise (IoCs) - https://otx.alienvault.com/pulse/681ba0e01c36344c7ac60892