A new malware strain, called “LOSTKEYS,” has been discovered by Google’s Threat Intelligence Group and has been linked to the Russian state-backed hacking group Cold River, also tracked as COLDRIVER, UNC4057, Star Blizzard, or Callisto. This is a big leap for Cold River from a cyber espionage point of view, moving from credential theft to more advanced data exfiltration techniques.

LOSTKEYS is specially crafted to get into systems, snatch files from selected directories and file types, collect system information and a list of running processes, and send all of it to the attackers. This evolution of Cold River’s toolkit is part of a strategic move towards gathering a complete set of intelligence. The way this malware has been programmed appears designed to reach sensitive documents and details of the compromised system so that the group can conduct prolonged surveillance and data collection.

Cold River has been targeting high profile entities, including NATO-affiliated individuals, NGOs, journalists, and individuals connected to NATO and Western governments. The group works in service of Russian interests and gathers intelligence that can potentially influence geopolitical dynamics. In 2022, Cold River was also implicated in a series of cyberattacks on US nuclear research laboratories and in the unauthorized release of emails from Richard Dearlove, former British intelligence chief, and pro-Brexit figures.

The early 2025 campaigns have been found to show a similar focus on Ukraine-related entities and on entities connected to Western militaries and governments. The addition of LOSTKEYS demonstrates that the group has been making efforts to bolster its cyber espionage arsenal so that it can penetrate targets more readily and collect data more efficiently.

Google’s proactive identification and disclosure of LOSTKEYS is an important warning to those in industries targeted by state-sponsored cyberattacks. It emphasizes that cybersecurity should be robust: regular system audits, employee training to detect and avoid phishing and social engineering, and advanced threat detection systems.

In addition, the discovery of LOSTKEYS signals the possibility that other state-affiliated or independent threat actors may develop and deploy malware like LOSTKEYS in the future. This shows how critical international cooperation is in sharing cybersecurity intelligence and in developing a coherent approach to limiting the spread of cyber espionage tooling.

As cyber threats grow, entities have to remain watchful and adapt to changes, ensuring that their cybersecurity frameworks are able to resist and adjust to the intricacies of modern cyber espionage tactics, as seen with LOSTKEYS.
