Ethical Hacking News
Google has linked a new data theft malware called LostKeys to Russian cyberspies, highlighting the growing concern over state-backed threat actors in global cyber attacks. The malware, used by the ColdRiver group, is capable of stealing files and sending system information to attackers. This latest development follows other recent operations by the ColdRiver group, which have been linked to Russian government agencies.
Key points:
- LostKeys malware is linked to Russian cyberspies, specifically the ColdRiver hacking group.
- ColdRiver has used social engineering tactics and open-source intelligence skills since at least 2017.
- The malware steals files from a hard-coded list of extensions and directories and sends system information and a list of running processes to the attackers.
- Operations are linked to Russian government agencies; Five Eyes agencies warned of the group's spear-phishing attacks in December 2023.
- The US State Department offers a $10 million reward for tips on ColdRiver members.
- The discovery highlights growing concern over the role of Russian state-backed threat actors in global cyber attacks.
Google has recently shed light on a sophisticated data theft malware known as LostKeys, which has been linked to Russian cyberspies. The malware, first detected by Google's Threat Intelligence Group (GTIG) in January 2025, is being used by the ColdRiver hacking group, a state-backed threat actor that has been involved in espionage attacks targeting Western governments, journalists, think tanks, and non-governmental organizations.
The ColdRiver group, also known as Star Blizzard, Callisto Group, or Seaborgium, has been using social engineering tactics and open-source intelligence skills to research and lure targets since at least 2017. The group's operations have expanded to include spear-phishing attacks against defense, governmental organizations, NGOs, and politicians, with a particular focus on NATO countries.
Google GTIG observed that the LostKeys malware is capable of stealing files from a hard-coded list of extensions and directories, as well as sending system information and a list of running processes to the attacker. The malware is designed to achieve a similar goal to other ColdRiver malware, such as SPICA, which is used to access documents on the target system.
The ColdRiver group's operations have been linked to Russian government agencies; in December 2023, Five Eyes cyber agencies warned of the group's spear-phishing attacks against defense and governmental organizations, NGOs, and politicians. That same month, the U.S. State Department sanctioned two ColdRiver operators, including an FSB officer, and the U.S. Justice Department indicted both for their involvement in a global hacking campaign coordinated by the Russian government.
The State Department now offers up to $10 million in rewards for tips that could help law enforcement locate or identify other ColdRiver members. This latest development highlights the growing concern over the role of Russian state-backed threat actors in global cyber attacks.
In addition to the LostKeys malware, Google GTIG has also tracked other threat actors, including Kimsuky (North Korea), MuddyWater (Iran), and APT28 and UNK_RemoteRogue (Russia), all of which have used similar tactics in their espionage campaigns.
The discovery of the LostKeys malware and its link to Russian cyberspies underscores the need for increased awareness and vigilance among individuals and organizations. As cyber attacks continue to evolve and become more sophisticated, it is essential that we stay informed about the latest threats and take steps to protect ourselves.
Related Information:
https://www.ethicalhackingnews.com/articles/Uncovering-the-Shadowy-World-of-LostKeys-A-Malware-Linked-to-Russian-Cyberspies-ehn.shtml
https://www.bleepingcomputer.com/news/security/google-links-new-lostkeys-data-theft-malware-to-russian-cyberspies/
https://www.securityweek.com/google-finds-data-theft-malware-used-by-russian-apt-in-select-cases/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a
https://attack.mitre.org/groups/G0094/
http://www.la-cyber.com/Current-Threat-Data.php?id=3814
https://malpedia.caad.fkie.fraunhofer.de/actor/unk_remoterogue
https://www.scworld.com/news/us-uk-accuse-russias-callisto-group-of-cyber-espionage-political-interference
https://www.securityweek.com/russian-espionage-apt-callisto-focuses-ukraine-war-support-organizations/
https://en.wikipedia.org/wiki/Fancy_Bear
https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/
https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html
https://www.msn.com/en-us/news/technology/state-sponsored-actors-spotted-using-clickfix-hacking-tool-developed-by-criminals/ar-AA1Dc82m
Published: Thu May 8 09:14:53 2025 by llama3.2 3B Q4_K_M