COLDRIVER using new malware to steal from Western targets — Google

Summary

The threat group COLDRIVER is using new malware named LOSTKEYS to steal documents from Western targets. Installation proceeds in stages: a lure website with a fake CAPTCHA, a PowerShell script, a device-evasion step, and retrieval of the final payload. LOSTKEYS can steal files, send system information, and report running processes back to COLDRIVER. The attack originates from the IP address 165.227.148[.]68. Google has mitigated the malware's impact by adding the malicious websites to its Safe Browsing feature. COLDRIVER, a Russian-backed group, has shifted from phishing to more advanced attacks, having previously used malware called Spica.

Separately, crypto hacks have surged in 2025, with losses reaching $2 billion in Q1 alone, surpassing total losses for 2024. Key vulnerabilities include operational flaws and weak access controls, and attackers employ social engineering tactics. A significant contributor to these losses was the $1.5 billion hack of the cryptocurrency exchange Bybit, attributed to the Lazarus Group.
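The one concrete indicator in the summary is the defanged address 165.227.148[.]68. The following is an added example (not code from Google or the original report) of how a defender would sweep proxy logs for that indicator: it refangs the bracketed address, matches it as a whole token so that a longer address or number sharing the same prefix is not a false positive, and lists the hosts that contacted it for triage. The log lines, host names and user names are constructed for the example; the log format is an assumption.

```python
import re

# Indicator quoted in the summary above, kept defanged ("[.]") so it is not clickable.
LOSTKEYS_C2_DEFANGED = "165.227.148[.]68"

# Constructed sample proxy log lines (not real telemetry). Line 3 shares a prefix with
# the indicator and line 4 embeds it inside a longer number; neither may be reported.
SAMPLE_PROXY_LOGS = [
    "2025-05-07T10:01:22Z host=ws-014 user=jdoe dst=165.227.148.68:443 method=GET uri=/a",
    "2025-05-07T10:01:25Z host=ws-014 user=jdoe dst=93.184.216.34:443 method=GET uri=/index.html",
    "2025-05-07T10:02:01Z host=ws-022 user=asmith dst=165.227.148.168:443 method=GET uri=/",
    "2025-05-07T10:02:30Z host=ws-022 user=asmith dst=10.0.0.5:443 method=GET uri=/s/165.227.148.6899",
    "2025-05-07T10:03:40Z host=ws-031 user=mlee dst=165.227.148.68:80 method=POST uri=/u",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp://") back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def _ioc_pattern(indicators):
    """Compile one regex that matches any indicator only as a whole token.

    The look-behind/look-ahead reject a preceding or following word character or dot,
    so "165.227.148.6899" or "1165.227.148.68" do not match "165.227.148.68".
    """
    alternatives = "|".join(re.escape(refang(i)) for i in indicators)
    return re.compile(rf"(?<![\w.])(?:{alternatives})(?![\w.])")


def find_ioc_hits(log_lines, indicators):
    """Return one record per log line that contains an indicator as a whole token."""
    pattern = _ioc_pattern(indicators)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = pattern.search(line)
        if not match:
            continue
        host = re.search(r"\bhost=(\S+)", line)  # assumed key=value log format
        hits.append({
            "line": lineno,
            "indicator": match.group(0),
            "host": host.group(1) if host else None,
        })
    return hits


def hosts_to_triage(hits):
    """Distinct hosts that contacted an indicator, sorted for a stable triage list."""
    return sorted({h["host"] for h in hits if h["host"]})


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_PROXY_LOGS, [LOSTKEYS_C2_DEFANGED])
    for hit in found:
        print(f"line {hit['line']}: host {hit['host']} contacted {hit['indicator']}")
    print("hosts to triage:", hosts_to_triage(found))
```

Matching on the refanged token rather than a raw substring matters when sweeping large log sets: a substring search for the address would also flag the decoy lines above. The same `find_ioc_hits` call can be fed any additional indicators an analyst has confirmed, without changing the matching logic.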