Google has uncovered a new strain of malware, “LOSTKEYS,” linked to the Russian-aligned hacking group Cold River, also associated with the Russian Federal Security Service (FSB).
The malware represents a significant escalation in the group’s cyber espionage activities, targeting sensitive figures and organisations to steal files and system data.
LOSTKEYS is designed to infiltrate systems stealthily, extracting specific files such as documents, spreadsheets, and login credentials.
The malware’s capabilities extend to collecting valuable system information, which is then transmitted back to Cold River’s operators.
According to Google’s Wesley Shields, LOSTKEYS “marks a new development in the toolset” of the hacking group, enabling them to broaden their espionage toolkit.
The malware operates with remarkable precision, targeting particular files stored in designated directories, all while remaining undetected.
Its stealthy approach allows Cold River to gather critical intelligence without alerting its targets, making it a highly effective tool in their cyber operations.
Cold River, previously identified under various aliases, has a long track record of cyberattacks aimed at high-profile individuals and institutions across the West.
The group is primarily focused on gathering intelligence to advance Russian geopolitical interests.
In recent months, between January and April 2025, Cold River has targeted Western government advisers, both current and former, along with military personnel, journalists, and members of international think tanks.
Notably, individuals with links to the Ukraine conflict have also been on the group’s radar.
These ongoing attacks align with Cold River’s strategic objective: intelligence collection.
The deployment of LOSTKEYS begins with a fake CAPTCHA page.
This page tricks the user into executing a malicious command, which sets the malware in motion.
After the user interacts with it, malicious PowerShell code is copied to their clipboard, and they are then tricked into running it through the Windows "run" dialog.
Once the command is executed, the malware begins downloading and installing on the target device, starting with a verification process to confirm the legitimacy of the device.
Once installed, LOSTKEYS runs silently in the background, extracting sensitive files, login details, and system data without alerting the user.
This advanced targeting system ensures that the malware is deployed only on high-value targets, maximising the impact of each attack.
Cold River has previously garnered attention for its bold and audacious operations.
In mid-2022, the group was accused of launching cyberattacks on three nuclear research facilities in the United States.
Later in the same year, it was implicated in the leak of private emails belonging to former British intelligence chief Sir Richard Dearlove, as well as several individuals tied to pro-Brexit activities.
These operations were part of a broader effort to gather intelligence on sensitive geopolitical issues, furthering Russian interests.
The continued evolution of Cold River’s cyber capabilities, including the use of the LOSTKEYS malware, marks a troubling escalation in the sophistication of state-sponsored hacking operations.
The rise of LOSTKEYS has prompted cybersecurity experts to raise alarms about the growing threat posed by state-sponsored hacking groups like Cold River.
As these groups refine their tactics, organisations and individuals in sensitive sectors, particularly those involved in political and military activities, are increasingly vulnerable to attacks aimed at stealing confidential information.
Google’s Threat Intelligence Group has urged targeted organisations to adopt stronger security measures, including regular updates to their systems and enhanced monitoring protocols, to mitigate the risks posed by such sophisticated cyber threats.
Hamster Kombat has garnered over 150 million users before its upcoming July debut on TON, marking significant pre-launch success. With rapid growth in user numbers and social media followers in recent months, the outlook for players and the impending token launch looks promising.
CatherineBeneath Telegram games' gloss, risks and fraud lurk. Notcoin's founder Sasha questions the longevity of button-mashing games amidst Toncoin and Notcoin's declining values.
KikyoTelegram's TON blockchain benefits from the popularity of games like Hamster Kombat, engaging millions and promoting blockchain familiarity, while TapSwap faces delays in token distribution, impacting its community and future engagement plans.
WeatherlyZKsync’s recent airdrop saw nearly half of the top recipients selling their tokens, sharply dropping ZK's price. This led to criticism of ZKsync’s airdrop criteria and network issues, with critics arguing that anti-Sybil attack measures were insufficient. Will the price continue to decline?
CatherineMystiko's $XZK token faced a steep decline in value following its exchange debut, despite strong initial community support and a successful funding round.
AnaisSources suggest that President Biden’s re-election campaign is considering accepting crypto donations. Is Biden attempting to appeal to crypto voters like Trump, or has his previously anti-crypto stance softened?
KikyoSolChat offers a blockchain-based communication platform with features like encrypted messaging and wallet-to-wallet streaming. Despite its potential, its $CHAT token has dropped nearly 90% from its peak.
Weatherly
AlexEigenLayer just launched the 2nd phase of its airdrop claims and added a security feature against Sybil and DDoS attacks. However, criticisms abound since Phase One about the airdrop terms. Details for Season Two’s token distribution will be announced soon.
CatherineSaltwater Games, a UK-based gaming company, is making strides in Web3 with acquisitions like Nexus Labs and Maze Theory, aiming to integrate blockchain and XR tech for immersive player experiences. Their $XR Token, backed by Animoca Brands, fuels their XR One platform, set to revolutionize gaming with cross-community benefits and digital ownership.
Joy