Google has uncovered a new strain of malware, “LOSTKEYS,” linked to the Russian-aligned hacking group Cold River, also associated with the Russian Federal Security Service (FSB).
The malware represents a significant escalation in the group’s cyber espionage activities, targeting sensitive figures and organisations to steal files and system data.
LOSTKEYS is designed to infiltrate systems stealthily, extracting specific files such as documents, spreadsheets, and login credentials.
The malware’s capabilities extend to collecting valuable system information, which is then transmitted back to Cold River’s operators.
According to Google’s Wesley Shields, LOSTKEYS “marks a new development in the toolset” of the hacking group, enabling them to broaden their espionage toolkit.
The malware operates with remarkable precision, targeting particular files stored in designated directories, all while remaining undetected.
Its stealthy approach allows Cold River to gather critical intelligence without alerting its targets, making it a highly effective tool in their cyber operations.
Cold River, previously identified under various aliases, has a long track record of cyberattacks aimed at high-profile individuals and institutions across the West.
The group is primarily focused on gathering intelligence to advance Russian geopolitical interests.
In recent months, between January and April 2025, Cold River has targeted Western government advisers, both current and former, along with military personnel, journalists, and members of international think tanks.
Notably, individuals with links to the Ukraine conflict have also been on the group’s radar.
These ongoing attacks align with Cold River’s strategic objective: intelligence collection.
The deployment of LOSTKEYS begins with a fake CAPTCHA page.
This page tricks the user into executing a malicious command, which sets the malware in motion.
After the user interacts with it, malicious PowerShell code is copied to their clipboard, and they are then tricked into running it through the Windows "run" dialog.
Once the command is executed, the malware begins downloading and installing on the target device, starting with a verification process to confirm the legitimacy of the device.
Once installed, LOSTKEYS runs silently in the background, extracting sensitive files, login details, and system data without alerting the user.
This advanced targeting system ensures that the malware is deployed only on high-value targets, maximising the impact of each attack.
Cold River has previously garnered attention for its bold and audacious operations.
In mid-2022, the group was accused of launching cyberattacks on three nuclear research facilities in the United States.
Later in the same year, it was implicated in the leak of private emails belonging to former British intelligence chief Sir Richard Dearlove, as well as several individuals tied to pro-Brexit activities.
These operations were part of a broader effort to gather intelligence on sensitive geopolitical issues, furthering Russian interests.
The continued evolution of Cold River’s cyber capabilities, including the use of the LOSTKEYS malware, marks a troubling escalation in the sophistication of state-sponsored hacking operations.
The rise of LOSTKEYS has prompted cybersecurity experts to raise alarms about the growing threat posed by state-sponsored hacking groups like Cold River.
As these groups refine their tactics, organisations and individuals in sensitive sectors, particularly those involved in political and military activities, are increasingly vulnerable to attacks aimed at stealing confidential information.
Google’s Threat Intelligence Group has urged targeted organisations to adopt stronger security measures, including regular updates to their systems and enhanced monitoring protocols, to mitigate the risks posed by such sophisticated cyber threats.
Hong Kong now allows cryptocurrencies like Bitcoin and Ethereum as proof of net worth for its investment visa. However, crypto cannot be used for the required investment after visa approval.
AnaisAlibaba’s stock jumped 8% after announcing its AI partnership with Apple, which will use Alibaba’s vast user data to develop tailored AI tools for China.
KikyoWorld Liberty Financial, backed by the Trump family, launched a strategic token reserve to support cryptocurrencies like Bitcoin and Ethereum, aiming to stabilize the market and strengthen DeFi. This initiative is part of the family's growing influence in the crypto industry, with WLF already accumulating significant assets and making moves to connect crypto with mainstream investors.
WeatherlyPi Network will launch its Open Network on 20 February 2025, ending its Enclosed Mainnet phase. With 10.14 million migrations and 19 million verified Pioneers, this transition unlocks Pi’s ecosystem for real-world use, enabling integration with other compliant systems.
CatherineHoliday scams in the UK are rising, with AI-generated images and social media making it easier for fraudsters to deceive consumers. Many holidaymakers, especially young people, are falling victim to scams due to the allure of cheap deals and influencer promotions.
WeatherlyCertiK audited the code behind a stablecoin used by Huione, a platform linked to human trafficking and illegal activities. The firm has apologised and promised to improve its vetting process after failing to fully investigate the project's risks.
AnaisOpenAI is launching GPT-5 to enhance usability, but CEO Sam Altman warned that users may eventually need to cover compute costs which has sparked criticism. Is Altman that hard up for money?
CatherineEstonian nationals Sergei Potapenko and Ivan Turogin have agreed to surrender all claims to digital assets seized by US authorities as part of their plea agreement. To date, $350 million has already been returned to victims.
KikyoThe US released Russian national Alexander Vinnik in a prisoner swap for American teacher Marc Fogel, who was detained in Russia on drug charges. Vinnik was convicted of laundering billions through his cryptocurrency exchange BTC-e.
AnaisAdobe’s Firefly Video Model enters the AI video space, competing with OpenAI’s Sora and startup Runway. Its key advantage lies in its seamless integration with Premiere Pro, giving it a potential edge in professional video editing. But will it challenge OpenAI, or remain a limited competitor?
Catherine