The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures.
“LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker,” the Google Threat Intelligence Group (GTIG) said.
The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out.
LOSTKEYS is the second custom malware attributed to COLDRIVER after SPICA, marking a continued departure from the credential phishing campaigns the threat actor has been known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057.
“They are known for stealing credentials and after gaining access to a target’s account they exfiltrate emails and steal contact lists from the compromised account,” security researcher Wesley Shields said. “In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system.”
The latest set of attacks commences with a decoy website containing a fake CAPTCHA verification prompt, where victims are instructed to open the Windows Run dialog and paste a PowerShell command copied to the clipboard, a widely popular social engineering technique dubbed ClickFix.
The PowerShell command is designed to download and execute the next payload from a remote server (“165.227.148[.]68”), which acts as a downloader for a third-stage but not before performing checks in a likely effort to evade execution in virtual machines.
A Base64-encoded blob, the third-stage payload is decoded into a PowerShell script that’s responsible for executing LOSTKEYS on the compromised host, allowing the threat actor to harvest system information, running processes, and files from a hard-coded list of extensions and directories.
Like in the case of SPICA, it’s been assessed that the malware is only deployed selectively, indicative of the highly-targeted nature of these attacks.
Google also said it uncovered additional LOSTKEYS artifacts going back to December 2023 that masqueraded as binaries related to the Maltego open-source investigation platform. It’s not known if these samples have any ties to COLDRIVER, or if the malware was repurposed by the threat actors starting January 2025.
ClickFix Adoption Continues to Grow
The development comes as ClickFix continues to be steadily adopted by multiple threat actors to distribute a wide range of malware families, including a banking trojan called Lampion and Atomic Stealer.
Attacks propagating Lampion, per Palo Alto Networks Unit 42, use phishing emails bearing ZIP file attachments as lures. Present within the ZIP archive is an HTML file that redirects the message recipient to a fake landing page with ClickFix instructions to launch the multi-stage infection process.
“Another interesting aspect of Lampion’s infection chain is that it is divided into several non-consecutive stages, executed as separate processes,” Unit 42 said. “This dispersed execution complicates detection, as the attack flow does not form a readily identifiable process tree. Instead, it comprises a complex chain of individual events, some of which could appear benign in isolation.”
The malicious campaign targeted Portuguese-speaking individuals and organizations in various sectors, including government, finance, and transportation, the company added.
In recent months, the ClickFix strategy has also been combined with another sneaky tactic called EtherHiding, which involves using Binance’s Smart Chain (BSC) contracts to conceal the next-stage payload, ultimately leading to the delivery of a macOS information stealer called Atomic Stealer.
“Clicking ‘I’m not a robot’ triggers a Binance Smart Contract, using an EtherHiding technique, to deliver a Base64-encoded command to the clipboard, which users are prompted to run in Terminal via macOS-specific shortcuts (⌘ + Space, ⌘ + V),” an independent researcher who goes by the alias Badbyte said. “This command downloads a script that retrieves and executes a signed Mach-O binary, confirmed as Atomic Stealer.”
Further investigation has found that the campaign has likely compromised about 2,800 legitimate websites to serve fake CAPTCHA prompts. The large-scale watering hole attack has been codenamed MacReaper by the researcher.
“The attack leverages obfuscated JavaScript, three full-screen iframes, and blockchain-based command infrastructure to maximize infections,” the researcher added.
