
COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Medium
Published: Wed May 07 2025 (05/07/2025, 18:05:20 UTC)
Source: AlienVault OTX General

Description

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered through a multi-step infection chain, starting with a fake CAPTCHA and involving PowerShell commands. The malware checks for virtual machine environments to evade sandbox analysis and uses a substitution cipher for decoding. COLDRIVER's primary goal is intelligence collection for Russia's strategic interests, targeting Western governments, militaries, journalists, and Ukraine-related individuals. The group has been linked to hack-and-leak campaigns in the UK and against NGOs.

AI-Powered Analysis

Last updated: 07/07/2025, 17:26:14 UTC

Technical Analysis

COLDRIVER is a Russian government-backed threat actor that has developed a new malware strain named LOSTKEYS, designed primarily for espionage and intelligence collection. LOSTKEYS targets Western governments, militaries, journalists, NGOs, and individuals connected to Ukraine, including former intelligence officers. The infection vector begins with credential phishing campaigns that lure victims into interacting with a fake CAPTCHA, initiating a multi-stage infection chain. This chain leverages PowerShell commands to deploy the malware payload. LOSTKEYS employs advanced evasion techniques such as detecting virtual machine environments to avoid sandbox analysis and uses a substitution cipher to decode its payload, complicating detection and analysis. The malware is capable of stealing documents and system information, facilitating the exfiltration of sensitive data. COLDRIVER’s operations have been linked to hack-and-leak campaigns in the UK and against NGOs, underscoring their focus on high-value intelligence targets. The malware’s tactics, techniques, and procedures (TTPs) include credential theft, document theft, use of PowerShell for execution, and network reconnaissance, aligning with MITRE ATT&CK techniques such as T1566 (Phishing), T1059.001 (PowerShell), T1005 (Data from Local System), and T1102 (Web Service). Despite the lack of known exploits in the wild, the threat is credible given the actor’s history and strategic targeting.

Potential Impact

For European organizations, especially governmental bodies, NGOs, and entities involved in Ukraine-related activities, the impact of LOSTKEYS can be significant. The theft of sensitive documents and credentials can lead to exposure of confidential information, undermining operational security and diplomatic efforts. Intelligence gathered through this malware could be used to influence political decisions, disrupt military operations, or damage reputations through subsequent leak campaigns. NGOs working on human rights or conflict zones may face operational setbacks and loss of donor trust if their data is compromised. The use of sophisticated evasion techniques increases the risk of prolonged undetected presence within networks, amplifying potential damage. Additionally, the targeting of former intelligence officers and journalists suggests a broad scope that could affect information dissemination and public awareness in Europe.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice. First, enhance phishing detection and user training focused on recognizing fake CAPTCHAs and suspicious credential requests. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying PowerShell abuse and unusual script execution patterns. Network monitoring should include detection of anomalous web service communications indicative of data exfiltration (T1102). Employ sandbox environments hardened against VM-detection checks so that suspicious files behave as they would on a real host during analysis. Enforce strict application whitelisting and PowerShell constrained language mode to limit unauthorized script execution. Regularly audit and restrict administrative privileges to reduce the impact of credential theft. Implement multi-factor authentication (MFA) to mitigate the risk of compromised credentials being used for lateral movement. Finally, share threat intelligence related to COLDRIVER and LOSTKEYS within European cybersecurity communities to improve collective defense.
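As an added illustration of the "PowerShell abuse" detection recommended above (example code, not part of the advisory or of any vendor product): a small scoring heuristic run over constructed process-creation records. It assumes a Sysmon-like schema with parent_image, image and command_line fields, and flags PowerShell launched from a user-facing parent (browser or desktop shell, where a fake-CAPTCHA lure would land) with hidden-window, encoded or download-style arguments.

```python
"""Heuristic detection of user-initiated, suspicious PowerShell launches.

Added example, not from the original advisory. Field names follow a
Sysmon-style process-creation record (assumption); adapt to your EDR.
"""
import re
from typing import Iterable

# Parents from which a PowerShell launch is unusual for ordinary users;
# a fake-CAPTCHA lure is served in a browser or acted on from the shell.
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line traits that make such a launch more suspicious.
SUSPICIOUS_PATTERNS = [
    re.compile(r"-(enc|encodedcommand)\b", re.I),          # encoded payload
    re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),       # hidden window
    re.compile(r"-(nop|noprofile)\b", re.I),               # skip profile
    re.compile(r"\b(iwr|iex|invoke-webrequest|invoke-expression|downloadstring)\b", re.I),
]

def score_event(event: dict) -> int:
    """Return a suspicion score; 0 for non-PowerShell images."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if image not in {"powershell.exe", "pwsh.exe"}:
        return 0
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("command_line", "")
    score = 1 if parent in USER_FACING_PARENTS else 0
    score += sum(1 for p in SUSPICIOUS_PATTERNS if p.search(cmd))
    return score

def find_suspicious(events: Iterable[dict], threshold: int = 2) -> list:
    """Events scoring at or above threshold warrant analyst review."""
    return [e for e in events if score_event(e) >= threshold]

# Constructed sample events; not real LOSTKEYS telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAA"},   # placeholder blob
    {"parent_image": r"C:\Program Files\Admin\deploy.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print("ALERT", score_event(e), e["command_line"])
```

Tune the parent set and threshold to your environment; the first constructed event scores 4, the legitimate scripted run and the cmd.exe event score 0.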


Technical Details

Author
AlienVault
TLP
white
References
https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
Adversary
COLDRIVER
Pulse Id
681ba0e01c36344c7ac60892
Threat Score
null

Indicators of Compromise

Domain

cloudmediaportal.com
njala.dev


Threat ID: 68421305182aa0cae2f2a22d

Added to database: 6/5/2025, 9:58:29 PM

Last enriched: 7/7/2025, 5:26:14 PM

Last updated: 8/14/2025, 11:27:23 PM
