COLDRIVER is a Russian government-backed threat actor that has developed a new malware strain named LOSTKEYS, designed primarily for espionage and intelligence collection. LOSTKEYS targets Western governments, militaries, journalists, NGOs, and individuals connected to Ukraine, including former intelligence officers. The infection vector begins with credential phishing campaigns that lure victims into interacting with a fake CAPTCHA, initiating a multi-stage infection chain. This chain leverages PowerShell commands to deploy the malware payload. LOSTKEYS employs advanced evasion techniques such as detecting virtual machine environments to avoid sandbox analysis and uses a substitution cipher to decode its payload, complicating detection and analysis. The malware is capable of stealing documents and system information, facilitating the exfiltration of sensitive data. COLDRIVER’s operations have been linked to hack-and-leak campaigns in the UK and against NGOs, underscoring their focus on high-value intelligence targets. The malware’s tactics, techniques, and procedures (TTPs) include credential theft, document theft, use of PowerShell for execution, and network reconnaissance, aligning with MITRE ATT&CK techniques such as T1566 (Phishing), T1059.001 (PowerShell), T1005 (Data from Local System), and T1102 (Web Service). Despite the lack of known exploits in the wild, the threat is credible given the actor’s history and strategic targeting.

For European organizations, especially governmental bodies, NGOs, and entities involved in Ukraine-related activities, the impact of LOSTKEYS can be significant. The theft of sensitive documents and credentials can lead to exposure of confidential information, undermining operational security and diplomatic efforts. Intelligence gathered through this malware could be used to influence political decisions, disrupt military operations, or damage reputations through subsequent leak campaigns. NGOs working on human rights or conflict zones may face operational setbacks and loss of donor trust if their data is compromised. The use of sophisticated evasion techniques increases the risk of prolonged undetected presence within networks, amplifying potential damage. Additionally, the targeting of former intelligence officers and journalists suggests a broad scope that could affect information dissemination and public awareness in Europe.

European organizations should implement targeted defenses beyond generic advice. First, enhance phishing detection and user training focused on recognizing fake CAPTCHAs and suspicious credential requests. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying PowerShell abuse and unusual script execution patterns. Network monitoring should include detection of anomalous web service communications indicative of data exfiltration (T1102). Employ sandbox environments that can bypass VM detection to analyze suspicious files. Enforce strict application whitelisting and PowerShell constrained language mode to limit unauthorized script execution. Regularly audit and restrict administrative privileges to reduce the impact of credential theft. Implement multi-factor authentication (MFA) to mitigate the risk of compromised credentials being used for lateral movement. Finally, share threat intelligence related to COLDRIVER and LOSTKEYS within European cybersecurity communities to improve collective defense.