{
	"id": "0a30247d-f68f-4e76-93fa-a28b7ef263db",
	"created_at": "2026-04-06T00:20:09.029604Z",
	"updated_at": "2026-04-10T03:35:41.967418Z",
	"deleted_at": null,
	"sha1_hash": "d8bb807b5b8dbc34a151daa220f3620aa74abc8e",
	"title": "COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 560709,
	"plain_text": "COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-05-07 · Archived: 2026-04-05 17:55:47 UTC\r\nWritten by: Wesley Shields\r\nGoogle Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. Observed in January, March, and April 2025, LOSTKEYS marks a new development in the toolset of COLDRIVER, a group primarily known for credential phishing against high-profile targets like NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers. GTIG has been tracking COLDRIVER for many years, including their SPICA malware in 2024.\r\nCOLDRIVER typically targets high-profile individuals at their personal email addresses or at NGO addresses. They are known for stealing credentials, and after gaining access to a target’s account, they exfiltrate emails and steal contact lists from the compromised account. In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system.\r\nRecent targets in COLDRIVER’s campaigns have included current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. The group has also continued targeting individuals connected to Ukraine. We believe the primary goal of COLDRIVER’s operations is intelligence collection in support of Russia’s strategic interests. 
In a small number of cases, the group has been linked to hack-and-leak campaigns targeting officials in the UK and an NGO.\r\nTo safeguard at-risk users, we use our research on serious threat actors like COLDRIVER to improve the safety and security of Google’s products. We encourage potential targets to enroll in Google's Advanced Protection Program, enable Enhanced Safe Browsing for Chrome, and ensure that all devices are updated.\r\nStage 1 — It Starts With A Fake CAPTCHA\r\nLOSTKEYS is delivered at the end of a multi-step infection chain that starts with a lure website with a fake CAPTCHA on it. Once the CAPTCHA has been “verified,” PowerShell is copied to the user's clipboard and the page prompts the user to execute the PowerShell via the “run” prompt in Windows:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos\r\nPage 1 of 7\n\nThe first stage PowerShell that is pasted in will fetch and execute the second stage. In multiple observed cases, the second stage was retrieved from 165.227.148[.]68.\r\nCOLDRIVER is not the only threat actor to deliver malware by socially engineering their targets to copy, paste, and then execute PowerShell commands—a technique commonly called “ClickFix.” We have observed multiple APT and financially motivated actors use this technique, which has also been widely reported publicly. Users should exercise caution when encountering a site that prompts them to exit the browser and run commands on their device, and enterprise policies should implement least privilege and disallow users from executing scripts by default.\r\nStage 2 — Device Evasion\r\nThe second stage calculates the MD5 hash of the display resolution of the device, and if the MD5 is one of three specific values it will stop execution; otherwise it will retrieve the third stage. This step is likely done to evade execution in VMs. 
Each observed instance of this chain uses different, unique identifiers that must be present in the request to retrieve the next stage. In all observed instances the third stage is retrieved from the same host as the previous stages.\r\nStage 3 — Retrieval of the Final Payload\r\nThe third stage is a Base64-encoded blob, which decodes to more PowerShell. This stage retrieves and decodes the final payload. To do this it pulls down two more files, from the same host as the others, again using different unique identifiers per infection chain.\r\nThe first is a Visual Basic Script (VBS) file, which we call the “decoder,” and which is responsible for decoding the second one. The decoding process uses two keys, which are unique per infection chain. The decoder holds one of the keys and the second key is stored in stage 3. The keys are used in a substitution cipher on the encoded blob. A Python script to decode the final payload is:\r\n# Args: encoded_file Ah90pE3b 4z7Klx1V\r\nimport base64\r\nimport sys\r\n\r\nif len(sys.argv) != 4:\r\n    print(\"Usage: decode.py file key1 key2\")\r\n    sys.exit(1)\r\nif len(sys.argv[2]) != len(sys.argv[3]):\r\n    print(\"Keys must be the same length\")\r\n    sys.exit(1)\r\nwith open(sys.argv[1], 'r') as f:\r\n    data = f.read()\r\nx = sys.argv[2]  # key1: in the observed chain this is the key stored in stage 3\r\ny = sys.argv[3]  # key2: in the observed chain this is the key held by the VBS decoder\r\n# Swap every x[i] with y[i] throughout the blob, using '!' as a scratch character\r\n# (safe because '!' is not part of the Base64 alphabet).\r\nfor i in range(len(x)):\r\n    data = data.replace(x[i], '!').replace(y[i], x[i]).replace('!', y[i])\r\n# After the swap the text is ordinary Base64; decode it to recover the VBS payload.\r\nwith open(sys.argv[1] + '.out', 'wb') as f:\r\n    f.write(base64.b64decode(data))\r\nThe Final Payload (LOSTKEYS)\r\nThe end result of this is a VBS that we call LOSTKEYS. It is a piece of malware that is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. 
The typical behavior of COLDRIVER is to steal credentials and then use them to steal emails and contacts from the target, but, as we have previously documented, they will also deploy malware called SPICA to select targets if they want to access documents on the target system. LOSTKEYS is designed to achieve a similar goal and is only deployed in highly selective cases.\r\nA Link To December 2023\r\nAs part of the investigation into this activity, we discovered two additional samples, hashes of which are available in the Indicators of Compromise section, dating back as early as December 2023. In each case, the samples end up executing LOSTKEYS but are distinctly different from the execution chain described here in that they are Portable Executable (PE) files pretending to be related to the software package Maltego.\r\nIt is currently unclear if these samples from December 2023 are related to COLDRIVER, or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025.\r\nProtecting the Community\r\nAs part of our efforts to combat threat actors, we use the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified malicious websites, domains and files are added to Safe Browsing to protect users from further exploitation. We also send targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.\r\nWe are committed to sharing our findings with the security community to raise awareness and with companies and individuals that might have been targeted by these activities. 
We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.\r\nIndicators of compromise (IOCs) and YARA rules are included in this post, and are also available as a GTI collection and rule pack.\r\nYARA Rules\r\nrule LOSTKEYS__Strings {\r\n    meta:\r\n        author = \"Google Threat Intelligence\"\r\n        description = \"wscript that steals documents and beacons system information out to a hardcoded address\"\r\n        hash = \"28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9\"\r\n    strings:\r\n        $rep0 = \"my_str = replace(my_str,a1,\\\"!\\\" )\"\r\n        $rep1 = \"my_str = replace(my_str,b1 ,a1 )\"\r\n        $rep2 = \"my_str = replace(my_str,\\\"!\\\" ,b1 )\"\r\n        $mid0 = \"a1 = Mid(ch_a,ina+1,1)\"\r\n        $mid1 = \"b1 = Mid(ch_b,ina+1,1)\"\r\n        $req0 = \"ReqStr = base64encode( z \u0026 \\\";\\\" \u0026 ws.ExpandEnvironmentStrings(\\\"%COMPUTERNAME%\\\") \u0026 \\\";\\\" \u0026 ws.ExpandEnvironmentStrings(\\\"%USERNAME%\\\") \u0026 \\\";\\\" \u0026 fso.GetDrive(\\\"C:\\\\\\\").SerialNumber)\"\r\n        $req1 = \"ReqStr = Chain(ReqStr,\\\"=+/\\\",\\\",-_\\\")\"\r\n        $cap0 = \"CapIN \\\"systeminfo \u003e \\\"\\\"\\\" \u0026 TmpF \u0026 \\\"\\\"\\\"\\\", 1, True\"\r\n        $cap1 = \"CapIN \\\"ipconfig /all \u003e\u003e \\\"\\\"\\\" \u0026 TmpF \u0026 \\\"\\\"\\\"\\\", 1, True\"\r\n        $cap2 = \"CapIN \\\"net view \u003e\u003e \\\"\\\"\\\" \u0026 TmpF \u0026 \\\"\\\"\\\"\\\", 1, True\"\r\n        $cap3 = \"CapIN \\\"tasklist \u003e\u003e \\\"\\\"\\\" \u0026 TmpF \u0026 \\\"\\\"\\\"\\\", 1, True\"\r\n    condition:\r\n        all of ($rep*) or all of ($mid*) or all of ($req*) or all of ($cap*)\r\n}\r\n
Indicators of Compromise\r\nNotes | IOC\r\nStage 1 - Fake CAPTCHA page, loads PowerShell to clipboard | 13f7599c94b9d4b028ce02397717a1282a46f07b9d3e2f8f2b3213fa8884b029\r\nStage 2: Device evasion and stage 3 loader | 4c7accba35edd646584bb5a40ab78f963de45e5fc816e62022cd7ab1b01dae9c\r\nStage 3: Retrieve and decode final payload, contains key “Ah90pE3b” | 6b85d707c23d68f9518e757cc97adb20adc8accb33d0d68faf1d8d56d7840816\r\nDecoder script, contains key “4z7Klx1V” | 3233668d2e4a80b17e6357177b53539df659e55e06ba49777d0d5171f27565dd\r\nFinal payload, encoded | 6bc411d562456079a8f1e38f3473c33ade73b08c7518861699e9863540b64f9a\r\nFinal payload, decoded | 28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9\r\nC2 | 165.227.148[.]68\r\nC2 | cloudmediaportal[.]com\r\nBinary that executes LOSTKEYS from December 2023 | b55cdce773bc77ee46b503dbd9430828cc0f518b94289fbfa70b5fbb02ab1847\r\nBinary that executes LOSTKEYS from December 2023 | 02ce477a07681ee1671c7164c9cc847b01c2e1cd50e709f7e861eaab89c69b6f\r\nLOSTKEYS from December 2023 | 8af28bb7e8e2f663d4b797bf3ddbee7f0a33f637a33df9b31fbb4c1ce71b2fee\r\nC2 from December 2023 | njala.dev\r\nC2 from December 2023 | 80.66.88[.]67\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos"
	],
	"report_names": [
		"coldriver-steal-documents-western-targets-ngos"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434809,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8bb807b5b8dbc34a151daa220f3620aa74abc8e.pdf",
		"text": "https://archive.orkl.eu/d8bb807b5b8dbc34a151daa220f3620aa74abc8e.txt",
		"img": "https://archive.orkl.eu/d8bb807b5b8dbc34a151daa220f3620aa74abc8e.jpg"
	}
}