Google Warns of Sophisticated New Malware LOSTKEYS Used by Russian-Linked Threat Actor
Google's Threat Intelligence Group has discovered a new, sophisticated malware called LOSTKEYS. It has been used in targeted attacks by COLDRIVER, a threat actor linked to the Russian government, in early 2025.
LOSTKEYS is delivered through a multi-stage infection process with three distinct stages. The chain starts with a fake CAPTCHA, continues with a virtual machine evasion stage, and concludes with a stage that uses a two-key substitution cipher. Each infection chain is customized with unique identifiers and encryption keys, so the artifacts differ from one victim to the next. The malware is capable of stealing files and system data.
LOSTKEYS has been active since December 2023, with earlier versions using different infection methods. Google's Threat Intelligence Group (GTIG) urges at-risk users to enroll in Google's Advanced Protection Program and enable Enhanced Safe Browsing in Chrome to protect against such threats.
Attacks using LOSTKEYS were observed in January, March, and April 2025. While specific targets and details remain unclear, COLDRIVER's use of LOSTKEYS indicates a shift towards more advanced malware tools; the group had previously focused on credential phishing.
LOSTKEYS, a new and highly advanced malware, has been identified by Google's Threat Intelligence Group. Its use by COLDRIVER in targeted attacks underscores the evolving threat landscape. Users are advised to enhance their security measures to protect against such sophisticated cyber threats.