Thursday, May 8, 2025

Google Warns of Russian LOSTKEYS Malware | Cold River


Google Uncovers New Malware ‘LOSTKEYS’ Linked to Russian Hacking Group Cold River

Google’s cybersecurity team has identified a sophisticated new malware strain dubbed ‘LOSTKEYS,’ which they attribute to the Russian-based hacking group Cold River. This discovery represents a significant evolution in Cold River’s arsenal and highlights the group’s ongoing efforts to gather intelligence in support of Russian strategic interests.

According to Wesley Shields, a researcher with Google’s Threat Intelligence Group, the LOSTKEYS malware is designed to exfiltrate files and transmit detailed system information to attackers. This capability significantly expands Cold River’s operational toolkit, enabling them to not only steal login credentials but also to gain deeper access to compromised systems and extract valuable data.

Cold River, tracked under other names by other security researchers, has previously been linked to Russia’s Federal Security Service (FSB). The group has a history of targeting high-profile individuals and organizations, primarily focusing on obtaining login credentials to access sensitive information. Its targets typically include NATO governments, non-governmental organizations, and former intelligence and diplomatic officers. The primary objective of these operations appears to be the collection of intelligence that could benefit Russian strategic objectives.

The identification of LOSTKEYS as a tool used by Cold River signifies an escalation in the group’s technical capabilities and their willingness to employ more advanced methods to achieve their goals. The malware’s ability to steal files and send system information provides attackers with a comprehensive understanding of compromised systems, enabling them to identify and extract valuable data, escalate their privileges, and potentially maintain long-term access to targeted networks.

Recent activity attributed to Cold River, observed in January, March, and April 2025, reveals a persistent focus on individuals connected to Western governments, militaries, and organizations involved in matters related to Ukraine. Targets have included current and former advisors to Western governments and militaries, journalists, think tanks, NGOs, and unnamed individuals linked to Ukraine. This targeted approach suggests that Cold River is actively seeking information related to Western policy, military strategy, and activities in the region.

The use of sophisticated malware like LOSTKEYS demonstrates Cold River’s commitment to continuous development and adaptation in the face of evolving cybersecurity defenses. By expanding their toolkit with new and advanced capabilities, Cold River seeks to remain ahead of security measures and maintain their ability to effectively target and compromise high-value targets.

The Russian embassy in Washington has not yet responded to requests for comment regarding the allegations of Cold River’s involvement in these activities.

Cold River has been linked to several high-profile cyberattacks in the past. In the summer of 2022, the group was reportedly involved in targeting three nuclear research laboratories in the United States. This attack raised concerns about the potential for the theft of sensitive information related to nuclear research and technology.

In May 2022, Cold River was implicated in the publishing of private emails belonging to former British spymaster Richard Dearlove and other pro-Brexit individuals. This operation aimed to discredit and undermine individuals associated with opposing viewpoints to Russian interests, leveraging stolen information to influence public opinion and sow discord.

The discovery of LOSTKEYS and Cold River’s ongoing activities serve as a stark reminder of the persistent threat posed by state-sponsored hacking groups. These groups possess the resources, expertise, and motivation to conduct sophisticated cyberattacks aimed at gathering intelligence, disrupting operations, and undermining national security.

The increasing sophistication of malware and the ever-evolving tactics employed by state-sponsored actors underscore the need for robust cybersecurity measures. Organizations and individuals must prioritize security best practices, including implementing strong passwords, enabling multi-factor authentication, regularly patching software vulnerabilities, and employing advanced threat detection and response solutions.

In addition, international cooperation and information sharing are crucial to effectively combating state-sponsored cyberattacks. By sharing threat intelligence and collaborating on cybersecurity initiatives, governments and organizations can enhance their ability to detect, prevent, and respond to malicious activities.

The identification of LOSTKEYS and the ongoing threat posed by Cold River highlight the importance of vigilance and continuous improvement in cybersecurity practices. As state-sponsored actors continue to develop and deploy more advanced tools and techniques, organizations and individuals must remain proactive in their efforts to protect themselves from cyberattacks.

The revelation of the LOSTKEYS malware emphasizes the critical need for organizations to invest in proactive threat hunting capabilities. Analyzing network traffic, system logs, and other data sources can help identify potential indicators of compromise and detect malicious activity before it can cause significant damage.
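As an added illustration of the kind of hunting the paragraph above describes (this is not Google's analysis and uses no real LOSTKEYS indicators), the Python script below runs two generic checks over constructed proxy and process-creation logs: a host pushing an unusually large volume of data to one external destination inside a short window, and a host running several different system-fingerprinting commands in quick succession. The log formats, thresholds, command list and sample records are all assumptions chosen for the example; the two behaviours they look for (bulk upload and host discovery) are the two capabilities the article attributes to the malware.

```python
"""Hunting for bulk-upload and system-discovery patterns in host and proxy logs.

Added illustration, not the article's or Google's code and not LOSTKEYS indicators:
the log formats, thresholds, command list and sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, source host, destination, bytes sent out.
PROXY_LOG = [
    "2025-05-01T09:00:01 host-a dest=updates.example.net out=2048",
    "2025-05-01T09:05:10 host-b dest=files.example.org out=31457280",
    "2025-05-01T09:05:40 host-b dest=files.example.org out=41943040",
    "2025-05-01T09:06:05 host-b dest=files.example.org out=52428800",
    "2025-05-01T09:30:00 host-c dest=mail.example.net out=512000",
]

# Constructed process-creation log: timestamp, host, command line.
PROCESS_LOG = [
    "2025-05-01T09:04:00 host-b cmd=systeminfo",
    "2025-05-01T09:04:02 host-b cmd=whoami /all",
    "2025-05-01T09:04:05 host-b cmd=ipconfig /all",
    "2025-05-01T09:04:09 host-b cmd=tasklist",
    "2025-05-01T11:00:00 host-a cmd=ipconfig /all",
]

# Commands commonly used to fingerprint a host; an assumed list, tune per environment.
DISCOVERY_COMMANDS = {"systeminfo", "whoami", "ipconfig", "tasklist", "net", "hostname"}


def parse_proxy(line):
    ts, host, dest, out = line.split()
    return datetime.fromisoformat(ts), host, dest.split("=", 1)[1], int(out.split("=", 1)[1])


def parse_process(line):
    ts, host, cmd = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), host, cmd.split("=", 1)[1]


def find_bulk_uploads(lines, window=timedelta(minutes=10), threshold=100 * 1024 * 1024):
    """Return (host, dest, bytes) tuples where one host sent more than
    `threshold` bytes to a single destination inside a sliding `window`."""
    events = defaultdict(list)
    for line in lines:
        ts, host, dest, out = parse_proxy(line)
        events[(host, dest)].append((ts, out))
    hits = []
    for (host, dest), recs in events.items():
        recs.sort()
        start, total = 0, 0
        for ts, out in recs:
            total += out
            # Drop records that fell out of the window before testing the sum.
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total > threshold:
                hits.append((host, dest, total))
                break
    return hits


def find_discovery_bursts(lines, window=timedelta(minutes=2), min_distinct=3):
    """Return hosts that ran at least `min_distinct` different discovery
    commands within `window`; a burst like that is more typical of a script
    than of an administrator typing by hand."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, cmd = parse_process(line)
        name = cmd.split()[0].lower()
        if name in DISCOVERY_COMMANDS:
            per_host[host].append((ts, name))
    flagged = []
    for host, recs in per_host.items():
        recs.sort()
        for i, (ts, _) in enumerate(recs):
            seen = {n for t, n in recs[i:] if t - ts <= window}
            if len(seen) >= min_distinct:
                flagged.append(host)
                break
    return flagged


def correlate(proxy_lines, process_lines):
    """Hosts that both fingerprinted themselves and pushed bulk data outbound."""
    uploaders = {h for h, _, _ in find_bulk_uploads(proxy_lines)}
    return sorted(uploaders & set(find_discovery_bursts(process_lines)))


if __name__ == "__main__":
    print(find_bulk_uploads(PROXY_LOG))
    print(find_discovery_bursts(PROCESS_LOG))
    print(correlate(PROXY_LOG, PROCESS_LOG))
```

Either check alone produces noise in a real estate (backup jobs upload a lot; help-desk scripts run `ipconfig`), which is why the last function correlates the two on the same host: a machine that enumerates itself and then ships a large volume of data out is a far stronger lead for an analyst than either signal on its own.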

Furthermore, education and awareness programs are essential to empowering individuals and organizations to recognize and avoid phishing attempts, social engineering attacks, and other tactics used by cybercriminals. By raising awareness of cybersecurity threats and promoting best practices, organizations can create a culture of security that helps prevent attacks and mitigate the impact of successful breaches.

The discovery of LOSTKEYS malware by Google’s Threat Intelligence Group serves as a wake-up call for organizations to reassess their cybersecurity posture and prioritize efforts to protect themselves from state-sponsored cyberattacks. By implementing robust security measures, investing in advanced threat detection and response capabilities, and fostering a culture of security awareness, organizations can significantly reduce their risk of becoming a victim of sophisticated cyberattacks.
