Google: LOSTKEYS Malware Escalates Russian Cyber Threat

News summary

Google's Threat Intelligence Group has identified a new malware strain, LOSTKEYS, deployed by the Russian state-backed hacking group Cold River—also known as Star Blizzard, Callisto, and Seaborgium—which is linked to Russia's FSB. Since early 2025, LOSTKEYS has been used in targeted espionage campaigns against Western governments, advisers, journalists, NGOs, think tanks, and individuals associated with Ukraine. The malware is delivered via the ClickFix social engineering technique, tricking users into running malicious PowerShell scripts that enable attackers to steal files, system information, and credentials. These campaigns represent an escalation in Cold River's operations, moving from credential theft to direct data exfiltration for Russian intelligence. Past Cold River targets include NATO governments and U.S. nuclear research labs. Google recommends heightened vigilance and least-privilege policies to counter these threats.

Story Coverage

Bias Distribution: Left 50%, Center 25%, Right 25%

Coverage Details

Total News Sources: 4 (Left 2, Center 1, Right 1, Unrated 0)
Last Updated: 22 days ago