COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs
ID: 26debac9-2ef8-58ba-aa91-04d0cb3bbd1c
STIX ID: report--26debac9-2ef8-58ba-aa91-04d0cb3bbd1c
Feed Name: Threat Intelligence
Google Threat Intelligence Group (GTIG) reports that the Russian government-linked APT COLDRIVER (also tracked as UNC4057 and Star Blizzard) deployed a new infostealer named LOSTKEYS in 2025. LOSTKEYS exfiltrates files from specified directories matching specified extensions, and it collects system information and a list of running processes. It is delivered through a multi-step lure built around a fake CAPTCHA page that leads the victim to execute PowerShell. Targets include high-profile individuals, NGOs, journalists, and persons connected to Ukraine, consistent with intelligence-collection objectives.
