Newly identified malware enhances Cold River’s cyber espionage capabilities, with recent campaigns targeting Western officials, journalists, and Ukraine-linked individuals
Google announced on Wednesday the discovery of a new strain of malware, dubbed “LOSTKEYS”, which has been attributed to the Cold River hacking group—an actor previously linked to Russian state interests.
The revelation was detailed in a blog post by Google’s Threat Intelligence Group (GTIG), highlighting the evolving tactics of a threat actor known for targeting high-profile geopolitical entities.
A New Chapter in Cold River’s Toolkit
According to Wesley Shields, a security researcher at Google GTIG, LOSTKEYS represents “a new development in the toolset” of Cold River. The malware is capable of exfiltrating files and transmitting system information back to its operators, enhancing the group’s surveillance and espionage capabilities.
Cold River—also known in cybersecurity circles as Callisto Group or Seaborgium—has been previously linked to Russia’s Federal Security Service (FSB). The group is notorious for its phishing campaigns and credential theft, often aimed at extracting sensitive information from targets aligned with Western institutions and governments.
Recent Campaigns: Intelligence Gathering on Ukraine and the West
The blog notes that Cold River’s activities have persisted into 2025, with observed campaigns in January, March, and April targeting:
- Current and former advisers to Western governments and militaries
- Journalists
- Think tanks
- Non-governmental organizations (NGOs)
- Unnamed individuals associated with Ukraine
These efforts appear to support Russian strategic objectives, consistent with Cold River’s historical operations.
A Track Record of High-Profile Intrusions
Cold River has been implicated in several high-stakes cyber campaigns over the past few years. In the summer of 2022, the group targeted three U.S. nuclear research laboratories, attempting to gain access to highly sensitive scientific data.
Later that year, in an operation exposed in May 2022, the group published the private email correspondence of former MI6 chief Richard Dearlove and other pro-Brexit figures. The campaign appeared to be part of a broader disinformation effort aimed at influencing public discourse in the United Kingdom.