COLDRIVER Deploys LOSTKEYS to Steal Documents from Western Government Advisors

Our team at Google Threat Intelligence Group is sharing new findings on the evolving tactics of COLDRIVER. This Russian government-backed group, historically focused on credential phishing, is now deploying new malware called LOSTKEYS to exfiltrate documents from targeted systems. We’ve observed LOSTKEYS campaigns in early 2025 targeting current and former advisors to Western governments and militaries, as well as journalists and NGOs, often those connected to Ukraine. The primary goal appears to be intelligence collection.

We’re sharing this information, including technical details, indicators of compromise (IOCs), and YARA rules, to help the security community protect against these threats. We’ve added the identified malicious domains and files to Safe Browsing and alerted targeted Google users. We encourage at-risk individuals to enroll in Google’s Advanced Protection Program and enable Enhanced Safe Browsing.

Read the full report here: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos


Originally posted on LinkedIn