New LOSTKEYS Malware Tied to Russian State-Sponsored Hacker Group COLDRIVER
Russian state-sponsored threat actor COLDRIVER, long known for targeting high-profile NGOs, policy advisors, and dissidents, has been linked to a rapidly evolving malware campaign following the public disclosure of its LOSTKEYS malware in May 2025.
After details of LOSTKEYS surfaced, COLDRIVER (also tracked as UNC4057, Star Blizzard, and Callisto) abandoned the now-exposed malware.
Google Threat Intelligence Group (GTIG) researchers have not observed a single instance of LOSTKEYS since the disclosure, a measure of the group's agility.
Within five days of that exposure, COLDRIVER had operationalized new malware families, shifting tactics and tooling at an unprecedented pace, according to recent reporting from GTIG and supporting analysis from Zscaler.
In place of LOSTKEYS, COLDRIVER began deploying a diverse toolset of interconnected malware families that have already gone through several development iterations.
This relentless pace highlights the group’s dedication to maintaining access to target environments and evading defensive measures.
At the center of this re-tooled arsenal ...
Copyright of this story solely belongs to gbhackers.