

Cyber Threat Alert: Immediate Action Required on Existing APT Threat Indicators – Active IOCs
May 8, 2025
Severity
High
Analysis Summary
Russia-linked threat actor COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, has been observed deploying a new malware dubbed LOSTKEYS as part of a highly targeted espionage campaign. Traditionally known for credential phishing, COLDRIVER has expanded its toolkit, with LOSTKEYS being its second known custom malware after SPICA.
LOSTKEYS is designed to steal files from specified directories and extensions, gather system information, and list running processes. According to researchers, the malware has been deployed in attacks between January and April 2025, primarily targeting current and former advisors to Western governments, journalists, think tanks, NGOs, and individuals connected to Ukraine.
The campaign uses ClickFix, a social engineering technique where victims are tricked into pasting PowerShell commands into the Windows Run dialog via fake CAPTCHA pages. These commands fetch additional payloads from remote servers and eventually decode and execute LOSTKEYS on the host system.
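The ClickFix chain described above leaves a distinctive trace in process-creation telemetry: a shell spawned directly by explorer.exe (the parent of anything launched from the Run dialog) with a command line that fetches, decodes or hides. The detector below is an added example written for this alert, not code from the advisory or its researchers. It assumes events shaped like Sysmon Event ID 1 / Windows 4688 records (Image, ParentImage, CommandLine fields); the sample events and the encoded blob in them are constructed filler.

```python
"""ClickFix-style execution detector (added example, not from the advisory).

Assumes process-creation events with Image, ParentImage and CommandLine
fields, as in Sysmon Event ID 1 or Windows 4688; sample events below are
constructed.  The rule encodes the chain the advisory describes: a shell
spawned by explorer.exe whose command line carries download, decode or
hide-window switches.
"""
import re
from dataclasses import dataclass, field

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Switches and cmdlets typical of paste-and-run one-liners; each match is one reason.
SUSPICIOUS = {
    "encoded-command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web-fetch": re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
    "base64-decode": re.compile(r"frombase64string", re.I),
    "remote-url": re.compile(r"https?://", re.I),
}


@dataclass
class Finding:
    event_id: int
    image: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the matched reasons for one event; empty if the rule does not fire.

    The parent check is what separates a Run-dialog paste from the same
    command run inside an existing console or by a scheduled task; widen
    RUN_DIALOG_PARENTS if your telemetry shows other launchers.
    """
    if basename(event["Image"]) not in SHELLS:
        return []
    if basename(event["ParentImage"]) not in RUN_DIALOG_PARENTS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]


def detect(events) -> list:
    """Run classify() over a stream of events and keep only the ones that fire."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append(Finding(ev["EventID"], basename(ev["Image"]), reasons))
    return findings


# Constructed sample events; the encoded blob is filler, not a real payload.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc QUJDRA=="},
    {"EventID": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -NoProfile -Command "Get-Date"'},  # benign Run-dialog use
    {"EventID": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc QUJDRA=="},                   # not launched from explorer.exe
    {"EventID": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/lure"},            # non-PowerShell variant
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Events 1 and 4 fire; event 2 is an ordinary administrator using the Run dialog and event 3 is the same encoded command with a different parent, which this rule deliberately leaves to other detections. Treat the reason list as a score input rather than a verdict, since a single hit such as a URL in a command line is common in legitimate scripts.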

Researchers also discovered earlier LOSTKEYS variants masquerading as Maltego binaries from December 2023, though connections to COLDRIVER remain unconfirmed.
The broader adoption of ClickFix has been noted, with other malware families like Lampion and Atomic Stealer using similar lures. Lampion targets Portuguese-speaking users through phishing emails with ZIP attachments and multi-stage infection chains, complicating detection.

Atomic Stealer uses a combined strategy of ClickFix and EtherHiding, hiding payloads within Binance Smart Chain (BSC) contracts and leveraging clipboard tricks to infect macOS users.
A large-scale campaign, MacReaper, has compromised roughly 2,800 websites to serve fake CAPTCHA prompts, using obfuscated JavaScript and blockchain-based infrastructure to avoid detection.
These developments reflect a growing trend of sophisticated social engineering combined with stealthy malware delivery and highlight the need for increased user awareness and strong endpoint protection.
Impact
- Credential Theft
- Data Exfiltration
- Cyber Espionage
- Unauthorized Access
Indicators of Compromise
Domain Name
cloudmediaportal.com
njala.dev
IP
165.227.148.68
80.66.88.67
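The remediation section asks you to block these indicators and search your environment for them. The script below is an added example, not part of the advisory, that does the search over DNS resolver output. The log layout is an assumption (one space-separated line per answer: timestamp, client, queried name, answer) and the sample lines are constructed; the indicators are the two domains and two addresses listed above. It matches domains on label boundaries so that a look-alike name that merely ends in the same string is not counted.

```python
"""Match DNS log lines against the advisory's indicators (added example,
not part of the advisory).  Log layout is an assumption:
    <timestamp> <client> <queried-name> <answer>
and the sample lines are constructed.  Indicators are the ones listed above."""
import ipaddress

IOC_DOMAINS = {"cloudmediaportal.com", "njala.dev"}
IOC_IPS = {ipaddress.ip_address(a) for a in ("165.227.148.68", "80.66.88.67")}


def domain_matches(name: str) -> bool:
    """True for an IOC domain or any subdomain of it.

    Normalises case and a trailing dot, and matches on label boundaries so
    that a look-alike such as notcloudmediaportal.com is not a hit.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(value: str) -> bool:
    """True if the value parses as an address in the IOC set.

    Non-address answers (CNAME targets, SERVFAIL markers) are ignored.
    """
    try:
        return ipaddress.ip_address(value) in IOC_IPS
    except ValueError:
        return False


def scan(lines) -> list:
    """Return (timestamp, client, name, answer, reasons) for every line that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:  # malformed or truncated line: skip rather than crash
            continue
        ts, client, qname, answer = parts[:4]
        reasons = []
        if domain_matches(qname):
            reasons.append("domain")
        if ip_matches(answer):
            reasons.append("ip")
        if reasons:
            hits.append((ts, client, qname, answer, reasons))
    return hits


# Constructed sample log; addresses other than the IOCs come from documentation ranges.
SAMPLE_LOG = [
    "2025-05-08T10:01:02Z 10.0.0.15 www.example.com 192.0.2.10",
    "2025-05-08T10:02:10Z 10.0.0.21 cdn.cloudmediaportal.com 165.227.148.68",
    "2025-05-08T10:03:44Z 10.0.0.21 NJALA.DEV. 203.0.113.9",
    "2025-05-08T10:04:00Z 10.0.0.33 notcloudmediaportal.com 198.51.100.7",
    "2025-05-08T10:05:12Z 10.0.0.40 updates.example.org 80.66.88.67",
    "2025-05-08T10:06:00Z 10.0.0.40 mail.example.org cname-target.example.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Three lines hit: the subdomain of cloudmediaportal.com resolving to an IOC address (both reasons), the upper-cased query for njala.dev with a trailing dot, and an unrelated name that resolved to 80.66.88.67, which is the case a domain-only search would miss. The same two functions can be pointed at proxy or firewall logs by changing which columns are passed in.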
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement application allowlisting to prevent unauthorized script execution.
- Disable PowerShell for non-administrative users or restrict its usage through logging and policy controls.
- Educate users to avoid executing unknown scripts or commands from websites, especially prompts that instruct them to paste commands into the Run dialog.
- Deploy advanced email filtering solutions to detect and block phishing attachments and links.
- Regularly update and patch operating systems and software to fix known vulnerabilities.
- Monitor clipboard activity and block suspicious clipboard-based execution patterns.
- Use behavioral-based endpoint protection solutions to detect multi-stage and obfuscated malware.
- Segment networks and apply least privilege access to limit lateral movement.
- Conduct regular threat hunting for indicators of compromise (IOCs) associated with known APT groups.
- Enforce multi-factor authentication across all user accounts to prevent unauthorized access.
- Monitor DNS and network traffic for connections to known malicious IPs or domains.
- Audit access to sensitive data and enable real-time alerts for suspicious activity.
- Regularly back up critical data and verify the integrity of backups.
- Block access to known compromised websites or those hosting malicious CAPTCHA-style lures.
- Collaborate with threat intelligence platforms to stay informed about emerging tactics and malware trends.