
Google Uncovers New ‘LOSTKEYS’ Malware Linked to Cold River Hackers – How White Cloud Security Stops It

A New Cyber Threat Surfaces

In a recent security bulletin, Google's Threat Analysis Group (TAG) disclosed the discovery of a new malware strain dubbed "LOSTKEYS", which has been attributed to the Cold River hacking group—a Russia-based advanced persistent threat (APT) actor known for cyber-espionage and targeted phishing campaigns. This group has previously been linked to attacks on NATO countries, defense contractors, and nuclear researchers.

According to Google TAG's findings, the LOSTKEYS malware exhibits sophisticated evasion techniques, including DLL sideloading, encrypted payloads, and timed execution triggers. Its primary purpose is believed to be credential theft and remote access to high-value systems, with recent campaigns targeting Western diplomatic entities and critical infrastructure organizations.

"Cold River continues to evolve its capabilities, and LOSTKEYS represents a significant step forward in stealth and persistence," said Shane Huntley, head of Google's Threat Analysis Group.

Technical Details of LOSTKEYS

  • Delivery Method: Spear-phishing emails with malicious links or file attachments.
  • Execution: Uses living-off-the-land binaries (LOLBins) to avoid detection.
  • Persistence: Establishes hidden registry keys and schedules tasks under legitimate system services.
  • C2 Communication: Encrypted traffic routed through compromised infrastructure.
  • Payload Objective: Exfiltration of credentials, SSH keys, and surveillance of system activity.

Google has released updated IOCs (Indicators of Compromise) and YARA rules for defenders to track and mitigate the malware's spread. [1]

How White Cloud Security Stops LOSTKEYS and Similar Threats

White Cloud Security Trust Lockdown takes a fundamentally different approach to endpoint protection. Rather than trying to detect and react to ever-evolving malware signatures, Trust Lockdown enforces a Zero-Trust Application Control model that only allows pre-authorized programs to run. Here’s how LOSTKEYS would be neutralized:

🔐 Trust Lockdown Prevents Execution

LOSTKEYS attempts to execute through unauthorized DLLs and system processes. Trust Lockdown blocks these at the kernel level because:

  • The malware’s payload is not part of the approved software inventory.
  • Even if it masquerades as a system file, its Handprint or Code-Signing Certificate won't match approved policy settings.

🛡️ Monitor Mode Alerts on Suspicious Behavior

If Trust Lockdown is in Monitor Mode during the initial phase of an attack, it:

  • Logs unauthorized executions (e.g., abnormal PowerShell behavior or new registry writes).
  • Sends real-time alerts to the SOC team for review, providing a full audit trail of the attack chain.

🚫 Block Mode Halts Malware at First Contact

Once policies are enforced in Blocking Mode, LOSTKEYS cannot even begin to execute. The attack is stopped on the first software download, preventing any chance of system compromise.
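To make the allow-list model described in the last three sections concrete, here is a small added Python example. It is not White Cloud Security's code and does not reflect Trust Lockdown's actual policy format; it assumes a "handprint" is the SHA-256 of a file's contents, uses constructed byte strings in place of real binaries, and uses a hypothetical signer subject. It shows why a file that masquerades under a trusted system path is still denied (identity comes from the hash or the verified signer, never the path), and how the same denial is only logged in Monitor Mode but stops execution in Block Mode.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for on-disk binaries; real enforcement hashes the actual files.
SYSTEM_CMD = b"constructed bytes: approved system binary"
VENDOR_AGENT = b"constructed bytes: vendor-signed agent"
SIDELOADED_DLL = b"constructed bytes: unapproved DLL dropped by a phishing lure"

# Hypothetical code-signing subject, standing in for a vendor certificate the policy trusts.
TRUSTED_SUBJECT = "CN=Example Vendor Ltd, O=Example Vendor Ltd, C=US"


def handprint(data: bytes) -> str:
    """SHA-256 of the file contents, used here as the 'handprint' identity of a binary."""
    return hashlib.sha256(data).hexdigest()


# Approved inventory (constructed): explicit handprints plus trusted signer subjects.
APPROVED_HANDPRINTS = {handprint(SYSTEM_CMD)}
APPROVED_SIGNERS = {TRUSTED_SUBJECT}


@dataclass(frozen=True)
class ExecEvent:
    path: str              # where the loader found the file
    data: bytes            # file contents, hashed at decision time
    signer: Optional[str]  # verified code-signing subject; None if unsigned or signature invalid
    parent: str            # process that requested the load


def decide(event: ExecEvent) -> tuple[bool, str]:
    """Allow-list decision: identity is the content hash or a verified signer, never the path."""
    hp = handprint(event.data)
    if hp in APPROVED_HANDPRINTS:
        return True, f"handprint {hp[:12]}... is in the approved inventory"
    if event.signer is not None and event.signer in APPROVED_SIGNERS:
        return True, f"signed by approved subject {event.signer!r}"
    return False, "not in the approved inventory (unknown handprint, untrusted or missing signer)"


def enforce(event: ExecEvent, mode: str, audit: list[str]) -> str:
    """Apply the decision under 'monitor' (log only) or 'block' (deny) mode; returns the action."""
    allowed, reason = decide(event)
    if allowed:
        action = "allowed"
    elif mode == "monitor":
        action = "logged"   # execution proceeds, but the SOC receives an alert with full context
    elif mode == "block":
        action = "blocked"  # execution is denied before the first instruction runs
    else:
        raise ValueError(f"unknown mode {mode!r}")
    audit.append(
        f"mode={mode} action={action} parent={event.parent} path={event.path} reason={reason}"
    )
    return action


def demo() -> dict[str, str]:
    """Run three constructed events through both modes and return the actions taken."""
    legit = ExecEvent(r"C:\Windows\System32\cmd.exe", SYSTEM_CMD, None, "explorer.exe")
    signed = ExecEvent(r"C:\Program Files\Vendor\agent.exe", VENDOR_AGENT, TRUSTED_SUBJECT, "services.exe")
    # Masquerading: unapproved contents placed under a trusted-looking system path (constructed).
    masq = ExecEvent(r"C:\Windows\System32\helper.dll", SIDELOADED_DLL, None, "powershell.exe")

    audit: list[str] = []
    results = {
        "legit/block": enforce(legit, "block", audit),
        "signed/block": enforce(signed, "block", audit),
        "masq/monitor": enforce(masq, "monitor", audit),
        "masq/block": enforce(masq, "block", audit),
    }
    for line in audit:  # the audit trail a SOC would review
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

The design point is that the decision never consults `event.path`: a payload copied into a system directory is still an unknown handprint with no trusted signer, so it is logged in Monitor Mode and denied in Block Mode, regardless of what it is named.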

🧠 Immunity to Fileless and Living-Off-the-Land Attacks

Unlike signature-based antivirus, White Cloud Security does not rely on matching known malware. It inherently blocks fileless attacks like LOLBins and command-line obfuscation used by LOSTKEYS, because unauthorized execution is never permitted.

Why This Matters

With threats like LOSTKEYS becoming more advanced and stealthy, traditional antivirus and EDR solutions can lag behind. Cold River and similar APT groups are increasingly using polymorphic malware and zero-day exploits to bypass detection.

White Cloud Security's model does not depend on detecting malware, but rather prevents unapproved software from running, making it highly effective even against a brand-new, undetected malware strain.

As Cold River continues to target high-value organizations globally, adopting a Zero-Trust Endpoint Protection framework like White Cloud Security's Trust Lockdown is an essential cybersecurity solution for operational resilience and data protection.

References

  1. Google Threat Analysis Group. "Cold River: Persistent Threat Activity from Russia-aligned Actors". April 2025. Google TAG Blog.
  2. The Record. "Google Links LOSTKEYS Malware to Russian Group Cold River". May 2025. The Record.
  3. MITRE ATT&CK. "Tactics and Techniques Used by Cold River". MITRE ATT&CK Framework.
  4. White Cloud Security. "Trust Lockdown Technology Overview". whitecloudsecurity.com.