
First reported by Reuters and detailed in a Google Threat Intelligence Group (GTIG) blog post on Wednesday, LOSTKEYS marks a notable step up in Cold River's toolset: it steals files and system information from compromised machines, extending the group's long-running espionage campaign against Russia's geopolitical rivals.
The Cold River Group: Operating in the Shadows, Striking Strategic Assets
Cybersecurity professionals say Cold River, an elusive hacking group tracked by other vendors under names including Callisto, Star Blizzard and UNC4057, focuses on undermining Western governments and institutions in support of Russia's strategic objectives.
Between January and April 2025, Cold River ran a wide-ranging campaign, documented by GTIG, against current and former advisors to Western governments, journalists, global policy think tanks, NGOs, and individuals and organizations connected to Ukraine.
Cold River first drew widespread scrutiny in 2022, when it was linked to attacks on U.S. nuclear research laboratories and to the leak of sensitive emails belonging to prominent British figures involved in Brexit.
LOSTKEYS: A Stealthy Cyber Tool Designed for Espionage
GTIG researcher Wesley Shields, who authored the report, says LOSTKEYS reflects a significant evolution in Cold River's toolkit. Unlike the group's simpler earlier tooling, LOSTKEYS is delivered in stages and is built to:
- Harvest files from infected machines
- Collect system information used to profile victims
- Send the collected data to attacker-controlled servers
With LOSTKEYS now in active use, Google advises likely targets to harden their defenses: keep software up to date, deploy threat detection, and run phishing-awareness training. Organizations working in defense or geopolitical intelligence are at particular risk. The malware, experts say, illustrates how modern state-backed cyber campaigns increasingly combine intelligence collection with broader influence operations.