Google warns of Russian hackers ColdRiver wielding new malware tools

May 9, 2025



A known Russian cybercrime outfit has armed itself with a new malware suite that allows for the theft of user accounts and credentials, posing a substantial threat to organizations in the West.

The group known as “ColdRiver” has been spotted in the wild using a previously unknown piece of data-stealing malware designated as “LostKeys.” According to the Google Threat Intelligence Group (GTIG), the malware is able to covertly swipe credentials for specific services from target machines.

The Google researchers said the malware poses a direct threat to organizations in the West, as ColdRiver primarily targets U.S.- and Europe-based entities in the government, non-governmental organization, and media sectors for data-harvesting and monitoring operations.

“LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker,” wrote GTIG researcher Wesley Shields.

“Observed in January, March, and April 2025, LOSTKEYS marks a new development in the toolset of COLDRIVER, a group primarily known for credential phishing against high-profile targets like NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers.”

Shields noted that the LostKeys malware appears to be passive in nature, harvesting information from the target PC and then uploading the collected data to a remote server for later access. However, the researchers have noted instances where the attacks aim to directly connect with infected machines via a backdoor connection.

This is not the first time the ColdRiver group has appeared on the radar of security researchers. The group, which goes by a number of aliases, including “StarBlizzard,” “Callisto” and “BlueCharlie,” has been active since at least 2013.

While it is believed that the ColdRiver hackers operate as an independent group outside of direct government employment, the crew’s targets and interests often align with those of the Kremlin, suggesting that the hackers are at least operating under the guidance and influence of the Russian government and its intelligence agencies.

Such activity has become a growing trend in the threat landscape, as governments have increasingly hidden their state-sponsored hacking campaigns behind the guise of independent groups and hacktivist operations. Russia in particular has been accused of hiding its activities behind supposedly unaffiliated hacking brands.

“Recent targets in COLDRIVER’s campaigns have included current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs,” Shields explained. “The group has also continued targeting individuals connected to Ukraine. We believe the primary goal of COLDRIVER’s operations is intelligence collection in support of Russia’s strategic interests.”
