In a major cyber intelligence disclosure, Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated new malware strain dubbed “LOSTKEYS”, believed to be deployed by the Cold River hacking group—a Russia-aligned entity allegedly connected to the country’s powerful intelligence agency, the Federal Security Service (FSB).
Revealed in a blog post published Wednesday and first reported by Reuters, the malware reflects a sharp escalation in the group’s espionage toolkit. Designed to steal files and exfiltrate system data, LOSTKEYS is seen as a new chapter in Cold River’s long-standing campaign to collect strategic intelligence and undermine geopolitical adversaries.
Cold River: A Shadowy Group With Strategic Targets
The Cold River group, also known by multiple aliases, has a documented history of targeting Western political, military, and research institutions. According to cybersecurity experts, the group’s primary goal is to further Russian state interests through information warfare and digital espionage.
Between January and April 2025, Google researchers documented a campaign in which Cold River targeted a broad array of individuals and organizations, including:
- Advisors (both current and former) to Western governments and militaries
- Journalists and media personnel
- International think tanks
- NGOs and human rights groups
- Ukrainian-affiliated individuals and institutions
The targeting of such entities underscores the group’s focus on intelligence gathering, psychological operations, and foreign policy manipulation.
Cold River first came into prominence in 2022, when it was linked to cyberattacks against U.S. nuclear research laboratories and the leaking of private emails from former British intelligence chief Sir Richard Dearlove and others associated with pro-Brexit campaigns.
LOSTKEYS: A Malware Built for Covert Surveillance
According to Wesley Shields, a researcher with GTIG, the LOSTKEYS malware marks a notable enhancement in Cold River’s cyber capabilities. Unlike earlier tools, which primarily relied on phishing and credential theft, LOSTKEYS is a multi-stage malware that focuses on:
- Harvesting sensitive documents from infected devices
- Collecting system-level data for profiling targets
- Establishing covert communication channels to remote servers
“This is a new development in their toolset,” said Shields. “It indicates not just evolution but active investment in expanding the group’s capacity for espionage.”
Security researchers believe LOSTKEYS is being used in targeted spear-phishing campaigns, where deceptive emails trick recipients into executing malicious attachments or links. Once installed, the malware operates silently in the background, compromising the victim’s data and privacy.
Geopolitical Implications and Defensive Measures
The emergence of LOSTKEYS comes at a time of heightened cyber tension between Western nations and Russia, particularly amid ongoing global conflicts and shifting diplomatic alignments. Analysts view the malware as part of a wider strategy by state-aligned threat actors to destabilize or gain insight into foreign policymaking, defense strategy, and civil society.
The Russian embassy in Washington D.C. has not yet issued a statement in response to the allegations raised in the report.
Google has called on potential target groups to tighten cybersecurity protocols, regularly update systems, and deploy advanced threat detection tools. It also advised organizations handling sensitive geopolitical or defense-related information to train personnel against phishing tactics and monitor for suspicious activity.
Cybersecurity experts believe the discovery of LOSTKEYS reflects not just a technical shift in espionage tools, but a broader operational doctrine where cyberwarfare is increasingly blurred with intelligence gathering and influence operations.
As tensions grow in the digital domain, the evolving playbook of groups like Cold River will remain a focus for international security agencies and cyber defense teams alike.