TRENDING TOPICS MAY 08, 2025

COLDRIVER Deploys LOSTKEYS Malware in Targeted Espionage Campaign Using ClickFix 

COLDRIVER, a Russian state-aligned threat group also tracked as Callisto and Star Blizzard, has shifted tactics by deploying a new custom malware called LOSTKEYS. This marks a notable evolution from their typical credential phishing operations to direct device compromise in highly targeted espionage campaigns. The group has been observed using LOSTKEYS in attacks throughout early 2025 against individuals connected to Western governments, military circles, NGOs, and Ukraine. The infection chain begins with a decoy site showing a fake CAPTCHA that prompts the victim to run a PowerShell command copied to their clipboard—a social engineering trick known as ClickFix. Once executed, this command contacts a remote server, performs anti-analysis checks, and delivers a third-stage PowerShell script. This final stage installs LOSTKEYS, which is designed to collect system details, active processes, and specific files from hard-coded directories and file types. We’ve previously reported on multiple threat actors adopting ClickFix with varying delivery methods, and this campaign demonstrates how COLDRIVER is now leveraging that same approach to push custom malware. LOSTKEYS appears to be carefully deployed, reinforcing that these attacks are meant for strategic intelligence gathering rather than broad-based disruption. Google researchers noted that LOSTKEYS was also disguised in older samples, impersonating tools like Maltego, suggesting early experimentation before its formal rollout in January 2025. These samples may represent initial testing phases or repurposing efforts, although attribution to COLDRIVER remains strongest with the more recent activity. With LOSTKEYS following the earlier SPICA malware, COLDRIVER is expanding its toolkit to include more persistent and system-level access techniques, signaling a more aggressive phase in its cyber operations. 

LockBit Ransomware Group Hit by Devastating Breach, Operational Secrets Exposed 

LockBit, once a dominant force in the global ransomware landscape, has suffered a major breach of its infrastructure, resulting in the defacement of its dark web sites and the public leak of its internal MySQL database. On May 7, visitors to LockBit's admin panels were met with a mocking message—“Don’t do crime CRIME IS BAD xoxo from Prague”—and a link to download a file titled “paneldb_dump[.]zip.” The dump, generated around April 29, contains twenty database tables exposing operational data from the group’s affiliate panel. Among the most revealing content are 59,975 unique Bitcoin wallet addresses linked to ransom payments, 4,442 negotiation chat logs, ransomware builds configured for specific targets, and a full user table listing 75 LockBit affiliates and administrators with passwords stored in plaintext. This includes crude password examples, highlighting the group’s failure to follow basic security hygiene despite its business in breaching others. The incident lays bare LockBit’s internal workings at a level of detail that security researchers call invaluable. It reveals how the group structures its ransomware deployments and customizes builds for individual victims, including decisions to skip ESXi servers and to avoid potentially traceable payment infrastructure. LockBit has attempted to minimize the damage, claiming that no decryption keys or stolen victim data were compromised, though that does little to offset the reputational collapse among its affiliates. The breach follows the February 2024 Operation Cronos takedown, which had already disrupted 34 of the group’s servers. We’ve also reported previously on various techniques used by threat actors to manipulate dark web infrastructure; this breach confirms that LockBit is not immune to the same exploitation tactics. Whether this is the group’s death blow remains to be seen, but trust in its ability to maintain operational secrecy has been thoroughly shattered.

CoGUI Phishing Kit Sends Over Half a Billion Emails in Massive Credential Theft Campaign 

A newly uncovered phishing kit known as CoGUI has been linked to more than 580 million phishing emails sent between January and April 2025, making it one of the most aggressive and high-volume credential theft operations currently circulating. Discovered by Proofpoint researchers, CoGUI impersonates major brands including Amazon, Apple, PayPal, Rakuten, tax agencies, and banks to trick users into revealing login credentials and payment details. January saw the peak of this activity, with 170 separate campaigns delivering over 172 million messages. While Japan remains the primary target, smaller campaigns were also aimed at users in the U.S., Canada, Australia, and New Zealand. CoGUI has been active since at least October 2024, though it came under closer scrutiny in December as the scale of its operations became apparent. Proofpoint confirmed this is the largest phishing campaign they currently track. CoGUI’s attack chain begins with an email containing an urgent message, directing users to click a link that leads to a phishing site if they meet certain pre-defined criteria. These conditions include IP location, device type, browser language, and other system details. If a target doesn't match the requirements, they are redirected to the legitimate website of the impersonated brand, likely to avoid raising red flags. Valid targets, however, are funneled into fake login pages that mimic real sites with high visual accuracy. The infrastructure appears to serve multiple threat actors, predominantly China-based and primarily targeting Japanese users, though researchers warn that broader global targeting is only a matter of time. While the kit shares some surface-level similarities with Darcula, Proofpoint determined CoGUI is a separate tool, albeit used by similar actor profiles. Given the scale and precision of this operation, the kit's potential for global expansion poses a serious risk to user security across multiple sectors. 

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.