Thursday, May 8, 2025
Google uncovers ‘LOSTKEYS’ malware linked to Russian-backed Cold River hackers | Mint -DellyRanks


Google has uncovered a new strain of malware, dubbed “LOSTKEYS”, believed to be the work of Cold River, a Russian-aligned hacking group reportedly connected to the country’s Federal Security Service (FSB), reported Reuters.


According to a blog post published on Wednesday by Google’s Threat Intelligence Group (GTIG), the newly identified malware represents a significant advancement in Cold River’s cyber capabilities. LOSTKEYS is designed to steal files and transmit system data back to its operators, expanding the group’s known toolkit for espionage.

Wesley Shields, a researcher at GTIG, stated that the malware signals “a new development in the toolset” used by the group, which has a history of targeting sensitive political and strategic entities.

All about the Cold River group

Cold River, also known under various aliases, has been linked to previous cyber operations aimed at high-profile Western individuals and institutions. The group’s primary mission, experts say, is the collection of intelligence that furthers Russian geopolitical interests.

Recent surveillance by Google’s researchers shows that, between January and April 2025, Cold River targeted advisers—both current and former—to Western governments and military institutions. Other victims reportedly included journalists, international think tanks, non-governmental organisations, and individuals associated with Ukraine.

The Russian embassy in Washington has yet to respond to requests for comment on the allegations.

Cold River has previously drawn attention for its audacious operations. In mid-2022, the group was accused of targeting three nuclear research facilities in the United States. Later that year, it was implicated in the leaking of private emails belonging to former British intelligence chief Sir Richard Dearlove, alongside other individuals associated with pro-Brexit activities.

Cybersecurity analysts warn that the emergence of LOSTKEYS underscores a broader escalation in cyber espionage tactics being employed by state-linked actors. Google has urged targeted organisations and individuals to remain vigilant and adopt updated security measures to mitigate potential risks.

(With inputs from Reuters)
