Since the start of the year, the Russian state-backed ColdRiver hacking group has been using new LostKeys malware to steal files in espionage attacks targeting Western governments, journalists, think tanks, and non-governmental organizations.

In December, the United Kingdom and Five Eyes allies linked ColdRiver to Russia’s Federal Security Service (FSB), the country’s counterintelligence and internal security service.

Google Threat Intelligence Group (GTIG) first observed LostKeys being “deployed in highly selective cases” in January as part of ClickFix social engineering attacks, where the threat actors trick targets into running malicious PowerShell scripts.