Insights, news, education and announcements from PolySwarm

Star Blizzard’s LOSTKEYS Malware

Written by The Hivemind | May 19, 2025 5:20:19 PM

Verticals Targeted: NGOs, Diplomats, Government  
Regions Targeted: Western countries, Eastern Europe, Ukraine  
Related Families: Spica

Executive Summary

Star Blizzard, a Russian state-sponsored threat actor, has deployed a malware family named LOSTKEYS to steal sensitive documents and system information from NGOs, diplomats, and government officials in Western countries and Eastern Europe.

Key Takeaways

  • LOSTKEYS, a modular malware, targets sensitive documents and system data, exfiltrating them via attacker-controlled infrastructure.
  • Star Blizzard employs spear-phishing with malicious PDFs hosted on legitimate cloud platforms to deliver LOSTKEYS.
  • Targets include NGOs, diplomatic entities, and government officials, with a focus on Western countries and Eastern Europe.
  • The campaign aligns with Russia’s strategic intelligence collection objectives, leveraging encrypted payloads to evade detection.

What is LOSTKEYS?

Star Blizzard, a Russian state-sponsored threat actor group, was observed using malware to target NGOs, diplomatic entities, and government officials across Western countries and Eastern Europe. The campaign deploys LOSTKEYS, a modular malware designed to steal sensitive documents and system information, marking a significant escalation from Star Blizzard’s traditional credential phishing tactics. Google’s Threat Intelligence Group reported on this activity.

LOSTKEYS is a sophisticated, modular malware tailored for data exfiltration. Unlike Star Blizzard’s earlier reliance on phishing for credentials, LOSTKEYS focuses on harvesting sensitive files and system metadata. The malware is delivered through spear-phishing emails containing malicious PDFs hosted on legitimate cloud platforms like Google Drive or Microsoft OneDrive. These PDFs include embedded links to attacker-controlled domains, which trigger the download of an encrypted LOSTKEYS payload.

Upon execution, LOSTKEYS decrypts its payload and performs the following actions:

  • File Collection: Targets documents with extensions such as .docx, .pdf, and .xlsx, prioritizing files likely to contain sensitive information.
  • System Enumeration: Gathers system information, including hostname, username, and network configuration.
  • Data Exfiltration: Encrypts stolen data and transmits it to attacker-controlled servers via HTTPS, ensuring stealthy communication.

The malware’s modular design allows Star Blizzard to customize its functionality based on the target, enhancing its adaptability. LOSTKEYS employs encrypted payloads and legitimate cloud infrastructure to evade detection, complicating traditional signature-based defenses. Its integration with Star Blizzard’s infrastructure suggests a well-resourced operation, likely supported by Russian intelligence objectives. The group’s history of targeting NGOs, think tanks, journalists, and government officials aligns with LOSTKEYS’ victimology. The campaign’s focus on Western countries, Eastern Europe, and Ukraine-based entities reflects Russia’s strategic interest in intelligence collection. Spear-phishing remains Star Blizzard’s primary delivery vector, leveraging social engineering to exploit trusted cloud platforms. The use of newly created Gmail accounts for phishing emails, as observed in prior campaigns, continues to obscure attribution and hinder tracking.

LOSTKEYS represents a tactical evolution for Star Blizzard, shifting from credential theft to direct data exfiltration. Its focus on NGOs and diplomatic entities underscores the group’s intent to gather intelligence on policy, defense, and humanitarian activities. The targeting of Eastern European countries and Ukraine aligns with Russia’s geopolitical priorities, particularly in the context of ongoing regional tensions. 

The campaign highlights the need for robust email security and user awareness training. The reliance on spear-phishing underscores the human element as a critical attack vector. The use of legitimate cloud platforms for malware delivery complicates trust in widely used services, necessitating enhanced scrutiny of cloud-hosted content. Star Blizzard’s deployment of LOSTKEYS marks a significant escalation in its cyberespionage capabilities, targeting sensitive data from NGOs, diplomats, and government officials in Western countries and Eastern Europe. By leveraging legitimate cloud platforms and encrypted payloads, the group enhances its ability to evade detection while advancing Russia’s strategic intelligence goals. 

Who is Star Blizzard?

Star Blizzard, also known as SEABORGIUM, Callisto Group, TA446, COLDRIVER, BlueCharlie, and UNC4057, is a Russian cyber espionage group active since at least 2017. The group is thought to be associated with the Russian Federal Security Service (FSB) Centre 18, indicating strong ties to Russian intelligence. Star Blizzard employs sophisticated spear-phishing campaigns to target sensitive information, primarily focusing on credential theft and data exfiltration. 

The group conducts extensive open-source reconnaissance, leveraging social media and professional networking platforms to craft convincing lures, such as fake event invitations or impersonated contacts. They use tools like EvilGinx to bypass multifactor authentication and establish mail-forwarding rules for persistent email access. Additionally, Star Blizzard hosts phishing lures on legitimate cloud platforms like Google Drive and Proton Drive, often using password-protected PDFs to evade detection.

Star Blizzard targets academia, defense, government organizations, NGOs, think tanks, journalists, and the energy sector, with a pronounced focus on NATO countries, particularly the US and UK, as well as Ukraine and Eastern Europe. Their operations align with Russian state interests, including intelligence gathering on defense, international relations, and Ukraine-related activities. Since 2022, Star Blizzard has adapted tactics to enhance evasion, demonstrating resilience despite domain seizures by Microsoft and the US Department of Justice.

IOCs

PolySwarm has multiple samples associated with this activity.

 

3233668d2e4a80b17e6357177b53539df659e55e06ba49777d0d5171f27565dd

13f7599c94b9d4b028ce02397717a1282a46f07b9d3e2f8f2b3213fa8884b029

4c7accba35edd646584bb5a40ab78f963de45e5fc816e62022cd7ab1b01dae9c

6b85d707c23d68f9518e757cc97adb20adc8accb33d0d68faf1d8d56d7840816

6bc411d562456079a8f1e38f3473c33ade73b08c7518861699e9863540b64f9a

28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9

 

You can use the following CLI command to search for all LOSTKEYS samples in our portal:

$ polyswarm link list -f LOSTKEYS

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post