{ "type": "Domain", "indicator": "cloudmediaportal.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cloudmediaportal.com", "alexa": "http://www.alexa.com/siteinfo/cloudmediaportal.com", "indicator": "cloudmediaportal.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4066628681, "indicator": "cloudmediaportal.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "681ba0e01c36344c7ac60892", "name": "COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs", "description": "Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered through a multi-step infection chain, starting with a fake CAPTCHA and involving PowerShell commands. The malware evades detection in VMs and uses a substitution cipher for decoding. COLDRIVER's primary goal is intelligence collection for Russia's strategic interests, targeting Western governments, militaries, journalists, and Ukraine-related individuals. The group has been linked to hack-and-leak campaigns in the UK and against NGOs.", "modified": "2025-06-05T21:52:32.991000", "created": "2025-05-07T18:05:20.713000", "tags": [ "powershell", "clickfix", "spica", "phishing", "document theft", "credential theft", "lostkeys", "ngos" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" ], "public": 1, "adversary": "Callisto", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense", "NGO", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 9 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 387058, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681efa85136c18a881af2661", "name": "Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information", "description": "The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO governments, NGOs, and former intelligence officers. The malware exfiltrates specific files, harvests system information, and targets individuals linked to Ukraine or Western governments. COLDRIVER's primary goal appears to be intelligence collection aligned with Russia's interests. The infection chain involves a complex multi-stage process, beginning with a fake CAPTCHA and employing various evasion tactics. Google has implemented countermeasures and recommends enhanced security measures for users.", "modified": "2025-05-12T08:06:35.863000", "created": "2025-05-10T07:04:37.198000", "tags": [ "powershell", "ngo", "intelligence collection", "lostkeys", "russian hackers", "captcha", "western governments", "multi-stage infection", "ukraine", "nato" ], "references": [ "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp" ], "public": 1, "adversary": "Callisto", "targeted_countries": [ "Russian Federation", "Ukraine", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 387056, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695ccc8544f275a44d96bd7b", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "", "modified": "2026-01-06T08:49:09.529000", "created": "2026-01-06T08:49:09.529000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": "693417b3b78f8baed9c055c0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693417b3b78f8baed9c055c0", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "In May and June 2025, the intrusion set known as Calisto, also referred to as ColdRiver or Star Blizzard, targeted the French NGO Reporters Without Borders (RSF) through a series of spear phishing attempts. This campaign aligns with Calisto's established tactics, techniques, and procedures (TTPs), primarily involving credential harvesting and potential code execution through methods like the ClickFix technique. These attacks specifically aim at entities supporting Ukraine, indicating the actor's ongoing interest in politically motivated targets.\n\nThe operation against Reporters Without Borders began in March 2025 when the NGO reported a suspicious phishing email received by one of its core members. The email originated from a ProtonMail address designed to mimic a trusted contact, soliciting a review of a non-existent document.", "modified": "2026-01-05T11:00:06.923000", "created": "2025-12-06T11:46:59.940000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681e5cadbf812411c994b448", "name": "Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information", "description": "Google has issued safety alerts to Gmail and Workspace users following a series of high-profile cyber-attack campaigns by a Russian government-backed threat actor, as Amanra reveals its latest findings.", "modified": "2025-06-08T19:03:31.556000", "created": "2025-05-09T19:51:09.004000", "tags": [ "coldriver", "lostkeys", "gtig", "payload", "december", "ngos", "captcha", "soc team", "google threat", "unc4057", "april", "ukraine" ], "references": [ "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Russian Federation" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "359 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68218490a9aec83efb905594", "name": "COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs", "description": "", "modified": "2025-05-12T05:18:08.069000", "created": "2025-05-12T05:18:08.069000", "tags": [ "powershell", "clickfix", "spica", "phishing", "document theft", "credential theft", "lostkeys", "ngos" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense", "NGO", "Media" ], "TLP": "white", "cloned_from": "681ba0e01c36344c7ac60892", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "387 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681c607d87220420feaa2093", "name": "IOC - COLDRIVER Using New Malware To Steal Documents", "description": "", "modified": "2025-05-08T07:42:53.206000", "created": "2025-05-08T07:42:53.206000", "tags": [ "powershell", "clickfix", "spica", "phishing", "document theft", "credential theft", "lostkeys", "ngos" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense", "NGO", "Media" ], "TLP": "white", "cloned_from": "681ba0e01c36344c7ac60892", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "391 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/", "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp/", "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos", "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp" ], "related": { "alienvault": { "adversary": [ "Callisto" ], "malware_families": [ "Lostkeys" ], "industries": [ "Government", "Media", "Ngo", "Defense" ] }, "other": { "adversary": [ "COLDRIVER" ], "malware_families": [ "Lostkeys", "Calisto" ], "industries": [ "Government", "Media", "Defense", "Ngo", "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "681ba0e01c36344c7ac60892", "name": "COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs", "description": "Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered through a multi-step infection chain, starting with a fake CAPTCHA and involving PowerShell commands. The malware evades detection in VMs and uses a substitution cipher for decoding. COLDRIVER's primary goal is intelligence collection for Russia's strategic interests, targeting Western governments, militaries, journalists, and Ukraine-related individuals. The group has been linked to hack-and-leak campaigns in the UK and against NGOs.", "modified": "2025-06-05T21:52:32.991000", "created": "2025-05-07T18:05:20.713000", "tags": [ "powershell", "clickfix", "spica", "phishing", "document theft", "credential theft", "lostkeys", "ngos" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" ], "public": 1, "adversary": "Callisto", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense", "NGO", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 9 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 387058, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681efa85136c18a881af2661", "name": "Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information", "description": "The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO governments, NGOs, and former intelligence officers. The malware exfiltrates specific files, harvests system information, and targets individuals linked to Ukraine or Western governments. COLDRIVER's primary goal appears to be intelligence collection aligned with Russia's interests. The infection chain involves a complex multi-stage process, beginning with a fake CAPTCHA and employing various evasion tactics. Google has implemented countermeasures and recommends enhanced security measures for users.", "modified": "2025-05-12T08:06:35.863000", "created": "2025-05-10T07:04:37.198000", "tags": [ "powershell", "ngo", "intelligence collection", "lostkeys", "russian hackers", "captcha", "western governments", "multi-stage infection", "ukraine", "nato" ], "references": [ "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp" ], "public": 1, "adversary": "Callisto", "targeted_countries": [ "Russian Federation", "Ukraine", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 387056, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695ccc8544f275a44d96bd7b", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "", "modified": "2026-01-06T08:49:09.529000", "created": "2026-01-06T08:49:09.529000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": "693417b3b78f8baed9c055c0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693417b3b78f8baed9c055c0", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "In May and June 2025, the intrusion set known as Calisto, also referred to as ColdRiver or Star Blizzard, targeted the French NGO Reporters Without Borders (RSF) through a series of spear phishing attempts. This campaign aligns with Calisto's established tactics, techniques, and procedures (TTPs), primarily involving credential harvesting and potential code execution through methods like the ClickFix technique. These attacks specifically aim at entities supporting Ukraine, indicating the actor's ongoing interest in politically motivated targets.\n\nThe operation against Reporters Without Borders began in March 2025 when the NGO reported a suspicious phishing email received by one of its core members. The email originated from a ProtonMail address designed to mimic a trusted contact, soliciting a review of a non-existent document.", "modified": "2026-01-05T11:00:06.923000", "created": "2025-12-06T11:46:59.940000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681e5cadbf812411c994b448", "name": "Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information", "description": "Google has issued safety alerts to Gmail and Workspace users following a series of high-profile cyber-attack campaigns by a Russian government-backed threat actor, as Amanra reveals its latest findings.", "modified": "2025-06-08T19:03:31.556000", "created": "2025-05-09T19:51:09.004000", "tags": [ "coldriver", "lostkeys", "gtig", "payload", "december", "ngos", "captcha", "soc team", "google threat", "unc4057", "april", "ukraine" ], "references": [ "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Russian Federation" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "359 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68218490a9aec83efb905594", "name": "COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs", "description": "", "modified": "2025-05-12T05:18:08.069000", "created": "2025-05-12T05:18:08.069000", "tags": [ "powershell", "clickfix", "spica", "phishing", "document theft", "credential theft", "lostkeys", "ngos" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense", "NGO", "Media" ], "TLP": "white", "cloned_from": "681ba0e01c36344c7ac60892", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "387 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681c607d87220420feaa2093", "name": "IOC - COLDRIVER Using New Malware To Steal Documents", "description": "", "modified": "2025-05-08T07:42:53.206000", "created": "2025-05-08T07:42:53.206000", "tags": [ "powershell", "clickfix", "spica", "phishing", "document theft", "credential theft", "lostkeys", "ngos" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Government", "Defense", "NGO", "Media" ], "TLP": "white", "cloned_from": "681ba0e01c36344c7ac60892", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "391 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cloudmediaportal.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cloudmediaportal.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780479630.0685093 }