Russian state-sponsored APT group Star Blizzard has been using the ClickFix technique to distribute new information stealer malware, Google warns.
Also known as UNC4057, Callisto, Coldriver, and Seaborgium, and active since at least 2019, Star Blizzard was publicly linked to Russia’s Federal Security Service (FSB) by the US in December 2023. In October 2024, over 100 domains the APT used for spear-phishing were seized.
Known for targeting academic organizations, NATO governments, NGOs, and think tanks for intelligence collection, mainly from email accounts, the threat actor would deliver malware and attempt to access system files only in select cases.
Recent campaigns, Google says, targeted “current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs”, as well as individuals connected to Ukraine.
In attacks observed in January, March, and April 2025, Star Blizzard delivered a new malware family named LostKeys as part of a multi-step infection chain that begins with a lure webpage containing a fake Captcha and employing the known ClickFix technique to execute malicious code.
JavaScript code on the page automatically copies a malicious PowerShell command to the clipboard, while the victim is instructed to verify they are human by opening the Run prompt on Windows, to paste and execute the PowerShell command.
The ClickFix technique was initially observed in October 2023, but its mass adoption by threat actors started in August 2024, spiking since the beginning of this year. Both cybercrime and state-sponsored groups have been using it.
“Users should exercise caution when encountering a site that prompts them to exit the browser and run commands on their device, and enterprise policies should implement least privilege and disallow users from executing scripts by default,” Google notes.
As part of Star Blizzard’s attacks, the first-stage PowerShell executes code that performs device checks, likely for VM evasion, and fetches a third-stage payload responsible for retrieving and decoding the final payload, the LostKeys malware.
“It is a piece of malware that is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker,” Google notes.
The internet giant also says that LostKeys “is only deployed in highly selective cases” and that it can also steal documents from the infected systems.
Google’s analysis has revealed links to two malware samples dating to December 2023, which use a different execution chain to run the LostKeys malware.
“It is currently unclear if these samples from December 2023 are related to COLDRIVER, or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025,” Google notes.
Related: France Blames Russia for Cyberattacks on Dozen Entities
Related: Russian Espionage Group Using Ransomware in Attacks
Related: Russian Ransomware Gang Exploited Windows Zero-Day Before Patch
Related: Russian Firm Offers $4 Million for Telegram Exploits