Date: 10/22/2025
Severity: High
Summary
After its LOSTKEYS malware was publicly disclosed in May 2025, the Russian state-sponsored threat group COLDRIVER (also tracked as UNC4057, Star Blizzard and Callisto) adapted quickly: new malware families appeared within five days of the disclosure. The new families, more aggressive than those seen in earlier campaigns, form a rapidly evolving set of related tools linked through a shared delivery chain. The shift shows an accelerated development and operational tempo for COLDRIVER, which has not used LOSTKEYS since it was revealed.
Indicators of Compromise (IOC) List
Type | Indicator
URLs/Domains | viewerdoconline.com
URLs/Domains | documentsec.com
URLs/Domains | documentsec.online
URLs/Domains | onstorageline.com
URLs/Domains | applicationformsubmit.me
URLs/Domains | oxwoocat.org
URLs/Domains | ned-granting-opportunities.com
URLs/Domains | blintepeeste.org
URLs/Domains | preentootmist.org
URLs/Domains | southprovesolutions.com
URLs/Domains | inspectguarantee.org
URLs/Domains | captchanom.top
URLs/Domains | system-healthadv.com
IP Address | 85.239.52.32
SHA-256 Hash | 2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee
SHA-256 Hash | 3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1
SHA-256 Hash | e9c8f6a7dba6e84a7226af89e988ae5e4364e2ff2973c72e14277c0f1462109b
SHA-256 Hash | b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9
SHA-256 Hash | f2da013157c09aec9ceba1d4ac1472ed049833bc878a23bc82fe7eacbad399f4
SHA-256 Hash | 87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48
SHA-256 Hash | c4d0fba5aaafa40aef6836ed1414ae3eadc390e1969fdcb3b73c60fe7fb37897
SHA-256 Hash | bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain and URL indicators):
domainname like "preentootmist.org" or siteurl like "preentootmist.org" or url like "preentootmist.org"
or domainname like "system-healthadv.com" or siteurl like "system-healthadv.com" or url like "system-healthadv.com"
or domainname like "southprovesolutions.com" or siteurl like "southprovesolutions.com" or url like "southprovesolutions.com"
or domainname like "applicationformsubmit.me" or siteurl like "applicationformsubmit.me" or url like "applicationformsubmit.me"
or domainname like "documentsec.online" or siteurl like "documentsec.online" or url like "documentsec.online"
or domainname like "blintepeeste.org" or siteurl like "blintepeeste.org" or url like "blintepeeste.org"
or domainname like "documentsec.com" or siteurl like "documentsec.com" or url like "documentsec.com"
or domainname like "onstorageline.com" or siteurl like "onstorageline.com" or url like "onstorageline.com"
or domainname like "viewerdoconline.com" or siteurl like "viewerdoconline.com" or url like "viewerdoconline.com"
or domainname like "inspectguarantee.org" or siteurl like "inspectguarantee.org" or url like "inspectguarantee.org"
or domainname like "oxwoocat.org" or siteurl like "oxwoocat.org" or url like "oxwoocat.org"
or domainname like "ned-granting-opportunities.com" or siteurl like "ned-granting-opportunities.com" or url like "ned-granting-opportunities.com"
or domainname like "captchanom.top" or siteurl like "captchanom.top" or url like "captchanom.top"

Detection Query 2 (IP address indicator):
dstipaddress IN ("85.239.52.32") or srcipaddress IN ("85.239.52.32")

Detection Query 3 (SHA-256 file hash indicators):
sha256hash IN ("f2da013157c09aec9ceba1d4ac1472ed049833bc878a23bc82fe7eacbad399f4","bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f","3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1","2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee","87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48","e9c8f6a7dba6e84a7226af89e988ae5e4364e2ff2973c72e14277c0f1462109b","b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9","c4d0fba5aaafa40aef6836ed1414ae3eadc390e1969fdcb3b73c60fe7fb37897")
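The queries above are written for the Gurucul platform. For teams that need to sweep the same indicators through logs outside that platform, the following Python script is an added example (not part of the Gurucul advisory or the referenced Google report). It loads the advisory's domains, IP and SHA-256 hashes and runs them over constructed sample records in a hypothetical key=value log format. Two details matter for accuracy: domains are matched by exact name or as a parent of the observed hostname (so cdn.documentsec.online hits, but notdocumentsec.com does not, as a plain substring test would), and hashes are lowercased before comparison so an uppercase value in the telemetry still matches.

```python
import re

# IOC values copied from the advisory above.
IOC_DOMAINS = {
    "viewerdoconline.com", "documentsec.com", "documentsec.online",
    "onstorageline.com", "applicationformsubmit.me", "oxwoocat.org",
    "ned-granting-opportunities.com", "blintepeeste.org",
    "preentootmist.org", "southprovesolutions.com", "inspectguarantee.org",
    "captchanom.top", "system-healthadv.com",
}
IOC_IPS = {"85.239.52.32"}
IOC_SHA256 = {
    "2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee",
    "3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1",
    "e9c8f6a7dba6e84a7226af89e988ae5e4364e2ff2973c72e14277c0f1462109b",
    "b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9",
    "f2da013157c09aec9ceba1d4ac1472ed049833bc878a23bc82fe7eacbad399f4",
    "87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48",
    "c4d0fba5aaafa40aef6836ed1414ae3eadc390e1969fdcb3b73c60fe7fb37897",
    "bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f",
}

# Constructed sample records (hypothetical, not real telemetry). Record 2 is a
# near-miss hostname; record 3 has a subdomain of an IOC domain plus the IOC
# IP; record 4 carries an IOC hash in uppercase.
SAMPLE_LOG = """\
ts=2025-10-22T09:00:01Z src_ip=10.1.2.3 dst_ip=93.184.216.34 host=www.example.com url=https://www.example.com/
ts=2025-10-22T09:00:05Z src_ip=10.1.2.3 dst_ip=198.51.100.7 host=notdocumentsec.com url=https://notdocumentsec.com/login
ts=2025-10-22T09:01:10Z src_ip=10.1.2.9 dst_ip=85.239.52.32 host=cdn.documentsec.online url=https://cdn.documentsec.online/verify
ts=2025-10-22T09:02:44Z src_ip=10.1.2.9 dst_ip=203.0.113.5 host=intranet.corp url=http://intranet.corp/ sha256=2E74F6BD9BF73131D3213399ED2F669EC5F75392DE69EDF8CE8196CD70EB6AEE
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one key=value log line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def domain_hit(hostname):
    """Return the IOC domain that hostname equals or is a subdomain of, else None.

    Walks every label suffix of the name (a.b.c.tld -> a.b.c.tld, b.c.tld,
    c.tld) and stops before the bare TLD, so a lookalike such as
    notdocumentsec.com never matches documentsec.com.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def host_from_url(url):
    """Extract the lowercase hostname from a URL (IPv4/hostnames; no IPv6 literals)."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/?#]+)", url, re.IGNORECASE)
    if not m:
        return None
    authority = m.group(1)
    # Drop userinfo (user:pass@) and the port.
    host = authority.rsplit("@", 1)[-1].split(":")[0]
    return host.lower()


def scan_record(rec):
    """Return a list of (field, ioc) hits for one parsed record."""
    hits = []
    for field in ("host", "domain"):
        if field in rec:
            d = domain_hit(rec[field])
            if d:
                hits.append((field, d))
    if "url" in rec:
        h = host_from_url(rec["url"])
        d = domain_hit(h) if h else None
        if d:
            hits.append(("url", d))
    for field in ("src_ip", "dst_ip"):
        if rec.get(field) in IOC_IPS:
            hits.append((field, rec[field]))
    digest = rec.get("sha256", "").lower()   # normalize case before lookup
    if digest in IOC_SHA256:
        hits.append(("sha256", digest))
    return hits


def scan_log(text):
    """Return [(line_number, hits)] for every record with at least one IOC hit."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            hits = scan_record(parse_record(line))
            if hits:
                results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + ", ".join(f"{f}={v}" for f, v in hits))
```

Run as-is, the script reports line 3 (host, URL and destination IP hits) and line 4 (hash hit) and stays silent on the lookalike in line 2. Swap SAMPLE_LOG for a real proxy, DNS or EDR export in the same key=value shape, or adapt parse_record to your log format; the matching functions do not depend on it.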
Reference:
https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver