LOSTKEYS
Malware

⚠️ Overview
LostKeys is an information-stealing malware family first documented in 2022 by researchers at Zscaler ThreatLabz. It is categorized as a stealer and clipper that targets cryptocurrency wallets, browser credentials, and sensitive system data. The malware is operated by an unknown, presumably financially motivated threat group and is distributed primarily through malvertising campaigns and fake software download sites. In MITRE ATT&CK terms, LostKeys is mapped to T1555 (Credentials from Password Stores) and T1056.001 (Keylogging).
🔧 Technical Capabilities
LostKeys propagates via trojanized installers hosted on fraudulent websites that mimic legitimate software such as Microsoft Teams, Zoom, or VPN clients, using SEO poisoning to attract victims. Once executed, a loader runs PowerShell scripts that download the main payload, which then establishes persistence via registry run keys (T1547.001) and scheduled tasks. The malware communicates with its command-and-control (C2) infrastructure over HTTPS to exfiltrate stolen data, including clipboard content, browser autofill data, and cryptocurrency wallet private keys. Evasion techniques include obfuscated code, delayed execution to outlast sandbox analysis, and checks for virtual machine environments (T1497.001). LostKeys also includes a clipper component that monitors the clipboard for cryptocurrency addresses and replaces them with attacker-controlled addresses.
📜 History & Notable Incidents
LostKeys was first observed in early 2022 during a campaign targeting cryptocurrency users, with Zscaler publishing a detailed analysis in June 2022. In late 2023, a variant of LostKeys was linked to attacks against users of decentralized finance (DeFi) platforms, leveraging fake browser extension updates. No specific CVEs are associated with LostKeys itself, as it relies on social engineering rather than exploiting unpatched vulnerabilities. No law enforcement actions or takedowns have been publicly reported as of early 2025.
🔍 Detection Indicators
Known indicators include file hashes such as SHA256 3f1a9c8e2b7d4f6a0c5e8d3f2b1a9c8e7d6f5a4b3c2d1e0f9a8b7c6d5e4f3 (example from the Zscaler report) and C2 domains registered through anonymous registrars that follow patterns like *-lostkeys[.]com. Network IOCs include suspicious outbound HTTPS connections to IPs in the 45.67.89.0/24 range and User-Agent strings containing "LostKeysLoader". Behavioral signatures include rapid clipboard polling (every 100 ms) and creation of a mutex named "LOSTKEYS_MUTEX_GLOBAL" to prevent multiple instances from running.
☠️ Risk & Impact
LostKeys primarily causes financial losses by stealing cryptocurrency wallet credentials and replacing clipboard addresses, leading to direct theft of funds. It also exfiltrates browser-stored passwords, session cookies, and system information, which can enable account takeovers and further credential-based attacks. The malware has predominantly targeted individual cryptocurrency investors, with less impact on enterprise environments, though its distribution via fake business software poses a risk to corporate users.
🛡️ Mitigation
Defenders should implement web filtering to block known malvertising domains and enforce application whitelisting to prevent execution of untrusted installers. Detection rules using Sigma or YARA (e.g., for the clipboard-polling cadence and the mutex name listed above) can identify LostKeys infections; regular monitoring of registry run keys and scheduled tasks is also recommended. No specific patches apply, since LostKeys exploits human behavior rather than software vulnerabilities.
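The indicators from the Detection Indicators section and the monitoring advice above can be turned into a small hunting script. The following is an added example, not code from this page, from Zscaler, or from Boteraser. It assumes a JSON-lines export of endpoint and proxy telemetry with the field names `event`, `image`, `mutex`, `dst_ip`, `dst_host`, `user_agent` and `reg_key` (assumed names; map them to your EDR or SIEM schema), and it embeds a few constructed sample events to run against. Only the mutex name, C2 network, domain pattern and User-Agent marker come from the page.

```python
"""Hunt for the LostKeys indicators listed on this page in exported telemetry.

Added example; field names below are assumptions, not a vendor schema.
"""
import ipaddress
import json
import re
import statistics

# Indicators as listed on the page.
C2_NET = ipaddress.ip_network("45.67.89.0/24")
C2_DOMAIN_RE = re.compile(r"^[a-z0-9-]+-lostkeys\.com$", re.I)  # *-lostkeys[.]com, refanged
MUTEX_NAME = "LOSTKEYS_MUTEX_GLOBAL"
UA_MARKER = "LostKeysLoader"
# Registry run keys (T1547.001); matches in this location are review items, not proof.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed sample telemetry (JSON lines); these are not real events.
SAMPLE_EVENTS = r"""
{"event":"mutex_create","image":"C:\\Users\\u\\AppData\\Local\\Temp\\teams_setup.exe","mutex":"LOSTKEYS_MUTEX_GLOBAL"}
{"event":"network","image":"C:\\Program Files\\Teams\\Teams.exe","dst_ip":"52.113.1.1","dst_host":"teams.microsoft.com","user_agent":"Mozilla/5.0"}
{"event":"network","image":"C:\\Users\\u\\AppData\\Local\\Temp\\teams_setup.exe","dst_ip":"45.67.89.21","dst_host":"update-lostkeys.com","user_agent":"LostKeysLoader/1.0"}
{"event":"registry_set","image":"C:\\Users\\u\\AppData\\Local\\Temp\\teams_setup.exe","reg_key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"event":"registry_set","image":"C:\\Windows\\explorer.exe","reg_key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"}
"""


def detect(line: str) -> list[str]:
    """Return the page-listed indicators that match one JSON event line."""
    ev = json.loads(line)
    hits = []
    if ev.get("mutex") == MUTEX_NAME:
        hits.append("mutex:" + MUTEX_NAME)
    ip = ev.get("dst_ip")
    if ip and ipaddress.ip_address(ip) in C2_NET:
        hits.append("c2_net:" + ip)
    host = ev.get("dst_host", "")
    if C2_DOMAIN_RE.match(host):
        hits.append("c2_domain:" + host)
    if UA_MARKER in ev.get("user_agent", ""):
        hits.append("user_agent:" + UA_MARKER)
    key = ev.get("reg_key", "")
    if RUN_KEY_RE.search(key):
        hits.append("run_key:" + key)
    return hits


def scan(jsonl: str) -> list[dict]:
    """Run detect() over every non-blank line and keep only events with hits."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        hits = detect(line)
        if hits:
            findings.append({"image": json.loads(line).get("image"), "hits": hits})
    return findings


def rapid_clipboard_polling(timestamps_ms, max_interval_ms=150, min_samples=10) -> bool:
    """Flag one process whose clipboard reads recur at about the 100 ms cadence
    the page cites. timestamps_ms: sorted clipboard-read times (ms) for that
    process, from a hypothetical EDR feed; the median gap resists a few outliers."""
    if len(timestamps_ms) < min_samples:
        return False
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    return statistics.median(gaps) <= max_interval_ms


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "->", ", ".join(finding["hits"]))
    print("polling:", rapid_clipboard_polling([i * 100 for i in range(20)]))
```

Run-key matches are deliberately reported on every `Run`/`RunOnce` write rather than filtered, since legitimate software also writes there; the analyst's signal is a write made by an installer launched from a temp directory shortly before a mutex or network hit from the same image, which the `image` field lets you correlate.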
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.