Listen to this Post

A Silent Invasion: How Hackers Weaponized KeePass to Breach and Encrypt Corporate Systems
Cybersecurity firm WithSecure has uncovered a stealthy and dangerous cyber campaign that has been ongoing for over eight months, leveraging a compromised version of the popular KeePass password manager. This campaign has enabled threat actors to infiltrate corporate systems, install Cobalt Strike beacons, steal credentials, and eventually deploy ransomware. What makes this discovery even more alarming is how effectively the attackers masked their malicious software under the guise of a legitimate open-source application.
The attackers created a trojanized version of KeePass, called KeeLoader, by modifying its open-source code. This altered version retains full functionality of the original software, making it difficult for users to detect anything suspicious. However, once installed, it quietly deploys Cobalt Strike—a tool often used by red teams and cybercriminals for lateral movement and payload delivery. Furthermore, KeeLoader exports the KeePass password database in plain text and exfiltrates it through a covert beacon.
The infection campaign starts with malicious Bing ads redirecting users to typo-squatted domains like keeppaswrd[.]com and keegass[.]com. These fake websites deliver the infected KeePass installer, tricking users into voluntarily installing malware. Some of the installers are even signed with legitimate digital certificates, adding another layer of authenticity to deceive users.
What tipped off WithSecure researchers was a ransomware attack they were asked to investigate. Their findings pointed directly back to KeeLoader as the initial infection vector. These trojanized installers not only dropped Cobalt Strike but also harvested user credentials directly from KeePass entries. The stolen data included account names, passwords, associated websites, and user notes, which were saved in CSV format before being exfiltrated.
The campaign appears to be linked to a threat actor known as UNC4696, previously associated with other high-profile malware loaders such as Nitrogen Loader and the BlackCat/ALPHV ransomware group. The attackers used a wide infrastructure with domains impersonating legitimate services like WinSCP, Phantom Wallet, and Sallie Mae to distribute various malware variants or collect stolen credentials.
WithSecure attributes the Cobalt Strike watermark found in this campaign to an Initial Access Broker working with Black Basta, a ransomware group responsible for multiple enterprise breaches. Despite the watermark not being seen in other attacks, its consistent use suggests a close partnership between the threat actors and ransomware syndicates.
What Undercode Say:
This campaign is a prime example of how open-source software can be weaponized in cybercrime. KeePass, being a free and trusted password manager, was an ideal target. By altering its codebase without changing its core functionality, the attackers created a near-perfect clone that functions normally for the user but secretly performs devastating tasks in the background.
What’s particularly chilling is the
KeeLoader’s ability to steal plaintext password database exports poses catastrophic risks. Users often trust password managers with the keys to their digital lives. By extracting CSV files containing all credentials, the attackers gain full access to email, banking, work systems, and more. With such comprehensive access, launching ransomware attacks becomes a mere formality.
The attackers also employed typosquatting, a long-standing but still effective tactic. Domains like keegass[.]com closely mimic legitimate ones, exploiting user haste or spelling errors. Adding to the deception, the malware was signed with legitimate certificates—indicating that threat actors are now capable of manipulating or acquiring digital certs to further hide malicious intent.
Infrastructure behind this campaign is vast. The aenys[.]com domain and its subdomains masqueraded as trustworthy companies. This mirrors classic phishing tactics where users are tricked into entering credentials or downloading malware from cloned login portals or software pages.
Another major concern is the involvement of Initial Access Brokers (IABs). These cybercriminal middlemen specialize in breaching networks and selling access to ransomware groups like Black Basta. The Cobalt Strike watermark found in KeeLoader installations suggests a direct line between the attackers and high-tier ransomware cartels.
This campaign underscores the urgent need for users and organizations to adopt zero trust policies. No advertisement, search result, or download should be trusted without verification. Organizations must emphasize downloading software directly from vendor sites and cross-checking digital signatures. Routine validation of security tools and active monitoring for beacon-like activity are critical steps in minimizing exposure.
Fact Checker Results: ✅🔍
The KeePass campaign is real and has been active for over 8 months.
Cobalt Strike beacons tied to Black Basta were confirmed via watermark tracing.
Active malicious domains are still online, verified through VirusTotal.
Prediction: 🔮
Cybercriminals will increasingly exploit open-source software due to its accessibility and trust factor. Future campaigns may replicate this model with other tools like 7-Zip, FileZilla, or Audacity. Expect a rise in ad-driven malware distribution and advanced phishing infrastructures. As threat actors refine their deception tactics, users will need to become even more cautious—particularly when it comes to software downloads and search engine ads.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




