A group of malicious actors has been targeting PCs with a maliciously altered version of the KeePass password manager, enabling them to steal credentials and lock victims out of their systems to demand ransom payments.
According to WithSecure’s Threat Intelligence team, the campaign has been active for at least eight months. During this time, attackers have been distributing trojanized KeePass installers to deploy Cobalt Strike beacons, exfiltrate credentials, and ultimately launch ransomware attacks across compromised networks.
The campaign was uncovered during a ransomware investigation, where WithSecure traced the infection chain back to a fake KeePass installer. This installer was promoted via Bing ads that directed users to fraudulent software websites designed to mimic legitimate download pages.
Because KeePass is open source, the attackers were able to modify its source code and recompile it with trusted certificates to create a malicious version dubbed “KeeLoader.” This variant retains all standard KeePass functionality, making it difficult to detect. However, it includes hidden functionality that installs a Cobalt Strike beacon and silently exports the user’s KeePass password database in cleartext. The stolen data is then exfiltrated through the beacon.
WithSecure described this as the first ransomware campaign they’ve seen in which the source code of a widely used open-source tool was deliberately modified to serve multiple malicious purposes.
Of particular concern, WithSecure said, is that the legitimate source code of the popular KeePass password manager was altered and recompiled. The resulting version was then distributed via malvertising and installed multiple times across several of its customers. In similar cases, attackers usually drop malicious files alongside legitimate software, but this campaign directly trojanized the core application itself.
The infrastructure used in the attack was linked to a well-known Initial Access Broker (IAB) that WithSecure believes is behind numerous high-profile ransomware attacks over the past two years. Notably, the Cobalt Strike watermark used in this campaign is one previously observed in activity associated with the Black Basta ransomware group.
This watermark consistently appears in beacons and domains tied to Black Basta ransomware,” WithSecure explained. It is likely being used by threat actors operating as Initial Access Brokers who work closely with Black Basta.
While WithSecure hasn’t seen this specific watermark in other campaigns, that doesn’t mean it hasn’t been used elsewhere.
A Powerful Example of Identity Misuse
Rom Carmel, Co-Founder and CEO at Apono, calls this “a powerful example of how identity misuse, not just malware, is at the core of modern ransomware attacks.”
Carmel says the attack hinged on identity and credential compromise. “By trojanizing KeePass, attackers gained access to a trove of stored credentials, including admin accounts, service accounts, and API keys, giving them the ability to move laterally and escalate privileges. These credentials, often lacking MFA or proper access controls, enabled attackers to access and encrypt critical infrastructure like ESXi servers. The lesson learned: this breach highlights how unmanaged credentials and overprivileged identities, both human and non-human, are prime targets and key enablers in modern ransomware campaigns.”
Problematic From Several Angles
Boris Cipot, Senior Security Engineer at Black Duck says this case presents a cybersecurity issue that is problematic from several angles. “It touches on open source usage and development, it shows our trust in false advertising, and it showcases the vast capabilities cybercriminals have by exploiting the two.”
Cipot says the malicious password manager was created out of legit OSS called KeePass. The malicious software was then advertised online and waited for victims that believed it was a legitimate password manager. Once a victim installed the malicious password manager, downloaded and deployed the Cobalt Strike tool for command and control and exported the existing KeePass password database in clear text, the attackers gained access to networks, VPNs, and cloud services.
The attackers focused on VMWare ESXi servers where they deployed their ransomware payloads, he adds. “By gathering the passwords stored in KeePass, the attackers had access to the hosts running on those ESXi servers and with this they could start a highly disruptive and efficient attack on hundreds of targets without needing to attack individual, virtual machines.”
Never Blindly Trust Advertisements
Lessons learned are many, says Cipot. However, the most important ones are to never blindly trust advertisements (this also applies to emails or other forms of messaging) and to not assume that OSS, although it is available to the public, is safe. It’s essential to ensure uncompromised trust in software and to know the software you use, be it commercial or OSS, know where it comes from and make sure that it is legit before you apply it to your own development or to your computer.
A Textbook Identity Attack
Jason Soroko, Senior Fellow at Sectigo, says: “Threat actors lured victims to a look-alike KeePass download site advertised on Bing. The tainted installer, called KeeLoader, ran the real password manager while silently launching a Cobalt Strike beacon and dumping the entire KeePass database to disk in clear text. The beacon exfiltrated those credentials, letting the intruders authenticate over SSH, RDP and SMB, drop more beacons and escalate until they controlled vCenter and backup services. With the same Black Basta-linked watermark seen in past incidents, the operators executed a ransomware payload that encrypted VMware ESXi datastores, taking down the VMs in one action.”
Soroko says the breach is a textbook identity attack. “By turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys and service-account secrets that function as the organisation’s digital identities. Those stolen identities negated perimeter controls, neutralised Veeam backups and enabled hypervisor-level ransomware deployment.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.