Threat actors have been distributing a trojanised version of KeePass, a popular open-source password manager, for at least eight months to install Cobalt Strike beacons, steal credentials, and deploy ransomware across compromised networks.
A research firm uncovered the campaign during an investigation into a ransomware incident. They determined that the attack originated from a malicious installer promoted via online advertisements, which directed users to fraudulent software distribution sites.
Because the targeted password manager is open source, attackers could modify its source code to create a tampered build, tracked as KeeLoader. While it retained full password management functionality, the altered version also installed a Cobalt Strike beacon and exported password database contents in cleartext, which were then exfiltrated.
The cybersecurity firm linked the Cobalt Strike watermarks used in the campaign to an Initial Access Broker (IAB) believed to have prior associations with well-known ransomware operations. These watermarks are unique identifiers tied to the licence used to generate each beacon payload.
Moreover, the investigation uncovered several variants of KeeLoader signed with legitimate code-signing certificates and distributed through typo-squatting domains such as keeppaswrd[.]com, keegass[.]com, and KeePass[.]me. It was confirmed that one domain remains active and hosts the malicious installer.
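One defensive check that follows from the domains quoted above: compare the registrable label of an ad-landing or download domain against the brand it claims, and flag lookalikes. This is an added example, not code from the article or the research firm; the three typo-squatting domains are taken from the report, while the allow-list (assuming keepass.info is the official site), the benign domains and the 0.8 threshold are constructed for illustration.

```python
"""Flag download/ad-landing domains that resemble a brand's official site."""

BRAND = "keepass"
# Allow-list of official download domains (assumption: the article does not
# name KeePass's official site, keepass.info is assumed here).
OFFICIAL = {"keepass.info"}

# Lookalike domains quoted in the article (defanged), plus constructed benign
# entries to show what is *not* flagged.
SAMPLE_DOMAINS = [
    "keeppaswrd[.]com",
    "keegass[.]com",
    "KeePass[.]me",
    "keepass.info",
    "example.org",
]


def refang(domain: str) -> str:
    """Normalise a possibly defanged domain: KeePass[.]me -> keepass.me."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def lcs_length(a: str, b: str) -> int:
    """Longest common subsequence length (order preserved, gaps allowed)."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def brand_coverage(label: str, brand: str = BRAND) -> float:
    """Fraction of the brand's letters that appear, in order, inside the label."""
    return lcs_length(label, brand) / len(brand)


def classify(domain: str, brand: str = BRAND, threshold: float = 0.8) -> str:
    """Return 'official', 'lookalike: ...', 'unrelated' or 'invalid'."""
    d = refang(domain)
    if d in OFFICIAL:
        return "official"
    labels = d.split(".")
    if len(labels) < 2 or not all(labels):
        return "invalid"
    sld = labels[-2]                      # registrable label, e.g. "keegass"
    if sld == brand:
        return "lookalike: brand on unofficial TLD"
    # Length guard keeps long unrelated labels from matching by chance.
    if len(sld) <= len(brand) + 5 and brand_coverage(sld, brand) >= threshold:
        return "lookalike: resembles brand"
    return "unrelated"


if __name__ == "__main__":
    for dom in SAMPLE_DOMAINS:
        print(f"{dom:20} {classify(dom)}")
```

Subsequence coverage is deliberately tolerant of inserted and swapped letters (keeppaswrd scores 6/7 against keepass), so anything above the threshold that is legitimate belongs on the allow-list rather than in a lower threshold.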
The compromised KeePass also enabled data theft.
In addition to beacon deployment, the trojanised KeePass contained credential-harvesting capabilities that captured user login details.
The report noted that when a password database was accessed, associated data, including usernames, passwords, URLs, and comments, was exported in CSV format to a hidden file under the local application data directory.
The specific ransomware attack under investigation led to the encryption of virtualised servers within the victim organisation’s IT infrastructure.
Subsequent analysis revealed a broader ecosystem used to spread malware disguised as legitimate tools and to host phishing pages designed for credential theft. A central domain was found hosting subdomains that impersonated various well-known services across finance, file management, cryptocurrency, and other sectors.
Each impersonation was used to distribute different malware variants or to facilitate phishing. With moderate confidence, the threat activity has been attributed to a known threat group previously involved in loader-based malware campaigns.
Past operations by this group have also been associated with well-documented ransomware families.
Cybersecurity experts advise users to download software, particularly security-sensitive tools like password managers, only from official websites.
Even when online ads appear to show legitimate URLs, users should remain cautious, as adversaries have repeatedly exploited ad platforms to redirect users to fraudulent lookalike domains.
