Fake KeePass turned into a Trojan horse for Cobalt Strike: passwords stolen and VMware ESXi servers encrypted by Black Basta/BlackCat.

Cybercriminals distributed a malicious KeePass installer via Bing ads, gaining full access to victim systems through the built-in KeeLoader backdoor. WithSecure researchers discovered a campaign that used a modified KeePass build — KeeLoader — to install Cobalt Strike, export the password database to CSV, and then encrypt ESXi servers. The KeeLoader installer was distributed via advertisements pointing at the typosquatting domains keeppaswrd[.]com, keegass[.]com, and KeePass[.]me.
The program looked genuine, but it silently exfiltrated logins, passwords, and the websites they belonged to. The criminals also built an infrastructure of fake websites impersonating WinSCP, Phantom Wallet, Sallie Mae, and others to distribute further malware and phishing pages.
KeePass is a popular open-source password manager, so anyone can compile their own build. The attackers took advantage of this openness to integrate backdoors. A key attribution clue was the Cobalt Strike watermark, which points to initial access brokers associated with Black Basta/ALPHV (BlackCat), both known ransomware groups.
Users should refrain from downloading from sponsored links — even if the URL looks legitimate. KeeLoader shows that attackers adapt legitimate software to their own needs, using signing certificates and reputation to bypass checks. Only download programs from official websites.
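As an added defender-side illustration (not part of the article or of WithSecure's research), the script below flags domains that look like the official KeePass site, using the three typosquatting domains named above as constructed test input. It assumes keepass.info is the legitimate domain and that a difflib similarity ratio of 0.7 is a reasonable flagging threshold; both are tunable assumptions, and the same logic can be run over proxy or DNS logs.

```python
# Added example: spot KeePass lookalike domains such as those used to serve KeeLoader.
# Assumptions (not from the article): keepass.info is the official site; the 0.7
# similarity threshold is a tunable starting point, not a validated cut-off.
import difflib
import re

OFFICIAL = "keepass.info"


def refang(domain: str) -> str:
    """Turn defanged notation such as 'keegass[.]com' into 'keegass.com', lower-cased."""
    return re.sub(r"\[\.\]", ".", domain.strip()).lower()


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'keegass' from 'www.keegass.com'."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str, official: str = OFFICIAL, threshold: float = 0.7) -> bool:
    """True if the domain imitates the official brand label on a different registration."""
    d = refang(domain)
    if d == official or d.endswith("." + official):
        return False  # the real site or one of its subdomains
    brand = registrable_label(official)  # 'keepass'
    label = registrable_label(d)
    if label == brand:
        return True  # exact brand on a foreign TLD, e.g. keepass[.]me
    # Near-miss spellings: keegass (one substitution), keeppaswrd (keep + pas + noise).
    ratio = difflib.SequenceMatcher(None, label, brand).ratio()
    return ratio >= threshold


def flag_lookalikes(domains):
    """Return the subset of domains that is_lookalike() flags, in input order."""
    return [d for d in domains if is_lookalike(d)]


# Constructed sample: the three domains from the article plus benign ones.
SAMPLE = ["keeppaswrd[.]com", "keegass[.]com", "KeePass[.]me",
          "keepass.info", "downloads.keepass.info", "example.com"]

if __name__ == "__main__":
    for d in flag_lookalikes(SAMPLE):
        print("lookalike:", d)
```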