Wednesday, May 21, 2025

Cybersecurity experts from WithSecure have issued a warning about a cyberattack campaign involving a fake version of the popular password manager KeePass. The attackers modified the open-source KeePass code to produce a trojanized build dubbed "KeeLoader", which retains the full functionality of the original software but adds malicious code. That code installs a Cobalt Strike beacon (a remote command-and-control implant) and silently exfiltrates the contents of the victim's password database in plaintext.
The campaign begins with malicious ads on Bing, directing users to spoofed websites that closely mimic legitimate software download portals. These fake domains include:
keeppaswrd[.]com
keegass[.]com
KeePass[.]me
At the time of the report these domains remained active and were still distributing the malicious KeePass installer. In addition to delivering Cobalt Strike, KeeLoader is designed to capture input from the victim, extract the password data, convert it to CSV format, and export it to attacker-controlled servers.
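One practical use of the indicators above is to hunt for them in web-proxy or DNS logs. The script below is an added example, not code from WithSecure or the KeePass project: it refangs the domains quoted in this article, matches log hosts against them (including subdomains, which is how look-alike brands were hosted under aenys[.]com), and additionally flags any host whose second-level label is within a small edit distance of "keepass" while not being the genuine keepass.info site, so typosquats that are not yet on an indicator list still surface. The log record format, the edit-distance threshold, and the sample lines are assumptions made for the example.

```python
"""Hunt web-proxy log lines for the KeeLoader domains and KeePass look-alikes.

Constructed example: the indicator list is the one quoted in the article; the
log format, the look-alike threshold and the sample lines are assumptions.
"""
import re
from typing import Dict, List

# Defanged domains reported in the article. Refanged (lower-cased, "[.]" -> ".") before matching.
DEFANGED_IOCS = ["keeppaswrd[.]com", "keegass[.]com", "KeePass[.]me", "aenys[.]com"]

# The genuine project site; it and its subdomains are never flagged.
LEGIT_HOSTS = {"keepass.info"}
BRAND = "keepass"
MAX_DISTANCE = 2  # assumed edit-distance threshold for a look-alike label

URL_RE = re.compile(r"https?://([^/\s:]+)")  # host part of a URL, port dropped


def refang(indicator: str) -> str:
    """'KeePass[.]me' -> 'keepass.me', so it can be compared with a log host."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


IOCS = {refang(d) for d in DEFANGED_IOCS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label ('download.keegass.com' -> 'keegass').
    Naive on purpose: multi-part public suffixes such as co.uk are not handled."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str) -> List[str]:
    """Return the reasons a host is suspicious (empty list means clean)."""
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return []
    reasons = []
    if host in IOCS:
        reasons.append("known-ioc")
    elif any(host.endswith("." + ioc) for ioc in IOCS):
        reasons.append("ioc-subdomain")  # e.g. brand look-alikes hosted under aenys[.]com
    if levenshtein(registrable_label(host), BRAND) <= MAX_DISTANCE:
        reasons.append("keepass-lookalike")  # catches typosquats not yet on the IOC list
    return reasons


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Scan '<timestamp> <client> <method> <url>' records; return only flagged ones."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        reasons = classify_host(host)
        if reasons:
            hits.append({"line": number, "host": host.lower(), "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-05-20T09:12:01Z 10.1.2.3 GET https://keepass.info/download.html",
    "2025-05-20T09:13:44Z 10.1.2.3 GET https://keegass.com/download/setup.exe",
    "2025-05-20T09:15:09Z 10.1.2.7 GET https://download.keeppaswrd.com/setup.exe",
    "2025-05-20T09:20:30Z 10.1.2.9 GET https://files.aenys.com/winscp/",
    "2025-05-20T09:21:02Z 10.1.2.9 GET https://KeePass.me/",
    "2025-05-20T09:25:15Z 10.1.2.4 GET https://keepas.net/",
    "2025-05-20T09:26:50Z 10.1.2.4 GET https://example.com/",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} -> {', '.join(hit['reasons'])}")
```

Note that the exact-indicator and look-alike rules are deliberately independent: keeppaswrd[.]com is far from "keepass" in edit distance and is only caught by the indicator list, while a constructed host such as keepas.net is on no list and is only caught by the distance rule. The label extraction is naive about public suffixes, so adapt it (or use a public-suffix library) before running it against production logs.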
Experts have attributed the campaign to a threat group tracked as UNC4696, which has a history of affiliations with Black Basta ransomware and the Nitrogen Loader malware campaign. Researchers also found that the attackers used the domain aenys[.]com to build out a broader infrastructure masquerading as tools or services from well-known software brands such as WinSCP, Phantom Wallet, and DEX Screener.
In the final stage of the attack, compromised systems, particularly VMware ESXi servers, are encrypted with ransomware.
Users are strongly advised not to download software from ads or unofficial websites, even when the URL looks legitimate: attackers can manipulate ad systems to display convincing but fake links. Obtain critical software such as a password manager only from the vendor's official site, and compare the downloaded file's hash with the value the project publishes before installing it.