Fake KeePass Installer Used to Deploy Ransomware via Cobalt Strike

Hackers have been spreading a malicious version of the KeePass password manager for over eight months, using it to steal login credentials and install ransomware.

This altered version, named KeeLoader, keeps all of KeePass's normal functionality but also deploys Cobalt Strike beacons and exports the stored credentials in plaintext.

The malware was distributed through deceptive Bing ads that led victims to fake KeePass websites using typo-squatted domains like keeppaswrd[.]com.
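The lookalike domain above is a plain typosquat of the brand name. As an added example (not code from the article or from WithSecure), the script below flags domains from a DNS or proxy log whose registrable label is within a couple of edits of "keepass" but is not on an allowlist of official domains. It uses approximate substring matching (Sellers' algorithm) so that labels with extra words, such as a hypothetical keepass-download, are caught as well. The allowlist entry keepass.info and every sample domain except keeppaswrd[.]com are assumptions made for this example.

```python
"""Typosquat check for KeePass lookalike domains (added example).

Illustrative script, not code from the article or from WithSecure. Given
domains seen in DNS or proxy logs, it flags any whose registrable label is
within MAX_EDITS of the brand name and is not an official domain. The
allowlist and the constructed sample domains (other than keeppaswrd[.]com,
which the article names) are assumptions.
"""
import re

BRAND = "keepass"
# Assumption: keepass.info is the only domain treated as official here.
ALLOWLIST = {"keepass.info"}
# Max edits between BRAND and any substring of the label before we flag it.
MAX_EDITS = 2


def refang(domain: str) -> str:
    """Turn defanged forms like keeppaswrd[.]com back into a real hostname."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain.strip().lower())


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD (simplification: ignores co.uk-style suffixes)."""
    host = refang(domain)
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0]
    labels = [part for part in host.split(".") if part]
    return labels[-2] if len(labels) >= 2 else host


def fuzzy_substring_distance(needle: str, haystack: str) -> int:
    """Minimum edit distance between needle and any substring of haystack.

    Sellers' algorithm: the first DP row is all zeros so a match may start
    anywhere in haystack, and the best end position is the row minimum.
    """
    prev = [0] * (len(haystack) + 1)
    for i, nc in enumerate(needle, 1):
        cur = [i] + [0] * len(haystack)
        for j, hc in enumerate(haystack, 1):
            cost = 0 if nc == hc else 1
            cur[j] = min(prev[j] + 1,          # drop a needle character
                         cur[j - 1] + 1,       # absorb an extra haystack character
                         prev[j - 1] + cost)   # match or substitute
        prev = cur
    return min(prev)


def is_lookalike(domain: str) -> bool:
    """True if the domain impersonates BRAND and is not an official domain."""
    host = refang(domain)
    if host in ALLOWLIST:
        return False
    return fuzzy_substring_distance(BRAND, registrable_label(host)) <= MAX_EDITS


def flag_lookalikes(domains) -> list:
    """Return the subset of domains that look like impersonations of BRAND."""
    return [d for d in domains if is_lookalike(d)]


if __name__ == "__main__":
    # Constructed sample; only keeppaswrd[.]com comes from the article.
    seen = ["keepass.info", "keeppaswrd[.]com", "keepas.org",
            "keepass-download.com", "example.com"]
    for d in flag_lookalikes(seen):
        print("lookalike:", d)
```

In practice the allowlist should be the organisation's approved download sources, and a hit is a reason to block the download and check for the KeeLoader behaviour described above rather than proof of compromise on its own.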

Researchers at WithSecure linked the campaign to a threat group likely collaborating with Black Basta ransomware operators, based on unique Cobalt Strike identifiers.

The attack culminated in ransomware that encrypted VMware ESXi servers, and the campaign relied on a wide infrastructure of fake sites impersonating well-known services to distribute further malware.

Users are strongly urged to avoid downloading software from advertisements and only use trusted, official sources.
