Downloading programs is an easy enough task, but only if you’re using official websites or app stores. If you use third-party sources or torrents, this fake password manager is a good reminder of why the official sources are best.
This Password Manager Steals Your Passwords
Security researchers at WithSecure have discovered a malware campaign in which hackers have been delivering trojanized versions of the KeePass password manager since at least October 2024. These versions install malware called Cobalt Strike along with the password manager, which can steal saved passwords and other credentials from your PC and deploy ransomware on your network.
Since KeePass is open source, hackers easily accessed the source code to create a convincing clone. This malicious version is called KeeLoader and contains all of KeePass’ functionality, except it saves all your passwords as a text file and sends them to hackers using Cobalt Strike beacons.
The distribution is handled by fake websites that use typo-squatted domains like the following:
- keeppaswrd.com
- keegass.com
- KeePass.me
- keespass.biz
- keebass.com
- KeePassx.com
Some of these domains are still active and distributing fake versions of KeePass. For context, the legitimate KeePass website is at keepass.info. The fake websites were available via Microsoft’s Bing search engine. WithSecure claims that the fake domains were being served through DuckDuckGo advertisements. However, given that Microsoft and DuckDuckGo have formed a partnership on Microsoft-provided ads, it’s also likely that they were advertised with Bing as well.
The entire campaign came to light during WithSecure’s investigation of a ransomware incident at a European IT service provider. It turned out that the fake password manager not only stole credentials but also installed ransomware on the company’s VMware ESXi servers. WithSecure noted that this is the first instance of an open-source password manager being used simultaneously as a credential-stealing tool and malware loader.
Watch Where You Get Your Programs
You can use your browser’s password manager with precautions, but using a dedicated program is a much more secure alternative. Hackers target password managers for exactly this reason—it puts risk where you least expect it, meaning they can catch you off guard.
Related
Don’t Fall for This Master Password Reset Email
1Password users are under attack, but it’s relatively simple to keep your account safe.
You should always download all programs, especially sensitive ones like your password manager, from their official websites or the app store based on your platform. Downloading software and games from third-party websites or torrents always runs the risk of your program coming with a side of malware.
As an added precaution, I’d also recommend you avoid clicking on ads and sponsored links that encourage you to download a program. Even if the ad shows the legitimate URL for the program, hackers have repeatedly shown that they can bypass ad policies and display legitimate URLs while still redirecting you to fake sites.
