Trust becomes an attack vector in the new campaign using trojanized KeePass

A known crew of cybercriminals has weaponized the widely used, open-source KeePass password manager with malware to steal passwords and lock down computers for ransom.

Victims were tricked through Bing advertisements to install the trojanized software, KeeLoader, only to have their credentials siphoned and their systems hijacked, according to a WithSecure research.

“In February 2025, WithSecure’s Incident Response team responded to a ransomware attack,” said WithSecure researchers in a report. “While performing analysis on the artifacts used in the attack, WithSecure Threat Intelligence (W/TI) discovered a previously undocumented, trojanised malware loader being deployed to drop post-exploitation malware, and exfiltrate cleartext password manager databases.”

In a months-long campaign, threat actors distributed a modified KeePass build, recompiled with trusted certificates, that kept the normal password management features while also carrying a Cobalt Strike beacon and exfiltrating password databases in cleartext.

A familiar face with a hidden sting

It looked like KeePass, it acted like KeePass, but under the hood, KeeLoader was anything but. The trojanized installer was cleverly promoted through Bing ads pointing to fake KeePass websites, luring unsuspecting users into downloading it as legitimate software.

“The malicious software was advertised online and waited for victims who believed it was a legitimate password manager,” said Boris Cipot, senior security engineer at Black Duck. “Once a victim installed the malicious password manager, downloaded and deployed the Cobalt Strike tool for command and control, and exported the existing KeePass password database in clear text, the attackers gained access to networks, VPNs, and cloud services.”

It is essential to ensure uncompromised trust in software and to know the software you use, be it commercial or open source: know where it comes from and make sure that it is legitimate before you apply it to your own development or to your computer, Cipot added.

WithSecure said that the Cobalt Strike watermarks used in this campaign are linked to an IAB that is believed to be associated with Black Basta ransomware attacks in the past.

WithSecure’s Incident Response team was called in after ransomware encrypted VMware ESXi datastores at a European IT provider. The attackers had used stolen KeePass credentials to access hypervisors directly, bypassing individual VMs and launching a fast-moving, wide-scale attack.

Identity is the new perimeter

Once KeeLoader stole vault credentials, often including domain admin, vSphere, and backup service accounts, attackers moved fast. Using SSH, RDP, and SMB protocols, they quietly seized control of jump servers, escalated privileges, disabled multifactor authentication, and pushed ransomware payloads directly to VMware ESXi hypervisors.

Jason Soroko of Sectigo called it a “textbook identity attack.” “By turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys and service-account secrets that function as the organization’s digital identities,” he said. “Those stolen identities negated perimeter controls, neutralized Veeam backups and enabled hypervisor-level ransomware deployment.”

The attack wasn’t just about malware. As Rom Carmel, co-founder and CEO at Apono, noted, “It hinged on identity and credential compromise.”

“By trojanizing KeePass, attackers gained access to a trove of stored credentials, including admin accounts, service accounts, and API keys, giving them the ability to move laterally and escalate privileges,” Carmel said. “The lesson learned: this breach highlights how unmanaged credentials and overprivileged identities, both human and non-human, are prime targets and key enablers in modern ransomware campaigns.”

Open source: the double-edged sword

This campaign also highlights the risks of trusting open-source software, or more precisely, the wrong source of it. KeePass itself wasn’t the problem; the ecosystem around it was. “This case touches on open-source usage and our trust in false advertising,” Cipot added.

Patrick Tiquet of Keeper Security echoed the concern. “This incident highlights a critical risk in relying on open-source applications, especially when downloading them from unofficial or unverified sources,” he said. “While open-source software can offer flexibility and transparency, it also presents unique attack surfaces.”

Experts agreed on the remedy: treat software acquisition the way you treat identity, with verification. That means downloading from official sources, layering defenses like EDR and PAM, and enforcing zero-trust and zero-knowledge architectures wherever credentials are involved.
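One concrete form of that verification, shown here as an added example rather than code from the article, WithSecure, or the KeePass project: gate an installer on both its download origin and a vendor-published SHA-256 digest before anyone runs it. The `OFFICIAL_HOSTS` allowlist, the installer bytes, and the pinned digest are all constructed or assumed so the script runs offline; in practice the allowlist comes from your vetted software catalogue and the digest from the vendor's own channel, never from the page that served the file.

```python
"""Checks a defender can run on a downloaded installer before executing it.

Added example, not WithSecure's or the KeePass project's code. Assumptions you
would replace with values from your own vetted software catalogue: the
OFFICIAL_HOSTS allowlist and the pinned SHA-256 digest. SAMPLE_INSTALLER is
constructed bytes standing in for a real installer so this runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: hosts your organisation has vetted as the official
# distribution points for this package. Exact match only, so look-alike
# domains promoted through search ads (extra word, hyphen, different TLD) fail.
OFFICIAL_HOSTS = frozenset({"keepass.info"})

# Constructed sample installer and a tampered copy (one token differs),
# representing a vendor build and a rebuilt, modified package of the same name.
SAMPLE_INSTALLER = b"constructed installer bytes v1.0"
TAMPERED_INSTALLER = SAMPLE_INSTALLER.replace(b"v1.0", b"v1.1")

# Stands in for the digest the vendor publishes out of band (release notes,
# package metadata, a TLS-served checksum file). Computed here only because
# the sample is constructed; never derive the expected digest from the file
# you are about to check.
PINNED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def is_official_source(url: str, allowed_hosts=OFFICIAL_HOSTS) -> bool:
    """True only for an https URL whose hostname exactly matches an allowed host."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    return parsed.hostname.lower() in allowed_hosts


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers never sit fully in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, expected_sha256: str) -> bool:
    """Compare the on-disk digest with the pinned one using a constant-time compare."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.strip().lower())


def check_candidate(url: str, content: bytes, expected_sha256: str) -> dict:
    """Run both gates on a candidate download and report each result.

    Writes the content to a temporary file so the digest path is the same one a
    real installer would take; returns a dict instead of printing so callers
    can act on the outcome (block the install, raise a ticket, log the event).
    """
    source_ok = is_official_source(url)
    with tempfile.TemporaryDirectory() as tmp:
        candidate = Path(tmp) / "installer.bin"
        candidate.write_bytes(content)
        digest_ok = verify_download(candidate, expected_sha256)
    return {"source_ok": source_ok, "digest_ok": digest_ok,
            "safe_to_run": source_ok and digest_ok}


def demo() -> dict:
    """Genuine build from the official host vs. a modified rebuild from a look-alike host."""
    return {
        "genuine": check_candidate("https://keepass.info/download.html",
                                   SAMPLE_INSTALLER, PINNED_SHA256),
        "lookalike": check_candidate("https://keepass-download.example/setup.exe",
                                     TAMPERED_INSTALLER, PINNED_SHA256),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The digest gate is what catches a rebuilt package: a recompiled binary signed with some other trusted certificate can still carry a valid-looking code signature, so on Windows an Authenticode check only helps if you also compare the signer's identity against the one you expect, and a pinned hash from the vendor's own channel does not depend on that judgement at all.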
