Threat actors have been leveraging fake KeePass password manager installers for at least eight months to launch a chain of attacks that ultimately lead to ransomware deployment on enterprise VMware ESXi servers. The malicious campaign was discovered by WithSecure’s Threat Intelligence team during an incident response investigation.
The attack began when a victim unknowingly downloaded a trojanized KeePass installer promoted through Bing ads, which redirected users to typo-squatted domains impersonating the official KeePass site.
“KeeLoader was not just modified to the extent it could act as a malware loader. Its functionality was extended to facilitate the exfiltration of KeePass database data,” reads the WithSecure report.
As KeePass is open-source, attackers altered the source code to embed a backdoor named KeeLoader. While it maintained KeePass’s full functionality, it also:
- Installed a Cobalt Strike beacon
- Exported KeePass databases in cleartext CSV
- Stole credentials including usernames, passwords, and comments
The stolen CSV file was saved under %localappdata% with a .kp.<random_integer> naming convention. Additionally, the KeeLoader malware included keylogging functionality to capture all credentials entered into the fake KeePass interface.
“When KeePass database data was opened; account, login name, password, website, and comments information is also exported in CSV format under %localappdata% as .kp. This random integer value is between 100-999.”
Dumping KeePass credentials
Source: WithSecure
WithSecure linked the Cobalt Strike watermark in the beacon payload to a known Initial Access Broker (IAB) tied to Black Basta ransomware operations. The watermark is a license-linked identifier embedded in Cobalt Strike payloads that allows threat researchers to trace campaigns.
“This watermark is commonly noted in the context of beacons and domains related to Black Basta ransomware. It is likely used by threat actors operating as Initial Access Brokers working closely with Black Basta,” explains WithSecure.
The attackers distributed multiple KeeLoader variants signed with legitimate digital certificates via typo-squatted domains like:
- keeppaswrd[.]com
- keegass[.]com
- KeePass[.]me
BleepingComputer confirmed that keeppaswrd[.]com was still live and actively distributing the trojanized installer.
Beyond KeePass impersonation, the attackers deployed phishing pages and malware disguised as software tools using domains like aenys[.]com. These pages spoofed brands such as:
- WinSCP
- Phantom Wallet
- PumpFun
- DEX Screener
- Sallie Mae
- Woodforest Bank
The campaign is attributed with moderate confidence to UNC4696, a group previously associated with Nitrogen Loader and BlackCat/ALPHV ransomware.
Users are urged to download software only from official sources, never from ads—even if the ad appears to show a correct domain.
“Even if an advertisement displays the correct URL for a software service, it should still be avoided, as threat actors have repeatedly proven that they can circumvent ad policies to display the legitimate URL while linking to imposter sites.”
