
Hackers have been distributing fake versions of the popular KeePass password manager to spread malware and launch ransomware attacks. According to cybersecurity firm WithSecure, these attacks have been happening for at least eight months and are part of a larger campaign targeting users through malicious ads and fake websites.
The attack begins with users downloading a trojanized version of KeePass. KeePass is a widely used, open-source password manager that helps users securely store their passwords. Because it is open source, anyone can modify its code. In this case, threat actors have taken advantage of that.
They created a fake but fully functional version of KeePass, which has been dubbed KeeLoader. While KeeLoader looks and works like the real KeePass, it has hidden malicious features. Once installed, it does two dangerous things:
It drops a Cobalt Strike beacon on the victim’s computer.
It steals the KeePass password database and sends it to the attackers.
The stolen database is exported in cleartext (unencrypted), exposing all the stored usernames, passwords, website addresses, and even comments. This makes it easy for cybercriminals to access sensitive accounts.
How the Attack Works
WithSecure discovered this malicious campaign during an investigation of a ransomware incident involving VMware ESXi servers. The breach began when an employee unknowingly downloaded the fake KeePass software through a Bing advertisement that led to a fake software website.
The attackers used typo-squatting domains—websites with slightly misspelled names—to trick users into believing they were on the official KeePass website. Some of the fake domain names used include:
keeppaswrd[.]com
keegass[.]com
KeePass[.]me
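A defender-side check for the typo-squatting described above, written as an added example (it is not from WithSecure's report or the KeePass project). It assumes keepass.info is the legitimate reference domain, accepts hosts in the defanged `[.]` form used in the article, and scores the registrable label against the brand with difflib; the similarity threshold is an assumption tuned on the samples shown.

```python
"""Flag KeePass look-alike domains such as the ones used in this campaign.

Added example, not from WithSecure's report. It assumes keepass.info is the
legitimate reference domain and compares the registrable label of a host
(or a domain written in defanged 'keegass[.]com' form) against the brand
with difflib's similarity ratio; the threshold is an assumption.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

LEGIT_HOST = "keepass.info"   # assumed reference domain of the real project
BRAND = "keepass"
SIMILARITY_THRESHOLD = 0.65   # assumed; tuned on the samples below


def normalize_host(value: str) -> str:
    """Accept a URL or bare host, refang '[.]' and lower-case it."""
    value = value.strip().replace("[.]", ".").lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")


def registrable_label(host: str) -> str:
    """Label left of the TLD (naive split; fine for .com/.me/.info samples)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(value: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a host or URL."""
    host = normalize_host(value)
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return "legit"
    label = registrable_label(host)
    if label == BRAND:
        return "lookalike"            # right brand, wrong TLD: keepass[.]me
    score = SequenceMatcher(None, label, BRAND).ratio()
    return "lookalike" if score >= SIMILARITY_THRESHOLD else "unrelated"


if __name__ == "__main__":
    # Domains named in the article plus constructed benign ones for contrast.
    for sample in ("keeppaswrd[.]com", "keegass[.]com", "KeePass[.]me",
                   "https://keepass.info/download.html", "github.com"):
        print(f"{sample:40} {classify(sample)}")
```

Run against proxy or DNS logs, the same `classify` call turns a list of visited hosts into a shortlist of look-alikes worth blocking or reviewing.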
Once KeeLoader is installed, it behaves like a normal password manager but secretly installs malware in the background. Specifically, it plants a Cobalt Strike beacon—an advanced tool often used by hackers to control infected systems remotely. These beacons include a watermark that links them to specific hacker groups.
Link to Black Basta Ransomware Group
According to WithSecure, the watermark found in this campaign’s Cobalt Strike beacons is associated with Initial Access Brokers (IABs) believed to work with the Black Basta ransomware gang. IABs are cybercriminals who specialize in breaking into networks and then selling that access to ransomware operators.
WithSecure has not seen this specific watermark used in other campaigns, making it a strong clue about the identity of the attackers. The group behind this operation is believed to be UNC4696, which has also been connected to earlier campaigns involving Nitrogen Loader malware and the BlackCat/ALPHV ransomware group.
Advanced Features of KeeLoader
The fake KeePass installer was not just a simple malware dropper. KeeLoader's capabilities went further than those of a plain dropper: for example, it exported all password data into a .kp CSV file, which was stored in the %localappdata% folder on the user's machine. This file included:
Account names
Login IDs
Passwords
Associated websites
Any comments entered by the user
These details were then exfiltrated (sent) to the attackers through the Cobalt Strike beacon.
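A hunt for the export artifact described above, written as an added example (not WithSecure's or the KeePass project's code). It walks a directory standing in for %localappdata%, picks files with the .kp extension the article names, and tests whether the content is a CSV whose header carries the credential fields the article lists; the column names and sample rows are constructed.

```python
"""Hunt for the cleartext KeePass export KeeLoader is reported to write.

Added example (not WithSecure's or the KeePass project's code). Column names
and sample rows are constructed; the directory stands in for %localappdata%.
"""
import csv
import io
import os
import tempfile

# Header words that indicate a credential export (assumed KeePass-style names).
CREDENTIAL_COLUMNS = ("account", "login", "password", "web site", "url", "comment")
MIN_COLUMN_HITS = 3   # assumed: distinct credential columns required to flag


def looks_like_credential_export(text: str) -> bool:
    """CSV with a header naming >= MIN_COLUMN_HITS credential fields plus data."""
    try:
        rows = list(csv.reader(io.StringIO(text)))
    except csv.Error:
        return False
    if len(rows) < 2:
        return False
    header = [col.strip().lower() for col in rows[0]]
    hits = [kw for kw in CREDENTIAL_COLUMNS if any(kw in col for col in header)]
    return len(hits) >= MIN_COLUMN_HITS


def scan_directory(root: str) -> list:
    """Paths of *.kp files under root whose first 4 KiB look like an export."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".kp"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if looks_like_credential_export(fh.read(4096)):
                        findings.append(path)
    return findings


def build_sample_dir() -> str:
    """Constructed stand-in for %localappdata%: one fake export, one decoy."""
    root = tempfile.mkdtemp(prefix="localappdata_")
    export = ('"Account","Login Name","Password","Web Site","Comments"\n'
              '"Mail","alice","Pa55-constructed","https://mail.example","work"\n')
    with open(os.path.join(root, "db.kp"), "w", encoding="utf-8") as fh:
        fh.write(export)
    with open(os.path.join(root, "notes.kp"), "w", encoding="utf-8") as fh:
        fh.write("plain text, not a table\n")
    return root
```

Calling `scan_directory(build_sample_dir())` returns only the constructed `db.kp`; pointing it at a real `%localappdata%` path turns it into a quick triage sweep for hosts suspected of running KeeLoader.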
Ransomware Deployment on ESXi Servers
In the case WithSecure investigated, the ultimate goal of the attackers was to deploy ransomware. After gaining access to the network through KeeLoader, the threat actors moved laterally and encrypted the company’s VMware ESXi servers—a common target for ransomware attacks due to their role in managing virtual machines.

Widespread Malware Infrastructure
Further investigation showed that this campaign was part of a larger infrastructure designed to distribute malware and steal credentials. One domain, aenys[.]com, hosted several subdomains that mimicked well-known tools and services, such as:
WinSCP
Phantom Wallet
Sallie Mae
Woodforest Bank
DEX Screener
PumpFun
Each of these fake subdomains was used to spread different types of malware or capture login credentials from unsuspecting users.
Important Cybersecurity Tips for Users
This incident highlights the importance of safe software downloading practices. Here are some key tips to stay protected:
Always download software from the official website. Never trust ads, even if they appear to display the correct URL.
Avoid clicking on sponsored search results when looking for sensitive software like password managers.
Check the domain name carefully to make sure it’s spelled correctly.
Use antivirus software and keep it up to date.
Enable multi-factor authentication for your accounts to add an extra layer of protection.
The fake KeePass campaign is a reminder of how sophisticated cyberattacks have become. By using modified open-source software, typo-squatting domains, and paid ads, attackers are finding new ways to trick users into installing malware. The consequences can be severe, leading to stolen credentials, full network compromise, and ransomware attacks.
Cybersecurity experts urge users to remain cautious, especially when installing tools that manage sensitive information. One careless click can open the door to a major data breach.