"The Password Trap": How a Fake Version of KeePass Opened the Door to Ransomware
A real-world cybersecurity incident revealed that even good intentions to protect data can have disastrous consequences if caution is overlooked. An employee tried to secure their passwords by downloading KeePass—but instead of visiting the official website, they landed on a malicious fake site.
What Did the Fake KeePass Do?
Attackers created a version of KeePass that looked and behaved like the original. However, it secretly:
Stored all saved passwords in plaintext on the victim's system.
Installed Cobalt Strike, a powerful tool used for both penetration testing and real attacks.
Used this tool to compromise more systems and eventually encrypt the organization’s ESXi servers.
A Covert Campaign with a Legitimate Appearance
This campaign began around mid-2024 and lasted for approximately eight months. The attackers:
Created fake websites with names like keeppaswrd, keebass, and KeePass-download.
Used malvertising (malicious advertising) to lure users searching for KeePass.
Digitally signed the fake installers with valid certificates, preventing OS or antivirus alerts.
Malware Hidden Inside the Core Code
Unlike typical software supply chain attacks that add external malicious files, in this case:
Malicious code was embedded directly into the core logic of the application.
It only activated when the user opened a KeePass database.
Until that point, the software appeared to function completely normally.
KeePass Wasn’t the Only Target
Further investigation revealed that the attackers had also tampered with other legitimate software such as WinSCP and encryption tools. In some cases, they installed a known malware called Nitrogen Loader. These were likely spread by Initial Access Brokers (IABs) — cybercriminals who steal credentials and sell access to ransomware groups.
Everyone Can Be a Target
These malware distributors indiscriminately target unsuspecting users:
Stealing passwords, financial data, social media accounts, or gaming credentials.
Then selling them on underground markets to ransomware gangs, scammers, or spammers.
Security Tips for Home Users
Download software only from official websites or trusted app stores.
Pay attention to the digital signature and Publisher name during installation.
Avoid clicking on sponsored ads in search results.
Use comprehensive security software like Kaspersky Premium.
Continue using a trusted password manager to store credentials securely.
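The signature and publisher tip above can be turned into a concrete pre-install check. The following PowerShell function is an added example, not code from this article or from the KeePass project. It assumes a Windows machine, an installer still carrying its Mark-of-the-Web, and two values you fill in from the vendor's official site: the publisher name printed in the signer certificate (placeholder here) and the approved download host (keepass.info is the official KeePass site). The point of step 2 is the one the article makes: the counterfeit installers were signed with valid certificates, so "signature valid" is not enough; the signer must also be the publisher you expect.

```powershell
# Added example (not from the article or the KeePass project): pre-install check
# for a downloaded installer. It tests three things:
#   1. the Authenticode signature is valid (trusted chain, file unmodified);
#   2. the signer's certificate subject names the publisher you expect;
#   3. the Mark-of-the-Web (Zone.Identifier stream) records a download host on
#      your approved list, i.e. the file came from the official site.
# $ExpectedPublisher and $ApprovedHosts are placeholders you fill in yourself.

function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [string[]] $ApprovedHosts = @()
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Signature status: 'Valid' means trusted chain and unmodified file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)', not 'Valid'")
    }

    # 2. Signer identity: a valid signature only proves that someone signed the file.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($subject -notlike "*CN=$ExpectedPublisher*") {
        $findings.Add("Signer '$subject' does not match expected publisher '$ExpectedPublisher'")
    }

    # 3. Download origin: Windows writes a HostUrl= line into the Zone.Identifier stream.
    $hostName = $null
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostLine = $zone | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
    if ($hostLine) {
        $hostName = (($hostLine -replace '^HostUrl=', '') -as [uri]).Host
    }
    if (-not $hostName) {
        $findings.Add('No HostUrl in Zone.Identifier: download origin cannot be confirmed')
    } elseif ($ApprovedHosts.Count -gt 0) {
        $approved = $ApprovedHosts | Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") }
        if (-not $approved) {
            $findings.Add("Downloaded from '$hostName', which is not an approved host")
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = $subject
        HostUrl  = $hostName
        Findings = $findings.ToArray()
        Safe     = ($findings.Count -eq 0)
    }
}

# Usage with placeholder values; install only when Safe is $true:
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\KeePass-Setup.exe" `
#     -ExpectedPublisher 'EXPECTED PUBLISHER CN' -ApprovedHosts 'keepass.info'
```

Each failed check is reported as a separate finding rather than a single yes/no, so a user (or a help desk) can see whether the problem is an unsigned file, a plausible-looking but wrong signer, or a correct installer that merely arrived via a sponsored ad on a lookalike domain.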
Security Tips for Organizations
Enforce application allowlisting to restrict software execution to trusted vendors.
Implement centralized EDR, SIEM, or XDR solutions for threat detection and response.
Train employees to recognize phishing, fake software, and malicious ads.
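On the organisational side, the lookalike domains named in this article are something a detection team can hunt for in proxy or DNS logs. The script below is an added example, not the article's own material. It scans constructed sample log lines (assumed layout: timestamp, client IP, URL) for three patterns: a domain that contains a protected brand but is not the official site (KeePass-download), a domain label within a small edit distance of the brand (keebass), and an installer path that names the brand while the host is not official (keeppaswrd serving a KeePass installer). The official domains used (keepass.info, winscp.net) are the vendors' real sites; the .example hosts are reserved names used only for the sample.

```powershell
# Added example (not from the article): hunting for lookalike download sites in
# web-proxy logs. Log lines below are constructed; the "<timestamp> <client> <url>"
# layout is an assumption, so adjust the split for your proxy's format.

function Get-EditDistance {
    # Plain Levenshtein distance; both inputs lower-cased first.
    param([string] $a, [string] $b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-LookalikeDownloads {
    param(
        [string[]]  $LogLines,
        [hashtable] $Brands,        # brand keyword -> official domain
        [int]       $MaxDistance = 2
    )
    foreach ($line in $LogLines) {
        $parts = $line -split '\s+', 3
        if ($parts.Count -lt 3) { continue }
        $uri = $parts[2] -as [uri]
        if (-not $uri -or -not $uri.Host) { continue }
        $domain = $uri.Host.ToLowerInvariant()
        # Second-level label is what typosquatters vary (good enough for .com/.info style names).
        $labels = $domain -split '\.'
        $sld = if ($labels.Count -ge 2) { $labels[$labels.Count - 2] } else { $domain }

        foreach ($brand in $Brands.Keys) {
            $official = $Brands[$brand]
            if ($domain -eq $official -or $domain.EndsWith(".$official")) { continue }  # legitimate
            $reason = $null
            if ($sld -like "*$brand*") {
                $reason = "domain contains '$brand' but is not $official"
            } elseif ((Get-EditDistance $sld $brand) -le $MaxDistance) {
                $reason = "domain label '$sld' is within $MaxDistance edits of '$brand'"
            } elseif ($uri.AbsolutePath -like "*$brand*") {
                $reason = "URL path names '$brand' but host is not $official"
            }
            if ($reason) {
                [pscustomobject]@{ Time = $parts[0]; Client = $parts[1]; Domain = $domain; Reason = $reason }
            }
        }
    }
}

# Constructed sample proxy log lines (not real traffic); .example is a reserved TLD.
$sampleLog = @(
    '2024-09-03T10:12:01Z 10.0.0.15 https://keepass.info/download.html'
    '2024-09-03T10:13:44Z 10.0.0.15 https://keeppaswrd.example/KeePass-Setup.exe'
    '2024-09-03T10:15:09Z 10.0.0.22 https://keebass.example/'
    '2024-09-03T10:16:30Z 10.0.0.31 https://keepass-download.example/setup.exe'
    '2024-09-03T10:17:02Z 10.0.0.40 https://winscp.net/eng/download.php'
)
Find-LookalikeDownloads -LogLines $sampleLog -Brands @{ keepass = 'keepass.info'; winscp = 'winscp.net' } |
    Format-Table -AutoSize
```

Against the sample, the two legitimate lines pass because their hosts match the official domains, while each of the three lookalikes is caught by a different rule. The path rule matters because a name such as keeppaswrd is too far from keepass for edit distance alone to flag it; what gives it away is that it serves a file named after the product. In a SIEM, the same three rules map naturally onto a scheduled search whose hits are routed to the EDR team to pull the downloaded file for the signature check described in the home-user section.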
Source: MedadPress
www.medadpress.ir
