Cybercriminals have been spreading trojanized versions of the KeePass password manager for at least eight months. The modified software is used to install Cobalt Strike beacons, steal login credentials, and ultimately deploy ransomware on infected networks.
The Threat Intelligence team at WithSecure discovered the campaign while investigating a ransomware attack. Their analysis showed that the intrusion began with a malicious KeePass installer: Bing ads pointed victims to fake download sites that resembled legitimate software pages, and the trojanized installer was served from there.
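Because the lure is a look-alike download page rather than a compromised official source, the practical check is to validate any KeePass installer before running it. The following PowerShell snippet is an added example, not code from the article or from WithSecure. It assumes that you compare the signer subject against a known-good copy of the official installer (the `CN=Open Source Developer, Dominik Reichl*` pattern below is an assumption you should confirm) and that the expected SHA-256 hash was obtained out-of-band from the official site.

```powershell
# Added example (not from the article): validate a downloaded KeePass installer
# before executing it. Pin the signer identity and, where available, the published hash.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: subject pattern of the legitimate KeePass code-signing certificate;
    # confirm it against a known-good installer before relying on it.
    [string] $ExpectedSignerSubject = 'CN=Open Source Developer, Dominik Reichl*',
    # Assumption: SHA-256 published on the official download page, fetched out-of-band.
    [string] $ExpectedSha256 = ''
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)' for $Path; do not run it."
}

# A valid signature alone is not sufficient: any party can obtain a code-signing
# certificate in some name, so the signer subject must match the expected publisher.
if ($sig.SignerCertificate.Subject -notlike $ExpectedSignerSubject) {
    throw "Unexpected signer '$($sig.SignerCertificate.Subject)' for $Path; do not run it."
}

if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "SHA-256 mismatch for $Path (got $actual); do not run it."
    }
}

Write-Output "OK: $Path is signed by '$($sig.SignerCertificate.Subject)' and passes the configured checks."
```

Run it as `.\Check-KeePassInstaller.ps1 -Path .\KeePass-Setup.exe -ExpectedSha256 <hash>`; the hash check is optional only because some download pages do not publish one, and the signer pin is the check that catches a validly signed build from the wrong publisher.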
Because KeePass is open source, the attackers were able to modify its source code and build a trojanized version, dubbed KeeLoader. This version retains the normal functionality of KeePass…