Trojanized KeePass opens doors for ransomware attackers
A suspected initial access broker has been leveraging trojanized versions of the open-source KeePass password manager to set the stage for ransomware attacks, WithSecure researchers have discovered.
KeeLoader: Password manager that acts as data stealer and malware loader
In February 2025, WithSecure’s incident responders were hired by a European IT service provider to help with response and remediation after a ransomware gang encrypted their VMware ESXi servers’ datastores.
While the attack itself was relatively typical, the thing that stood out was the use of an undocumented malware loader that was built into the legitimate KeePass password manager, and this trojanized version’s ability to download additional attack tools (e.g., a Cobalt Strike beacon) and grab credentials from the KeePass database.
“Other trojans built into legitimate tools simply appended malicious content – whereas this case highlights actors modifying the source code and functionality of legitimate tools before recompiling and signing the malware,” the researchers noted.
KeeLoader – as the researchers dubbed the trojanized KeePass version – outwardly functions as a password manager, and the fact that it has been signed with trusted certificates adds to its stealthiness.
“Sandbox detection is also difficult as the malicious functionality will only manifest once a password database is opened in KeePass. Furthermore, when KeeLoader loads a Cobalt Strike beacon, the loaded beacon is encrypted and only executed when the backdoor is triggered manually. This reduces the chances of detection through automated malware sandboxing,” they added.
Mapping the campaign(s)
In this attack, KeeLoader was downloaded onto an organization’s system from a KeePass lookalike site parked on KeePass-info[.]aenys[.]com. Potential victims would land on this site after getting redirected by malicious Bing and DuckDuckGo ads.
During this engagement, WithSecure’s threat intelligence analysts also uncovered a slew of malvertising campaigns, typosquatted domains, and subdomains that served KeeLoader, the Nitrogen loader posing as legitimate software (WinSCP, TreeSize Free), and phishing pages impersonating financial institutions and services, as well as evidence of active, 8-month-long development of KeeLoader.
Other trojanized KeePass samples point to continuous development (Source: WithSecure)
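The lookalike host and typosquatted domains described above are the kind of thing a defender can hunt for in proxy or DNS logs. The script below is an added example, not code from the WithSecure report: it refangs a defanged indicator (KeePass-info[.]aenys[.]com), then flags any host that carries the KeePass brand in a label without resolving under keepass.info, or whose registrable domain is within a short edit distance of keepass.info. The log line format and the sample entries are constructed for the demo, and the two-label "registrable domain" rule is a simplification that ignores multi-part suffixes such as co.uk.

```python
import re
from typing import List, Optional, Tuple

OFFICIAL_DOMAIN = "keepass.info"  # the genuine KeePass site
BRAND = "keepass"

# Constructed sample proxy log lines (not real telemetry). The format
# "<timestamp> <client> <method> <url> <status>" is an assumption for the demo.
SAMPLE_LOG = """\
2025-02-03T09:12:01Z 10.1.4.22 GET https://keepass.info/download.html 200
2025-02-03T09:13:44Z 10.1.4.22 GET https://KeePass-info.aenys.com/KeePass-Setup.exe 200
2025-02-03T09:15:10Z 10.1.7.9 GET https://keepas.info/index.php 200
2025-02-03T09:16:30Z 10.1.7.9 GET https://updates.example.com/keepass/notes.txt 200
2025-02-03T09:17:02Z 10.1.9.3 GET https://sourceforge.net/projects/keepass/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as KeePass-info[.]aenys[.]com into a usable, lowercase host/URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_of(url: str) -> str:
    """Extract the lowercase host from a URL without any network lookup."""
    no_scheme = re.sub(r"^[a-z]+://", "", url.lower())
    return no_scheme.split("/", 1)[0].split(":", 1)[0]


def registrable_domain(host: str) -> str:
    """Last two labels of the host; simplification that ignores suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats of the official domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host impersonates KeePass, else None."""
    host = refang(host)
    reg = registrable_domain(host)
    if reg == OFFICIAL_DOMAIN:
        return None
    # Brand used as (part of) a label on someone else's domain, e.g. keepass-info.aenys.com
    # or keepass.info.evil.example: the registrable domain is what matters.
    if any(BRAND in label for label in host.split(".")):
        return f"brand in non-official host (registrable domain {reg})"
    dist = edit_distance(reg, OFFICIAL_DOMAIN)
    if dist <= 2:
        return f"possible typosquat of {OFFICIAL_DOMAIN} (edit distance {dist})"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for every log line whose host looks like a KeePass lookalike."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        host = host_of(url)
        reason = classify_host(host)
        if reason:
            hits.append((client, host, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client}\t{host}\t{reason}")
```

Brand-in-label matching deliberately runs before the typosquat check so that a host like keepass.info.evil.example is caught by the stronger rule; the edit-distance threshold of 2 is a tuning choice and will need a short allow-list in environments where legitimate short domains sit close to keepass.info.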
WithSecure says that the infrastructure links and overlapping attributes of artifacts deployed in historic campaigns point to the threat actor behind these campaigns being a prolific ransomware affiliate that’s likely operating as an initial access broker (tracked as “UNC4696” by Mandiant) – though they cannot be entirely sure.
What’s sure, though, is that malvertising and masking malware as legitimate software is a very successful attack tactic, used by a variety of threat actors. (Occasionally, some also engage in supply chain compromise and substitute legitimate software installers on official sites, as well.)
“The previously unseen targeting of KeePass and continual development of the KeePass trojans to simultaneously gain access to a network, and to a user’s credentials/digital identity is a worryingly efficient and dangerous development. This is almost certainly contributing to a ransomware ecosystem where victim counts are seemingly ever on the rise,” the researchers noted.
Indicators of compromise associated with these campaigns have been included in the report.