For at least eight months, malicious groups have been distributing modified versions of KeePass, a popular password manager, to infiltrate systems and wreak havoc. The trap: a “fake” KeePass that appears to function normally on the surface but is designed to steal credentials, install remote control tools, and ultimately launch ransomware attacks.
It all started when a team of researchers was called in to investigate a ransomware case. Tracing the origin, they discovered a KeePass installer that wasn’t what it seemed. It had been promoted through Bing ads that led to highly convincing fake websites, nearly identical to the legitimate ones.
Taking advantage of KeePass being open-source, the attackers took the original software, made a few modifications, and created a trojanized version known as “KeeLoader.” This fake KeePass retained all the typical password management features but had a hidden trick: it installed a Cobalt Strike beacon (a tool used to navigate compromised networks) and exported the password database in plain text, ready to be stolen without the user ever knowing.
Evidence Points to Links with the Black Basta Ransomware Group
According to researchers, the malicious beacons used in this campaign contain a kind of “digital watermark” that helps trace their origin. It turns out this watermark has been seen before in attacks linked to the Black Basta ransomware group, suggesting that this operation may be orchestrated by one of their close allies or collaborators.
To better understand this: Cobalt Strike beacons, which are tools attackers use to navigate within a compromised network, include a unique embedded identifier. It's like a fingerprint that points to the license used to generate them. In this case, that fingerprint matches others found in previous campaigns associated with Black Basta.
While there are no public records of other attacks using this exact watermark, that doesn’t mean they don’t exist—it simply means they haven’t been documented (yet).
Furthermore, researchers uncovered several versions of the “KeeLoader” malware, some even signed with valid certificates, making them appear even more legitimate. These variants were being distributed through fake websites mimicking the original KeePass name, such as keeppaswrd[.]com, keegass[.]com, and KeePass[.]me.
Most concerning of all: one of these sites, keeppaswrd[.]com, is still active and is distributing the trojanized KeePass installer at the time of writing.
Fake KeePass Website Promoting a Trojanized Installer
In addition to installing Cobalt Strike beacons, the fake version of KeePass also included a password-stealing feature. Essentially, every time someone entered credentials into the program, they could be silently captured and extracted by the attackers without the user noticing.
The analysts who investigated the attack explained that “KeeLoader,” the name given to this modified version, didn’t just act as a malware launcher—it was also designed to extract the password database directly from the legitimate KeePass.
When the victim opened their KeePass database, the program would automatically export all information (username, password, website, notes) into a hidden CSV file on the system, stored in a local folder named “.kp.” This file used a randomly generated name to avoid detection.
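A defender-side check for the artefact described above, added here as an example and not code from the report or from KeePass: it walks a directory tree for the ".kp" drop folder and flags any file inside it whose first row looks like a plain-text credential export. The column names it matches on (assumed; the report does not give the exact header KeeLoader writes) and the sample tree it builds are constructed for the demonstration.

```python
import csv
import os
import tempfile
from pathlib import Path

# Assumed header names of a KeePass-style plain-text export; matching is
# case-insensitive and needs one credential column plus one site column.
CREDENTIAL_COLUMNS = {"password", "login name", "username", "user name"}
SITE_COLUMNS = {"web site", "website", "url"}

def looks_like_credential_csv(path: Path) -> bool:
    """True if the first row has both a password-like and a site-like column."""
    try:
        with path.open(newline="", encoding="utf-8", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except OSError:
        return False
    cols = {c.strip().lower() for c in header}
    return bool(cols & CREDENTIAL_COLUMNS) and bool(cols & SITE_COLUMNS)

def find_kp_dumps(root: Path) -> list[Path]:
    """Walk root; return files inside any '.kp' directory that look like exports."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if Path(dirpath).name != ".kp":
            continue
        for name in filenames:
            candidate = Path(dirpath, name)
            if looks_like_credential_csv(candidate):
                hits.append(candidate)
    return sorted(hits)

def build_sample_tree(root: Path) -> None:
    """Constructed sample: one dump with a random-looking name plus one decoy."""
    dump = root / "user" / ".kp" / "a1b2c3d4.csv"      # the drop folder
    dump.parent.mkdir(parents=True)
    with dump.open("w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["Account", "Login Name", "Password", "Web Site", "Comments"])
        writer.writerow(["Mail", "alice", "hunter2", "https://mail.example", ""])
    # Same folder, but the header is not credential-shaped, so it is not flagged.
    (root / "user" / ".kp" / "expenses.csv").write_text("Date,Amount\n2024-01-01,10\n")

def demo() -> list[str]:
    """Build the sample tree in a temp dir and return hit paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return [p.relative_to(tmp).as_posix() for p in find_kp_dumps(Path(tmp))]
```

Point find_kp_dumps at a user profile root to sweep a real machine; a hit is worth treating as a potential credential leak and a reason to rotate every password in that database.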
The result? The attacker ended up with a plain text copy of all of the victim's passwords, without the victim ever knowing. But that wasn't all. In the case that was investigated, the attack concluded with the company's VMware ESXi servers being completely encrypted by ransomware, halting operations entirely.
Upon further investigation, researchers discovered that this campaign was part of something much larger: a fairly extensive malicious infrastructure using fake pages of popular tools and well-crafted phishing sites to infect devices or steal credentials.
One of the domains used in the campaign was aenys[.]com, which hosted subdomains impersonating well-known brands such as WinSCP, Phantom Wallet, PumpFun, Woodforest Bank, DEX Screener, and even Sallie Mae. Each of these sites was used to distribute various types of malware or trick users into handing over their credentials.
According to researchers, all of this appears to be linked to a group identified as UNC4696, which had previously been associated with campaigns involving the Nitrogen Loader malware—another malicious loader that has been tied to the BlackCat/ALPHV ransomware.
KeePass Credential Dump (Source: WithSecure)
The Lesson Here?
If you're going to download software—especially sensitive tools like password managers—always do so from official and verified websites. Completely avoid sponsored links or ads, even if they display a URL that looks legitimate. Attackers have proven they can manipulate these kinds of links to lead you to fake sites that look exactly like the originals... but with very different consequences.