
Trojanized Version of Popular Password Manager KeePass Distributed Via Malicious Search Ads, Fueled Extended Campaign of Ransomware Attacks

Researchers at WithSecure are warning that a rogue version of the password manager KeePass is the likely source of numerous ransomware attacks, and that it also exfiltrates the contents of password databases. The tainted build carries a trojan and was distributed through a “malvertising” campaign that made it appear to be a legitimate download of the software.

They indicate that this particular campaign has likely been active for at least eight months, and that it belongs to a broader malvertising ecosystem that targets other legitimate brands in the same way. The infrastructure behind the fake KeePass ransomware attacks is associated with a known Initial Access Broker (IAB) that has been active for at least two years.

Fake password manager download targets Bing searches

The attackers used the Microsoft Advertising platform, specifically search ads served through Bing (which also appeared on DuckDuckGo through an advertising partnership). The ads were mocked up to look as if they led to a legitimate KeePass download. Victims who clicked them instead received a maliciously modified build of the password manager, dubbed “KeeLoader,” designed to exfiltrate passwords and provide a backdoor for further malware delivery. Ransomware attacks that followed KeeLoader infections appear to use the Black Basta and BlackCat ransomware, but at times spoof the ransom notes so that Akira ransomware appears to be responsible.

WithSecure uncovered the campaign in February 2025 while responding to an attack on a client. That investigation led to the modified password manager, rebuilt to act as a malware loader and data exfiltrator. It was delivered as “KeePass-2.56-Setup.exe,” a version of the software that has not been current since early 2024. The malicious ads redirect to a fake KeePass download site hosted at “keeppaswrd[.]com,” which also lists incorrect and outdated version numbers.

The approach is highly effective not only because it exploits trust in what appear to be legitimate ads served by Bing and DuckDuckGo, but also because the loader was built by modifying the KeePass source code itself. The attackers used the open source code to rebuild the application’s primary executable with two additions: an encrypted Cobalt Strike payload, embedded to enable follow-on ransomware attacks, and a function that exports the account, login name, password, website, and comments fields from the password manager’s database. Because the rest of the program is genuine KeePass, the trojanized build functions normally from the user’s point of view.

Other ransomware attacks may stem from similar malvertising

The researchers found that the attack domain “aenys[.]com” is tied to a number of similar malvertising campaigns targeting other legitimate products and brands: Sallie Mae loans, the WinSCP utility, the Phantom cryptocurrency wallet, DEX Screener, the crypto platform Pump, and a Texas-based financial institution called Woodforest National Bank. The same domain and ad infrastructure delivered different malware for different purposes, for example payloads that raid cryptocurrency wallets.

The malicious search ads are relatively simple, plain text with no images, and carry some visible warning signs. They are written in English, but the advertiser identity shown at the top of the ad is a string of characters in an Asian language. The malicious “aenys” URL is also visible in the displayed download link, and the descriptive text contains small grammar errors in some cases. Once installed, the fake password manager is difficult for security software to detect, since it is a novel build of a known and popular product; the researchers report that it shows no malicious behavior in sandbox testing until either a password database is opened or a remote operator triggers the backdoor manually, so automated detonation alone is unlikely to flag it.
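Because the binary itself looks clean until a database is opened, the earliest reliable signal is the download path: a KeePass installer fetched from a host that is not an official distribution point, or a host whose name imitates the brand. The Python below, added here as an illustration and not code from WithSecure’s report or the KeePass project, triages web-proxy URLs for exactly those two signals plus the two campaign domains the article names. The log lines are constructed for the example; the official-domain allowlist (keepass.info and the SourceForge mirror) is an assumption you should replace with the sources your organisation actually trusts.

```python
"""Triage proxy URLs for trojanized-installer downloads (added example)."""
import re
from urllib.parse import urlparse

# ASSUMPTION: the project's own site plus the mirror that hosts release files.
OFFICIAL_DOMAINS = {"keepass.info", "sourceforge.net"}
# Domains the article names as part of the campaign infrastructure.
CAMPAIGN_DOMAINS = {"keeppaswrd.com", "aenys.com"}
BRAND = "keepass"
# Matches the installer naming the campaign abused, e.g. KeePass-2.56-Setup.exe
INSTALLER_RE = re.compile(r"keepass[-_]?\d+\.\d+[-_]?setup\.exe$", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com/.info, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to score lookalike labels such as 'keeppaswrd'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_similarity(host: str) -> float:
    """1.0 when some label of the host equals the brand; lower the further away it is."""
    best = 0.0
    for label in host.lower().split("."):
        d = edit_distance(label, BRAND)
        best = max(best, 1 - d / max(len(label), len(BRAND)))
    return best


def classify_url(url: str) -> dict:
    """known-bad: campaign IOC; suspicious: installer or brand lookalike off the allowlist."""
    p = urlparse(url)
    host = p.hostname or ""
    domain = registrable_domain(host)
    filename = p.path.rsplit("/", 1)[-1]
    installer = bool(INSTALLER_RE.search(filename))
    similarity = round(brand_similarity(host), 2)
    if domain in CAMPAIGN_DOMAINS:
        verdict = "known-bad"
    elif domain in OFFICIAL_DOMAINS:
        verdict = "ok"
    elif installer or similarity >= 0.5:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"host": host, "installer": installer, "similarity": similarity, "verdict": verdict}


# Constructed sample proxy log: "<timestamp> <user> <url> <status>" per line.
SAMPLE_LOG = """\
2025-02-10T09:14:02Z alice https://keepass.info/download.html 200
2025-02-10T09:14:31Z alice https://keeppaswrd.com/files/KeePass-2.56-Setup.exe 200
2025-02-10T09:20:07Z bob https://www.bing.com/search?q=keepass 200
2025-02-10T09:20:19Z bob https://aenys.com/click/7d2 302
2025-02-10T10:01:44Z carol https://sourceforge.net/projects/keepass/files/KeePass-2.56-Setup.exe 200
2025-02-10T10:05:12Z dave https://keepass.info.cdn-mirror.example/KeePass-2.56-Setup.exe 200
"""


def triage(log_text: str) -> list:
    """Return (user, url, verdict) for every line whose verdict is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        user, url = parts[1], parts[2]
        result = classify_url(url)
        if result["verdict"] != "ok":
            hits.append((user, url, result["verdict"]))
    return hits


if __name__ == "__main__":
    for user, url, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:<10} {user:<6} {url}")
```

Two design points matter. The allowlist is matched on the registrable domain, not on any label, so “keepass.info.cdn-mirror.example” is flagged even though it contains the real site name; and the same installer filename is “ok” from sourceforge.net but “known-bad” from keeppaswrd[.]com, because the filename is not the signal, the host is. The two-label eTLD+1 shortcut is wrong for suffixes like co.uk; use a public-suffix list in production. None of this replaces verifying the installer’s signature and published hash before it runs.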

The WithSecure report does not attribute the ransomware attacks to a specific perpetrator, but it does note that the operators likely have prior connections to both the Black Basta and BlackCat ransomware collectives. The password manager campaign began just after Black Basta went dormant, following the one-two punch of losing its “Qakbot” botnet and a public leak of internal group documents. The researchers think it likely that the KeeLoader campaign is the work of one or more former Black Basta operators branching out on their own in the wake of that fallout.

The incident is a strong reminder of the threat posed by malvertising: ads embedded in otherwise safe sites, even those of major tech companies like Microsoft, can link to attack pages or tainted downloads and must always be examined carefully. The major ad platforms generally screen ads for malicious behavior, but attackers slip through from time to time. Google also has a history of malvertising appearing alongside search results, often preceded by a criminal hijacking a legitimate advertiser’s account. Facebook has had consistent struggles with this too, most recently with a campaign that involved nearly a hundred malicious domains and targeted business accounts on the platform.

Boris Cipot, Senior Security Engineer at Black Duck, notes that this campaign of ransomware attacks intersects with several areas of cybersecurity in need of more attention: “This case presents a cybersecurity issue that is problematic from several sides. It touches on open source usage and development, it shows our trust in false advertising, and it showcases the vast capabilities cybercriminals have by exploiting the two.”

“The attackers focused on VMware ESXi servers where they deployed their ransomware payloads. By gathering the passwords stored in KeePass, the attackers had access to the hosts running on those ESXi servers and with this they could start a highly disruptive and efficient attack on hundreds of targets without needing to attack individual virtual machines. Lessons learned are many; however, the most important ones are to never blindly trust advertisements (this also applies to emails or other forms of messaging) and to not assume that OSS, although it is available to the public, is safe. It’s essential to ensure uncompromised trust in software and to know the software you use, be it commercial or OSS, know where it comes from and make sure that it is legit before you apply it to your own development or to your computer,” added Cipot.

Jason Soroko, Senior Fellow at Sectigo, adds more detail about the damage done by the ransomware attacks: “Among the secrets in the vault were the vSphere administrator password and the service account that Veeam used for backups. Using those credentials the attackers logged in to the vCenter web client, disabled multifactor prompts, and pushed a small ELF encryptor to every ESXi host through the normal vCenter maintenance channel. With vCenter under their control they could reach each datastore without needing guest access to individual virtual machines. They shut down the Veeam Backup and Replication virtual machine, deleted recent restore points, and then executed the encryptor through esxcli on every host. The payload traversed the VMFS volumes, rewrote the file headers, and left a ransom note that carried the same Cobalt Strike watermark previously observed in Black Basta incidents. When the hosts rebooted, every guest failed to start because its VMDK files were unreadable, giving the attackers a single decisive blast radius that covered production servers and their backups alike. The breach is a textbook identity attack. By turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys and service-account secrets that function as the organisation’s digital identities. Those stolen identities negated perimeter controls, neutralised Veeam backups and enabled hypervisor-level ransomware deployment.”

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, adds: “This incident highlights a critical risk in relying on open-source applications, especially when downloading them from unofficial or unverified sources. While open-source software can offer flexibility and transparency, it also presents unique attack surfaces. In this case, attackers were able to alter the source code of an open-source password manager and distribute a trojanized version that functioned normally while silently installing Cobalt Strike beacons and exporting the victim’s password database. Once the attackers gained access to credentials, they leveraged them to move laterally across the breached network. What this underscores is the growing role of identity in modern cyberattacks. Credential theft remains one of the most effective ways for attackers to gain initial access and escalate privileges. Once they have valid credentials – especially privileged ones – they can operate with near invisibility within a network. To mitigate these threats, individuals and organizations should use password managers that are built with zero-trust and zero-knowledge architectures, and always download software directly from the developer’s official website or a trusted app store. Implementing Privileged Access Management (PAM) helps limit the blast radius of an intrusion by enforcing least-privilege access and closely monitoring privileged account activity. Additionally, layered security controls like application whitelisting, Endpoint Detection and Response (EDR) and strong identity governance policies are essential in protecting against similar supply chain and credential-based attacks.”


Senior Correspondent at CPO Magazine