Cybersecurity firm WithSecure responded to a significant ransomware incident that revealed a sophisticated and ongoing supply chain attack targeting users of the popular open-source KeePass password manager.
The attack chain involved the development and propagation of a trojanized KeePass installer containing a previously undocumented malware loader, which delivered post-exploitation payloads and harvested credentials from password databases.
Supply Chain Compromise through KeePass
Threat actors behind the campaign meticulously modified the open-source KeePass source code, inserting custom malware into the application and its auxiliary tool, ShInstUtil.exe.
Unlike typical software trojanization, where malicious components are simply bundled alongside a legitimate installer, the attackers directly altered the application's core functionality.
This allowed the KeePass build to function as both a loader for Cobalt Strike beacons and an information stealer designed to exfiltrate contents of KeePass databases in cleartext, including usernames, passwords, and associated metadata.
The malicious KeePass installer was signed with valid, trusted code-signing certificates, making it virtually indistinguishable from legitimate versions to end users and traditional antivirus solutions. A valid signature only proves that the signer held a certificate the platform trusts, not that the signer is the KeePass project; the certificate subjects used in this campaign (listed in the IOC table below) are not the KeePass developer's, so checking the publisher name on the signature and comparing the installer's SHA-256 with the hashes published on the official KeePass download page still separates a genuine build from this one.
The attacker’s tactics included the setup of lookalike domains and acquisition of authentic-sounding certificates to boost credibility and evade both detection and suspicion during installation.
Initial access was gained through malvertising, leveraging search engine ads (notably on Bing and DuckDuckGo) to lure victims onto typo-squatted and spoofed KeePass-themed domains such as KeePass-info[.]aenys[.]com, keeppaswrd[.]com, and others.
Unsuspecting users downloading KeePass from these sources received the trojanized installer.
Once executed, the installer dropped modified binaries into the user’s %localappdata% directory, established persistence via autorun registry keys, and covertly deployed an encrypted Cobalt Strike payload disguised as a JPG file.
The loader abused the callback parameter of the Windows EnumFontsW API: the routine that decrypts and loads the Cobalt Strike beacon was supplied as the enumeration callback, so the beacon ran in memory without a conventional thread-creation or injection sequence, minimizing the forensic footprint and resisting sandbox detection.
The beacon established command and control over HTTPS, communicating with attacker-controlled domains such as arch-online[.]com and aicmas[.]com.
Credential Dumping and Stealthy Exfiltration
Upon opening a KeePass database, the malicious build automatically extracted stored credentials, exporting them into a CSV file within the local application data directory.
Although direct automatic exfiltration was not observed, the attackers could remotely retrieve these files via active Cobalt Strike sessions.
Earlier variants of the KeePass malware also supported exfiltration to attacker infrastructure, with clear evidence of development iterations to optimize stealth and success rates.
Notably, all attack elements were signed with legitimate digital certificates, some of which have since been revoked.
The actors demonstrated a high degree of operational security and persistence, with anti-analysis features and minimal code changes relative to the baseline KeePass builds, thereby evading most detection mechanisms.
Telemetry and threat intelligence indicate that these operations are linked to highly active Initial Access Brokers (IABs), who have previously facilitated large-scale ransomware campaigns, including those involving Black Basta and BlackCat affiliates.
The use of malvertising, supply chain attacks, and loader-as-a-service offerings points to a mature and scalable criminal infrastructure.
Domain registration, hosting, and certificate issuance practices further suggest overlap with other well-known malvertising operations, such as Nitrogen Loader and Rhadamanthys malware distribution.
WithSecure’s investigation identified multiple malicious KeePass installer variants over an eight-month period, underscoring the evolving nature of this threat.
The campaign highlights the growing risks associated with open-source software supply chains, the persistent effectiveness of malvertising, and the rapid commoditization of signed malware loaders in the cybercrime ecosystem.
Indicators of Compromise (IOCs)
Type | Indicator | Description
---|---|---
Malicious URL | hxxps://lvshilc[.]com/KeePass-2.56-Setup.exe | Trojanized KeePass installer
Malicious URL | hxxps://keeppaswrd[.]com/download.php | Payload distribution
Malicious URL | hxxps://arch-online[.]com/List/com2/9O29EO3IRSBB | Cobalt Strike C2 server
Malicious URL | hxxps://aicmas[.]com/List/com2/9O29EO3IRSBB | Cobalt Strike C2 server
Domain | KeePass-info[.]aenys[.]com | Malvertising landing page
Domain | keeppaswrd[.]com | Typosquat domain
Domain | arch-online[.]com | Cobalt Strike C2
Domain | aicmas[.]com | Cobalt Strike C2
File (SHA-256) | 0000cff6a3c7f7eebc0edc3d1e42e454ebb675e57d6fc1fd968952694b1b44b3 | KeePass-2.56-Setup.exe
File (SHA-256) | 0fc4397d28395974bba2823a1d2437b33793127b8f5020d995109207a830761b | ShInstUtil.exe
File (SHA-256) | f1c6d8e594f85cd2cb844a3e8a90509ea137a67d7ef3f1b68a7be17df6ccac74 | KeePass.exe
Certificate | S.R.L. INT-MCOM: 05c1f7dd747b1af79ac427a15a8b64ae | Signed malicious binaries
Certificate | MekoGuard Bytemin: 26A6819AC81B7A25BCE7D354 | Signed earlier variant
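An offline sweep that puts the indicators above to work, covering both the dropped-binary and CSV-export behaviour described under "Credential Dumping and Stealthy Exfiltration" and the C2 domains. This is an added example, not WithSecure's tooling or KeePass project code. The hashes and domains are the ones quoted in the table (lvshilc[.]com is taken from the installer URL); the DNS log format (last field is the queried name), the scan root being %LOCALAPPDATA%, and the sample log lines are assumptions constructed for the demonstration.

```python
"""Offline IOC sweep for the trojanized-KeePass campaign described above.

Added example, not WithSecure's or the KeePass project's code.  Indicators
come from the IOC table on this page; the DNS log layout, the scan root and
the sample log lines are constructed assumptions for the demonstration.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# SHA-256 IOCs as listed above, mapped to the file name they were seen as.
IOC_SHA256: Dict[str, str] = {
    "0000cff6a3c7f7eebc0edc3d1e42e454ebb675e57d6fc1fd968952694b1b44b3": "KeePass-2.56-Setup.exe",
    "0fc4397d28395974bba2823a1d2437b33793127b8f5020d995109207a830761b": "ShInstUtil.exe",
    "f1c6d8e594f85cd2cb844a3e8a90509ea137a67d7ef3f1b68a7be17df6ccac74": "KeePass.exe",
}

# Domain IOCs, kept defanged so the list is safe to copy around.
IOC_DOMAINS_DEFANGED = [
    "KeePass-info[.]aenys[.]com", "keeppaswrd[.]com", "lvshilc[.]com",
    "arch-online[.]com", "aicmas[.]com",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging ("[.]", "hxxp") so an indicator can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_hit(fqdn: str) -> Optional[str]:
    """Return the IOC domain that fqdn equals or sits under, else None.

    Walking the label suffixes (cdn.arch-online.com -> arch-online.com) catches
    arbitrary subdomains without a regex per indicator; the bare TLD is never tested.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return None


# Constructed sample log: "<timestamp> <client> <queried name>", one query per line.
SAMPLE_DNS_LOG = """\
2025-05-19T09:12:41Z 10.0.0.12 keepass.info
2025-05-19T09:13:05Z 10.0.0.12 keepass-info.aenys.com
2025-05-19T09:20:17Z 10.0.0.12 login.microsoftonline.com
2025-05-19T09:41:58Z 10.0.0.12 cdn.arch-online.com.
"""


def find_dns_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (queried name, matching IOC) for every log line that hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        qname = fields[-1].rstrip(".")  # assumed layout: queried name is the last field
        ioc = domain_hit(qname)
        if ioc:
            hits.append((qname, ioc))
    return hits


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_local_appdata(root: Path, bad_hashes: Dict[str, str] = IOC_SHA256):
    """Walk root (intended: %LOCALAPPDATA%) and report two things.

    1. Files whose SHA-256 matches a known-bad hash (the dropped binaries).
    2. Every .csv file, because the trojanized build writes the database export
       as CSV under the local application data directory.  That is a review-me
       heuristic, not proof of compromise.
    """
    hash_hits, csv_files = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in bad_hashes:
            hash_hits.append((str(path), bad_hashes[digest]))
        if path.suffix.lower() == ".csv":
            csv_files.append(str(path))
    return hash_hits, csv_files


if __name__ == "__main__":
    for qname, ioc in find_dns_hits(SAMPLE_DNS_LOG):
        print(f"DNS hit: {qname} -> {ioc}")
    local = os.environ.get("LOCALAPPDATA")  # only set on Windows
    if local:
        bad, csvs = scan_local_appdata(Path(local))
        for p, name in bad:
            print(f"known-bad {name}: {p}")
        for p in csvs:
            print(f"review CSV export: {p}")
```

Point `scan_local_appdata` at a mounted disk image or a collected %LOCALAPPDATA% tree during triage; the hash list is deliberately a parameter so the same walk can be reused as new variants (the report counts several over eight months) are hashed. The domain matcher is suffix-based on purpose: the campaign's C2 URLs sit on paths under the listed domains, and any host under them should raise the same alert.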