Subj : Hackers are distributing To : All From : Mike Powell Date : Tue May 20 2025 08:55 am Hackers are distributing a cracked password manager that steals data, deploys ransomware Date: Tue, 20 May 2025 13:17:00 +0000 Description: A tainted version of KeePass is making rounds so be careful what you're downloading. FULL STORY Cybercriminals are distributing a tainted version of a popular password manager, through which theyre able to steal data and deploy ransomware . This is according to security researchers WithSecure Threat Intelligence, who recently observed one such attack in the wild. In an in-depth analysis published recently, the researchers said a client of theirs downloaded what they thought was KeePass - a popular password manager. They clicked on an ad from the Bing advertising network, and landed on a page that looked exactly like the KeePass website. The site, however, was a typosquatted version of the legitimate password manager. Since KeePass is open-source, the attackers kept all of the legitimate tools functionalities, but with a little extra Cobalt Strike on the side. Purview and Defender The fake password manager exported all of the saved passwords in a cleartext database, which was later relayed to the attackers through the Cobalt Strike beacon. The attackers then used the login credentials to access the network and deploy ransomware, which is when WithSecure was brought in. WithSecure said that the campaign has the fingerprints of an initial access broker (IAB), a type of hacking group that obtains access to organizations and then sells it to other hacking collectives. This particular group is most likely associated with Black Basta, an infamous ransomware operator, and is now being tracked as UNC4696. This group was previously linked to Nitrogen Loader campaigns, BleepingComputer reported. Older Nitrogen campaigns were linked to the now defunct BlackCat/ALPHV group. So far, this was the only observed attack, but that doesnt mean there arent others, WithSecure warns: "We are not aware of any other incidents (ransomware or otherwise) using this Cobalt Strike beacon watermark this does not mean it has not occurred." The typosquatted website thats hosting the malicious KeePass version was still up and running at this time, and was still serving malware to unsuspecting users. In fact, WithSecure said that behind the site was extensive infrastructure, created to distribute all sorts of malware posing as legitimate tools. Via BleepingComputer ====================================================================== Link to news story: https://www.techradar.com/pro/security/hackers-are-distributing-a-cracked-pass word-manager-that-steals-data-deploys-ransomware $$ --- SBBSecho 3.20-Linux * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105) .