Authors
Tim West
Mohammad Kazem Hassan Nejad
Senior Threat Intelligence Researcher, WithSecure
Download report/s
In 2025, WithSecure discovered a trojanised and validly signed version of the open-source password manager KeePass, used to deliver malware and exfiltrate credentials.
Named KeeLoader, this modified installer was signed with certificates that Windows trusts and was distributed via malvertising and typo-squatted domains to victims across Europe.
In this campaign, KeePass's actual source code was altered, allowing the attackers to steal user credentials and to deploy Cobalt Strike beacons for deeper network access. This marks a step up in attacker tradecraft: watering-hole-style lures (malvertised and look-alike download sites) combined with credential theft and post-exploitation tooling.
The operation is linked to a prolific Initial Access Broker, likely historically connected to the (now seemingly defunct) BlackBasta ransomware group, and highlights the maturity of "as-a-service" cybercrime models.
This case underscores the risk of trusted software being hijacked and weaponised. It calls for stronger software integrity checks (verifying who signed the binary and that its hash matches the published one, not merely that a valid signature is present), better ad-platform oversight, and improved detection of stealthy loaders.
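One concrete form of the integrity check the report calls for, written here as an added example for Windows PowerShell (it is not code from WithSecure or the KeePass project): the installer is rejected unless its Authenticode chain is valid, its signer certificate matches a pinned thumbprint, and its SHA-256 matches a hash obtained outside the download channel. The point of KeeLoader is that a "Valid" signature status alone would have passed the trojanised build. The thumbprint and hash values below are placeholders (assumptions) to be filled in from a source you trust independently of the site you downloaded from.

```powershell
# Added example, not from the WithSecure report or the KeePass project.
# Usage: .\Test-Installer.ps1 -Path .\KeePass-Setup.exe `
#            -ExpectedThumbprint <pinned signer thumbprint> `
#            -ExpectedSha256 <vendor-published SHA-256>
param(
    [Parameter(Mandatory)] [string] $Path,
    # Placeholders: pin these from an out-of-band source, never from the download page itself.
    [string] $ExpectedThumbprint = 'REPLACE-WITH-PINNED-SIGNER-THUMBPRINT',
    [string] $ExpectedSha256     = 'REPLACE-WITH-VENDOR-PUBLISHED-SHA256'
)

function Test-InstallerIntegrity {
    param(
        [string] $Path,
        [string] $ExpectedThumbprint,
        [string] $ExpectedSha256
    )

    $problems = @()

    # 1. Authenticode chain must be Valid, not just present (NotSigned, HashMismatch,
    #    UnknownError etc. all fail here).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)', expected 'Valid'"
    }

    # 2. Pin the signer. A valid signature from some other company is exactly what a
    #    re-signed, trojanised installer presents, so "Valid" on its own proves little.
    $signerThumb   = $null
    $signerSubject = '<none>'
    if ($sig.SignerCertificate) {
        $signerThumb   = $sig.SignerCertificate.Thumbprint
        $signerSubject = $sig.SignerCertificate.Subject
    }
    if ($signerThumb -ne $ExpectedThumbprint) {
        $problems += "Signer '$signerSubject' (thumbprint '$signerThumb') is not the pinned publisher"
    }

    # 3. Pin the file hash against the value published by the vendor. PowerShell's
    #    string -ne is case-insensitive, so upper/lower-case hex both compare correctly.
    $actualHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actualHash -ne $ExpectedSha256) {
        $problems += "SHA-256 '$actualHash' does not match the published hash"
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $signerSubject
        Sha256   = $actualHash
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-InstallerIntegrity -Path $Path `
                                  -ExpectedThumbprint $ExpectedThumbprint `
                                  -ExpectedSha256 $ExpectedSha256
$result | Format-List

# Non-zero exit so the script can gate an automated deployment step.
if (-not $result.Trusted) { exit 1 }
```

Because KeeLoader reached victims through malvertising and look-alike domains, the download page cannot be the source of the expected hash or signer: take them from a previously verified release, the vendor's own site reached by a known-good URL, or an internal allowlist maintained by your packaging team.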
Download the full research paper here, which offers technical analysis, indicators of compromise, and actionable defense guidance.
Source: https://labs.withsecure.com/publications/darkgate-rises