WithSecure™ Uncovers Trojanised KeePass Campaign in Ransomware Investigation
Press Release | May 12, 2025

Helsinki, Finland – May 12, 2025: WithSecure’s Incident Response and Threat Intelligence teams have uncovered a sophisticated cyber attack leveraging a trojanised version of the popular open-source password manager KeePass, during an investigation into a ransomware incident in February 2025.
WithSecure urges organizations to remain vigilant against supply chain compromises, carefully verify downloads, and monitor for unusual behavior around credential stores.
The investigation revealed that attackers modified KeePass source code and signed it with legitimate certificates, creating a trusted but malicious version distributed via search engine malvertising. This altered KeePass installer secretly exfiltrated password database contents, while also acting as a delivery mechanism for post-exploitation tools like Cobalt Strike beacons.
WithSecure linked the malicious infrastructure to a prolific Initial Access Broker (IAB) associated with numerous ransomware attacks over the past two years. Their findings highlight that the campaign, active for at least eight months, likely affected a wide range of victims worldwide – many of whom remain unaware of the breach.
“Attacks such as this pose a real challenge for network defenders. Undetected malware, propagated through adverts on trusted search engines, evades both human suspicion and technical controls,” said Timothy West, Director, Threat Intelligence & Outreach at WithSecure. “The sophistication and stealth of this campaign demonstrates the evolving capability of ransomware actors and underlines the efficiency of the techniques employed when targeting European organizations to great effect.”
Further analysis uncovered a broader criminal ecosystem deploying fake software downloads through malvertising, targeting multiple legitimate brands beyond KeePass. The attack infrastructure and methods bear links to ransomware groups historically tied to Black Basta and BlackCat, though final attribution remains complex due to the increasing adoption of 'as-a-service' criminal models.
“There is almost certainly a significant number of victims related to this KeePass campaign, which we believe to be undocumented, and ongoing,” West concluded.
Read the full report here: https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign
Our WithSecure Intelligence and Incident Response teams will be present at SPHERE – WithSecure's annual flagship event for cyber security – in Helsinki on May 21–22, 2025, to present insights from their work. More information: thesphere.org.
WithSecure™ media relations
Inari Anttila
+358438240090
About WithSecure™
WithSecure™, formerly F-Secure Business, is Europe's cyber security partner of choice. Trusted by IT service providers, MSSPs, and businesses worldwide, we deliver outcome-based cyber security solutions that protect mid-market companies. Committed to the European Way of data protection, WithSecure prioritizes privacy, data sovereignty, and regulatory compliance.
Boasting more than 35 years of industry experience, WithSecure™ has designed its portfolio to navigate the paradigm shift from reactive to proactive cyber security. In alignment with its commitment to collaborative growth, WithSecure™ offers partners flexible commercial models, ensuring mutual success across the dynamic cyber security landscape.
Central to WithSecure's™ cutting-edge offering is Elements Cloud, which seamlessly integrates AI-powered technologies, human expertise, and co-security services. Further, it empowers mid-market customers with modular capabilities spanning endpoint and cloud protection, threat detection and response, and exposure management.
WithSecure™ Corporation was founded in 1988, and is listed on the NASDAQ OMX Helsinki Ltd.