Authors
Tim West
Mohammad Kazem Hassan Nejad
Senior Threat Intelligence Researcher, WithSecure
Download report/s
In 2025, WithSecure discovered a trojanised and signed version of the open-source password manager KeePass, used to deliver malware and exfiltrate credentials.
Named KeeLoader, this modified installer was signed with trusted certificates and distributed via malvertising and typosquatted domains to victims across Europe.
In this campaign, KeePass’s actual source code was altered, allowing attackers to steal user credentials and deploy Cobalt Strike beacons for deeper network access. This marks growing sophistication in attacker tradecraft, blending watering-hole-style attacks with credential theft and post-exploitation tools.
The operation is linked to a prolific Initial Access Broker, likely historically connected to the (now seemingly defunct) BlackBasta ransomware operation, and highlights the growing sophistication of “as-a-service” cybercrime models.
This case underscores the risks of trusted software being hijacked and weaponised. It calls for stronger software integrity checks, better ad platform oversight, and enhanced detection of stealthy loaders.
Download the full research paper here, which offers technical analysis, indicators of compromise, and actionable defence guidance.