KeePass trojanised in advanced malware campaign

Authors

Tim West

Mohammad Kazem Hassan Nejad

Senior Threat Intelligence Researcher, WithSecure


In 2025, WithSecure discovered a trojanised and signed version of the open-source password manager KeePass, used to deliver malware and exfiltrate credentials.

Named KeeLoader, this modified installer was signed with trusted certificates and distributed via malvertising and typo-squat domains to victims across Europe.

In this campaign, KeePass’s actual source code was altered, allowing attackers to steal user credentials and deploy Cobalt Strike beacons for deeper network access. This reflects growing sophistication in attacker tradecraft, blending watering-hole-style attacks with credential theft and post-exploitation tools.

The operation is linked to a prolific Initial Access Broker, likely historically connected to (now seemingly defunct) BlackBasta ransomware, and highlights the growing sophistication of “as-a-service” cybercrime models.

This case underscores the risks of trusted software being hijacked and weaponised. It calls for stronger software integrity checks, better ad platform oversight, and enhanced detection of stealthy loaders.

The full research paper, available for download here, offers technical analysis, indicators of compromise, and actionable defence guidance.
