Trojanized KeePass app versions facilitate ransomware compromise

BleepingComputer reports that several malicious builds of the open-source KeePass password manager, dubbed "KeeLoader", have been used for at least eight months to deliver Cobalt Strike beacons and credential stealers, and ultimately ransomware payloads, against targeted VMware ESXi systems. According to an analysis from WithSecure's Threat Intelligence team, KeeLoader was distributed through the still-operational keeppaswrd[.]com website, and running the trojanized program exposed not only the credentials a user typed in but also the contents of their KeePass database.

The campaign, which has been associated with the UNC4696 threat group linked to Nitrogen malware intrusions, was also found to rely on infrastructure hosting programs that spoof legitimate tools as well as credential-stealing phishing pages, with subdomains of aenys[.]com masquerading as WinSCP, DEX Screener, PumpFun, Sallie Mae, Phantom Wallet, and Woodforest Bank. Organizations and individuals have been urged to mitigate the threat by downloading software only from trusted sites.