KeePass trojanised in advanced malware campaign - WithSecure™

2 min read Original article ↗

Tim West

Mohammad Kazem Hassan Nejad

Senior Threat Intelligence Researcher, WithSecure

In 2025, WithSecure discovered a trojanised, and signed version of the open-source password manager KeePass, used to deliver malware and exfiltrate credentials.

Named KeeLoader, this modified installer was signed with trusted certificates and distributed via malvertising and typo-squat domains to victims across Europe.

In this campaign, KeePass’s actual source code was altered, allowing attackers to steal user credentials and deploy Cobalt Strike beacons for deeper network access. This marks growing sophistication in attacker tradecraft —blending watering-hole style attacks with credential theft and post-exploitation tools.

The operation is linked to a prolific Initial Access Broker, likely historically connected to (now seemingly defunct) BlackBasta ransomware, and highlights the growing sophistication of “as-a-service” cybercrime models.

This case underscores the risks of trusted software being hijacked and weaponised. It calls for stronger software integrity checks, better ad platform oversight, and enhanced detection of stealthy loaders.

Download the full research paper here, which offers technical analysis, indicators of compromise, and actionable defense guidance.

Related Labs content

Find related content relating to this topic.

Publications

GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations

15

W/Labs

WithSecure uncovers Russia-nexus threat group using AI to target Ukraine and European organisations

Blog post

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT

Source: https://labs.withsecure.com/publications/darkgate-rises