TZUTC: -0500
MSGID: 1135.consprcy@1:2320/105 2c91c471
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
Hackers are distributing a cracked password manager that steals data, deploys
ransomware

Date:
Tue, 20 May 2025 13:17:00 +0000

Description:
A tainted version of KeePass is making rounds so be careful what you're
downloading.

FULL STORY

Cybercriminals are distributing a tainted version of a popular password
manager, through which theyre able to steal data and deploy ransomware . This
is according to security researchers WithSecure Threat Intelligence, who
recently observed one such attack in the wild. 

In an in-depth analysis published recently, the researchers said a client of
theirs downloaded what they thought was KeePass - a popular password manager.
They clicked on an ad from the Bing advertising network, and landed on a page
that looked exactly like the KeePass website. 

The site, however, was a typosquatted version of the legitimate password
manager. Since KeePass is open-source, the attackers kept all of the
legitimate tools functionalities, but with a little extra Cobalt Strike on 
the side. 

Purview and Defender

The fake password manager exported all of the saved passwords in a cleartext
database, which was later relayed to the attackers through the Cobalt Strike
beacon. The attackers then used the login credentials to access the network
and deploy ransomware, which is when WithSecure was brought in. 

WithSecure said that the campaign has the fingerprints of an initial access
broker (IAB), a type of hacking group that obtains access to organizations 
and then sells it to other hacking collectives. This particular group is most
likely associated with Black Basta, an infamous ransomware operator, and is
now being tracked as UNC4696. 

This group was previously linked to Nitrogen Loader campaigns,
BleepingComputer reported. Older Nitrogen campaigns were linked to the now
defunct BlackCat/ALPHV group. 

So far, this was the only observed attack, but that doesnt mean there arent
others, WithSecure warns: "We are not aware of any other incidents 
(ransomware or otherwise) using this Cobalt Strike beacon watermark  this 
does not mean it has not occurred." 

The typosquatted website thats hosting the malicious KeePass version was 
still up and running at this time, and was still serving malware to
unsuspecting users. In fact, WithSecure said that behind the site was
extensive infrastructure, created to distribute all sorts of malware posing 
as legitimate tools. 

 Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/hackers-are-distributing-a-cracked-pass
word-manager-that-steals-data-deploys-ransomware

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426