KeePass trojanised in advanced malware campaign

In 2025, WithSecure discovered a trojanised and signed version of the open-source password manager KeePass, used to deliver malware and exfiltrate credentials. Named KeeLoader, this modified installer was signed with trusted certificates and distributed via malvertising and typo-squat domains to victims across Europe.

Tim West & Mohammad Kazem Hassan Nejad

08.05.2025

Tim: LinkedIn | Mohammad: LinkedIn

In this campaign, KeePass’s actual source code was altered, allowing attackers to steal user credentials and deploy Cobalt Strike beacons for deeper network access. This marks growing sophistication in attacker tradecraft, blending watering-hole-style attacks with credential theft and post-exploitation tools.

The operation is linked to a prolific Initial Access Broker, likely historically connected to (now seemingly defunct) BlackBasta ransomware, and highlights the growing sophistication of “as-a-service” cybercrime models.

This case underscores the risks of trusted software being hijacked and weaponised. It calls for stronger software integrity checks, better ad platform oversight, and enhanced detection of stealthy loaders.
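One concrete form of the "stronger software integrity checks" called for above is comparing a downloaded installer's SHA-256 against a checksum list obtained from the project's own site rather than from the page that served the download. Because KeeLoader was signed with trusted certificates, a valid code signature alone does not separate it from a genuine build; a pinned hash from an independent channel does. The following is an added example written for this page (not WithSecure's tooling and not KeePass project code); the installer bytes, the filename and the manifest are constructed placeholders, and the manifest format is assumed to be the `sha256sum`-style `<digest>  <filename>` layout.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for a genuine installer and for a copy
# that has been modified after the fact (as a trojanised build would be).
GOOD_INSTALLER = b"KeePass-Setup.exe :: constructed placeholder for the genuine installer bytes"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\n;; constructed placeholder for injected loader code"


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}.

    Blank lines and '#' comments are ignored; a malformed line raises ValueError
    so a corrupted manifest is never silently treated as an empty one.
    """
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, filename = parts
        # sha256sum marks binary-mode entries with a leading '*' on the filename
        manifest[filename.lstrip("*")] = digest.lower()
    return manifest


def verify_against_manifest(filename: str, data: bytes, manifest: dict) -> bool:
    """True only if the file's SHA-256 matches the manifest entry for its name.

    An unknown filename is a failure, not a pass: a renamed or extra installer
    is never accepted by default. The comparison is constant-time so the check
    itself does not reveal how many digest characters matched.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed manifest, standing in for a checksum list fetched from the
# project's own site, independently of the page that served the download.
PUBLISHED_MANIFEST = (
    "# constructed checksum list\n"
    f"{sha256_hex(GOOD_INSTALLER)}  KeePass-Setup.exe\n"
)


def check_downloads() -> dict:
    """Run the check over the constructed samples and return the verdicts."""
    manifest = parse_checksum_manifest(PUBLISHED_MANIFEST)
    return {
        "genuine": verify_against_manifest("KeePass-Setup.exe", GOOD_INSTALLER, manifest),
        "tampered": verify_against_manifest("KeePass-Setup.exe", TAMPERED_INSTALLER, manifest),
        "unlisted": verify_against_manifest("KeePass-Setup-2.exe", GOOD_INSTALLER, manifest),
    }


if __name__ == "__main__":
    for name, ok in check_downloads().items():
        print(f"{name}: {'OK' if ok else 'REJECT'}")
```

The check only means something when the manifest comes from a source the attacker does not control: a typo-squat domain that serves the trojanised installer can just as easily serve a matching checksum, which is why the reference hash must be retrieved from the project's real site or another channel the download page cannot influence.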

Download the full research paper here, which offers technical analysis, indicators of compromise, and actionable defence guidance.