WithSecure uncovers trojanised KeePass campaign in ransomware investigation

WithSecure media relations

WithSecure PR

WithSecure’s Incident Response and Threat Intelligence teams have uncovered a sophisticated cyber attack leveraging a trojanised version of the popular open-source password manager KeePass, during an investigation into a ransomware incident in February 2025.

WithSecure urges organizations to remain vigilant against supply chain compromises, carefully verify downloads, and monitor for unusual behavior around credential stores.

The investigation revealed that attackers modified KeePass source code and signed it with legitimate certificates, creating a trusted but malicious version distributed via search engine malvertising. This altered KeePass installer secretly exfiltrated password database contents, while also acting as a delivery mechanism for post-exploitation tools like Cobalt Strike beacons.

WithSecure linked the malicious infrastructure to a prolific Initial Access Broker (IAB) associated with numerous ransomware attacks over the past two years. Their findings highlight that the campaign, active for at least eight months, likely affected a wide range of victims worldwide – many of whom remain unaware of the breach.

“Attacks such as this pose a real challenge for network defenders. Undetected malware, propagated through adverts on trusted search engines, evades both human suspicion and technical controls,” said Timothy West, Director, Threat Intelligence & Outreach at WithSecure. “The sophistication and stealth of this campaign demonstrates the evolving capability of ransomware actors and underlines the efficiency of the techniques employed when targeting European organizations to great effect.”

Further analysis uncovered a broader criminal ecosystem deploying fake software downloads through malvertising, targeting multiple legitimate brands beyond KeePass. The attack infrastructure and methods bear links to ransomware groups historically tied to Black Basta and BlackCat, though final attribution remains complex due to the increasing adoption of ‘as-a-service’ criminal models.

“There is almost certainly a significant number of victims related to this KeePass campaign, which we believe to be undocumented, and ongoing,” West concluded.

Read the full report here: https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign

Why organisations choose WithSecure

WithSecure combines advanced technology with genuine human expertise to protect what matters most. Whether you are securing a growing business or a complex organisation, we work alongside your team to deliver outcomes that last.

The Benefits

  • Fast, frictionless deployment. Our single-agent setup minimises disruption and delivers effective protection from day one.
  • A unified platform that scales with you. Endpoint, identity, cloud, and collaboration security in one place – no unnecessary complexity, no tool sprawl.
  • Compliance built in, not bolted on. NIS2, GDPR, and DORA alignment are embedded in the platform, turning regulatory requirements into a competitive advantage.
  • Round-the-clock expertise, whenever you need it. Every alert is handled by a security professional who understands the full context of your environment.
  • Security grounded in European values. Established in Finland in 1988 and operating fully under EU jurisdiction, our commitment to privacy and trust is structural, not cosmetic.
  • From reactive to proactive. Exposure Management and AI-powered threat detection identify and address risks before they become incidents.
  • A long-term security partner. We begin with a focused conversation and remain invested in your organisation’s security posture well beyond initial onboarding.