Trojanized Software: How Trusted Tools Like KeePass Are Weaponized


When the 3CX desktop app was trojanized in a 2023 supply-chain attack, it caught the softphone vendor entirely off guard. In computing, not everything is what it appears to be on the screen. A familiar icon can hide a sting, and a routine download can be malware in disguise.

Threat actors increasingly weaponize trusted software to deliver ransomware. This trend was captured in recent research by WithSecure’s Threat Intelligence team, which found that trojanized versions of the popular open-source password manager KeePass had been distributed to victims for at least eight months. The KeePass project itself was not breached; the attackers built and signed their own modified copies.

The spread of malware by cybercriminals is nothing new, but the trojanization of trusted applications deserves particular concern, because it turns the user’s own good judgement (“I know this program”) into the attack vector.

Key Takeaways

  • Trusted software like KeePass is being weaponized by cybercriminals through trojanized versions.
  • WithSecure discovered that attackers altered KeePass’s source code and spread it via Bing malvertising.
  • These fake ads led users to realistic-looking download pages, tricking them into installing malware.
  • The malware used signed binaries and stealthy payloads to evade detection.
  • Users should avoid downloading software from unverified ads and rely on trusted sources.

What Is Trojanized Software?

Trojanized software is legitimate software that has been maliciously modified to include a Trojan horse, a type of malware that performs hidden, unauthorized actions on a computer system. A trojanized application may appear to work exactly as expected, but in the background it can steal your data, install additional malware, give attackers remote access, or spy on your activity.

How Trusted Tools Like KeePass Are Trojanized

Software is complex. Even a modest application contains thousands or millions of lines of code, and no user can inspect all of it. A build that works exactly as expected gives no visible hint of what else it is doing.

With open-source software such as KeePass, the barrier for an attacker is lower still. Because the source is freely available, anyone can modify it, recompile it, and produce a build that is indistinguishable from the original in look and behaviour. Openness itself is not the weakness; the weakness is installing a build without verifying where it came from and who signed it.

Trojanized KeePass was at the center of a malicious campaign uncovered during a February 2025 ransomware investigation by WithSecure’s incident response team. The report revealed that the trojanized password manager had been used to facilitate a ransomware attack on the victim organization’s VMware ESXi servers.

Unlike previous attacks where malicious elements were bundled with legitimate software, WithSecure researchers say this campaign went further by altering the actual source code of KeePass.

According to their findings, the modified version was signed with trusted certificates and distributed through malvertising campaigns on Bing, leading to installations across several WithSecure customers.

Timothy West, Director, Threat Intelligence & Outreach at WithSecure, said:

“Attacks such as this pose a real challenge for network defenders. Undetected malware, propagated through adverts on trusted search engines, evades both human suspicion and technical controls.”

WithSecure linked the Cobalt Strike watermarks used in this campaign to an Initial Access Broker (IAB) associated with Black Basta, a ransomware group behind several high-profile breaches over the past two years.

“There is almost certainly a significant number of victims related to this KeePass campaign, which we believe to be undocumented and ongoing,” West added.

How Cybercriminals Spread This Malicious Software

For a successful Trojan campaign, cybercriminals don’t need to build malware from scratch; they can wrap it in the skin of software you already trust and then promote it aggressively through legitimate-looking channels like ads and certificates.

According to WithSecure’s report, the attackers combined several techniques to get the trojanized KeePass onto as many machines as possible. Here’s how they did it:

Brand Trust Abuse

Trojanized KeePass builds looked and behaved like the real application. This abuse of user trust makes the malware harder to detect and more likely to be installed willingly.

Malvertising

Threat actors often pay for search engine ads that lead users to fake download pages posing as legitimate software sites.

WithSecure’s researchers found that the malicious KeePass installer was initially spread through Bing advertisements. These ads appeared above genuine search results, boosting visibility and increasing the chances that users would click and install the trojanized software.

Chris Duggan, Head of Threat Informed Defence at a FTSE 100 company, posted on X highlighting some of the tactics the threat actors used in the KeePass campaign.

Signed Binaries for Legitimacy

To bypass security filters, attackers may sign the trojanized binaries with valid digital certificates.

The WithSecure team found that multiple variants of the trojanized build, which it named KeeLoader, were signed with legitimate certificates and spread through typo-squatting domains such as keeppaswrd[.]com, keegass[.]com, and KeePass[.]me.

This tactic reduced antivirus detections and reinforced users’ confidence that the download was genuine. A valid signature only proves that someone obtained a certificate; it says nothing about whether that someone is the publisher you expected.

Stealthy Payloads

The trojanized KeePass, dubbed KeeLoader, acts as a loader for Cobalt Strike Beacon, a common post-exploitation tool. Because the Beacon is staged in memory and injected into a process rather than written to disk, it leaves few forensic artefacts beyond the installer itself.

Long-Term Infrastructure

WithSecure found that the trojanized KeePass ad campaign ran undetected for at least eight months, supported by infrastructure tied to an Initial Access Broker. That points to deliberate planning and to reuse of the same access infrastructure across multiple ransomware attacks.
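Two of the tactics above, lookalike download domains and validly signed but untrustworthy binaries, are things a defender can hunt for. The Python script below is an added example written for this article; it is not WithSecure’s tooling or KeePass project code. It classifies hosts in a constructed proxy log as official, lookalike or unrelated, flags installer downloads from the lookalike ones (the three domains named in the report are reused as test cases, everything else is made up), and reviews a constructed binary inventory to show that a valid Authenticode signature is not the same thing as the expected publisher. The expected signer name and the pinned SHA-256 value are placeholders; take the real values from the KeePass project before using this.

```python
"""Hunt a constructed proxy log and binary inventory for signs of the trojanized-KeePass
campaign. Added example for this article, not WithSecure's or the KeePass project's code;
only the three lookalike domains come from the report, everything else is made up."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "keepass.info"   # the real project site
BRAND = "keepass"
# Assumptions (placeholders): the publisher named on the official installer's Authenticode
# signature, and the SHA-256 of the official build. Take the real values from the project.
EXPECTED_SIGNER = "CN=Official KeePass Publisher (assumed)"
KNOWN_GOOD_SHA256 = {"00" * 32}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from the brand is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a host name."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) == OFFICIAL_DOMAIN:   # crude eTLD+1, fine for these TLDs
        return "official"
    name = labels[-2] if len(labels) >= 2 else labels[0]
    # Three cheap heuristics that together cover the report's domains: brand under another
    # TLD (keepass.me), one or two edits (keegass), same first four letters plus junk (keeppaswrd).
    if BRAND in name or edit_distance(name, BRAND) <= 2 or (
            name[:4] == BRAND[:4] and len(name) >= len(BRAND)):
        return "lookalike"
    return "unrelated"

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-02-10T09:14:03Z 10.0.0.17 GET https://keepass.info/download.html 200
2025-02-10T09:15:41Z 10.0.0.23 GET https://www.bing.com/aclick?ld=constructed 302
2025-02-10T09:15:42Z 10.0.0.23 GET https://keeppaswrd.com/KeePass-Setup.exe 200
2025-02-10T10:02:55Z 10.0.0.31 GET https://keegass.com/download/KeePass-Setup.exe 200
2025-02-10T10:30:12Z 10.0.0.44 GET https://keepass.me/KeePass-Setup.exe 200
2025-02-10T10:45:00Z 10.0.0.52 GET https://cdn.example.org/files/KeePass-Setup.exe 200
""".splitlines()
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
INSTALLER_RE = re.compile(r"\.(exe|msi|zip)$", re.IGNORECASE)

def hunt_proxy_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, host, reason) for suspicious installer downloads."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                   # skip lines that do not parse
        _ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path
        if not INSTALLER_RE.search(path):
            continue                                   # only downloads matter here
        kind = classify_domain(host)
        if kind == "lookalike":
            findings.append((client, host, "installer from KeePass lookalike domain"))
        elif kind == "unrelated" and BRAND in path.lower():
            findings.append((client, host, "KeePass-named installer from third-party host"))
    return findings

@dataclass
class Binary:
    path: str
    signature_valid: bool   # what the OS signature verifier reported
    signer: str             # subject of the leaf certificate
    sha256: str

def review_binary(b: Binary) -> list[str]:
    """Valid signature != trusted publisher; require the expected signer or a pinned hash."""
    if BRAND not in re.split(r"[\\/]", b.path)[-1].lower():
        return []                                      # not a KeePass-looking file
    if b.sha256 in KNOWN_GOOD_SHA256:
        return []                                      # exact pinned release build
    problems = ["hash not in pinned release list"]
    if not b.signature_valid:
        problems.append("unsigned or broken signature")
    elif b.signer != EXPECTED_SIGNER:
        problems.append(f"validly signed, but by an unexpected publisher: {b.signer}")
    return problems

# Constructed inventory: genuine build, stranger-signed build, unsigned build, unrelated file.
SAMPLE_BINARIES = [
    Binary(r"C:\Users\a\Downloads\KeePass-Setup.exe", True, EXPECTED_SIGNER, "00" * 32),
    Binary(r"C:\Users\b\Downloads\KeePass-Setup.exe", True, "CN=Some Shell Company Ltd", "11" * 32),
    Binary(r"C:\Users\c\Downloads\KeePass-Setup.exe", False, "", "22" * 32),
    Binary(r"C:\Users\d\Downloads\notepad.exe", False, "", "33" * 32),
]

if __name__ == "__main__":
    for client, host, reason in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {reason}")
    for b in SAMPLE_BINARIES:
        print(b.path, review_binary(b))
```

Run it directly to print the findings. The edit-distance and prefix heuristics are deliberately loose: they are for hunting, not blocking, and will produce false positives on unrelated “keep…” names that an analyst then triages. The binary review deliberately treats “validly signed by someone else” as a finding, which is exactly the case the signed-binary tactic above relies on slipping past.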

How to Safeguard Against Trojanized Software

Trojans pose a big threat to computer systems due to their deceptive nature. To protect yourself, we’ve summarized a simple checklist to follow as recommended by Kaspersky security experts.

  1. Before opening any email attachment, verify the sender’s identity.
  2. Regularly install security updates for your operating system and all installed applications.
  3. Avoid enabling macros in Word and Excel files unless necessary, as they can execute malicious code.
  4. Refrain from clicking on links from unknown or untrusted sources.
  5. Avoid downloading programs from unsafe sources. On mobile, stick to Google Play or the Apple App Store.
  6. Install a reputable antivirus program and keep it updated.
  7. Ensure that your firewall is always active if you have one in place.
  8. Be skeptical of free software, especially if it seems too good to be true.

The Bottom Line

Don’t trust advertisements blindly. That is probably the biggest lesson from the trojanized KeePass campaign.

The WithSecure research shows that Trojans remain as serious a threat as any headline-grabbing technique, from DDoS and man-in-the-middle attacks to zero-day exploits. The threat actors’ use of KeePass shows that even the most trusted applications can be turned against their users.

As a computer user, install software only from sources you trust, and when a download is signed, check that the signer is the publisher you expected rather than merely that the signature is valid. Last but not least, think twice before clicking on advertisements on search engines.

FAQs

What is Trojan software?

Why do hackers use Trojans?

What measures can users put in place to protect themselves from a Trojan virus?

Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.
