
Malicious KeePass Installer Used to Deploy Ransomware on VMware ESXi

A new cyberattack campaign is leveraging a trojanized version of the KeePass password manager to deploy ransomware on VMware ESXi servers. The malware, dubbed KeeLoader, was spread through malicious Bing ads that redirected users to typo-squatted domains like keeppaswrd[.]com and keegass[.]com. These fake websites closely resembled the legitimate KeePass download page, tricking users into downloading a weaponized installer.

KeeLoader retained full KeePass functionality but contained hidden payloads. It was signed with a valid certificate to appear trustworthy. Once installed, it deployed a Cobalt Strike beacon—disguised as an encrypted JPG file—and created persistence using registry keys. As users accessed their KeePass databases, the malware exported credentials in plain text to the local app data folder as .kp files.

The beacon’s unique watermark ties it to an Initial Access Broker linked to Black Basta ransomware. The campaign facilitated lateral movement and ransomware deployment on ESXi hosts. Infrastructure analysis revealed overlaps with both BlackCat/ALPHV and Akira, suggesting collaboration or ransomware-as-a-service usage.

Attackers also impersonated other brands like WinSCP and Phantom Wallet using Namecheap-registered domains hosted via Cloudflare. This campaign demonstrates how trusted tools can be used as attack vectors and highlights the dangers of malvertising and supply chain compromise in modern ransomware operations.
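The two campaign artefacts above, the typo-squatted download domains and the plaintext .kp credential exports in Local AppData, are the kind of thing a defender can hunt for in existing telemetry. The script below is an added example, not code from the article or from any vendor it mentions; it runs over constructed proxy log lines and file-write paths, and the log format, the similarity threshold and the regex are assumptions made for the example.

```python
"""Triage helpers for the KeeLoader campaign: lookalike domains and .kp exports."""
import re
from difflib import SequenceMatcher

LEGIT_DOMAIN = "keepass.info"   # genuine KeePass download site
LOOKALIKE_THRESHOLD = 0.7       # tuning parameter (assumption for this example)

# Constructed proxy log lines; assumed format: "<ts> user=<u> dst=<host> path=<p>".
SAMPLE_PROXY_LOG = """\
2025-05-19T10:02:11Z user=alice dst=keepass.info path=/download.html
2025-05-19T10:05:43Z user=bob dst=keeppaswrd.com path=/KeePass-Setup.exe
2025-05-19T10:07:02Z user=carol dst=keegass.com path=/download
2025-05-19T10:09:55Z user=dave dst=example.org path=/index.html
"""

# Constructed file-write events (EDR-style), one absolute Windows path per line.
SAMPLE_FILE_EVENTS = """\
C:\\Users\\bob\\AppData\\Local\\db.kp
C:\\Users\\bob\\AppData\\Local\\Temp\\setup.log
C:\\Users\\carol\\Documents\\Passwords.kdbx
"""

def registrable_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'keegass' for keegass.com (simplified: one-label TLD)."""
    return domain.lower().rsplit(".", 1)[0]

def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the host is not the real site but its label resembles the brand."""
    if domain.lower() == legit:
        return False
    ratio = SequenceMatcher(None, registrable_label(domain), registrable_label(legit)).ratio()
    return ratio >= LOOKALIKE_THRESHOLD

def lookalike_requests(log: str) -> list:
    """(user, dst) for every request whose destination looks like a KeePass typosquat."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"user=(\S+) dst=(\S+)", line)
        if m and is_lookalike(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# .kp files anywhere under a user's Local AppData folder, the export location the article names.
KP_EXPORT = re.compile(r"\\AppData\\Local\\.*\.kp$", re.IGNORECASE)

def kp_exports(events: str) -> list:
    """Paths of .kp files written under Local AppData."""
    return [p for p in events.splitlines() if KP_EXPORT.search(p)]

if __name__ == "__main__":
    print(lookalike_requests(SAMPLE_PROXY_LOG))
    print(kp_exports(SAMPLE_FILE_EVENTS))
```

The similarity ratio is a coarse heuristic; tune the threshold against your own allowlist and review hits by hand rather than blocking on the score alone.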

#KeePass #KeeLoader #Ransomware #CyberSecurity #VMware #ESXi #MalwareAlert #CobaltStrike #SupplyChainAttack #InfoSec #Malvertising #CredentialTheft #BlackBasta #BlackCat #CyberAttack #HackingNews #ITSecurity #SecurityBreach #InitialAccessBroker #FakeSoftware

FIND US AT
https://dailysecurityreview.com/

FOLLOW US ON SOCIAL
Get updates or reach out to us on our social media profiles!
Twitter: https://twitter.com/securitydailyr
Facebook: https://www.facebook.com/profile.php?id=100086307206534
LinkedIn: https://www.linkedin.com/company/security-daily-review

Video "Malicious KeePass Installer Used to Deploy Ransomware on VMware ESXi" from the Security Daily Review channel