# Malicious code hidden behind a password manager: trojanized KeePass used to deceive users and attack systems

## **Overview**

Recently, the **FPT Threat Intelligence** team has recorded a series of dangerous cyberattacks targeting **VMware ESXi** server systems. Hackers have created fake KeePass websites using Punycode techniques to generate domains that look identical to the official KeePass domain. These websites are promoted through Google Ads campaigns, making them appear high in search results, tricking users into downloading malware instead of the legitimate KeePass version.

When users install and use these fake password managers, hackers launch Cobalt Strike attacks, steal credentials, and eventually deploy ransomware on the compromised network. Experts have found several websites distributing fake password managers such as **keeppaswrd\[.\]com, keegass\[.\]com, and KeePass\[.\]me.**
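
The Punycode lookalike technique described above can be checked for on the defender's side by normalizing hostnames seen in DNS or proxy logs against the legitimate domain. The following is an added example, not code from the original post or from the FPT report; it assumes `keepass.info` is the legitimate domain (the page's own integrity link points there), and its confusables table is a small constructed subset of the Unicode confusables list, not the full table.

```python
import unicodedata

# Assumption: the legitimate domain is keepass.info.
LEGIT_HOST = "keepass.info"

# Constructed subset of Unicode confusables: Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
})

def to_ascii(host: str) -> str:
    """Encode each non-ASCII label as xn--<punycode>, i.e. the form the resolver sees."""
    return ".".join(
        lbl if lbl.isascii() else "xn--" + lbl.encode("punycode").decode("ascii")
        for lbl in host.lower().split("."))

def to_unicode(host: str) -> str:
    """Inverse of to_ascii: decode xn-- labels back to the glyphs a user sees in the URL bar."""
    return ".".join(
        lbl[4:].encode("ascii").decode("punycode") if lbl.startswith("xn--") else lbl
        for lbl in host.lower().split("."))

def skeleton(host: str) -> str:
    """Collapse lookalike glyphs: NFKD, drop combining marks, map confusables to Latin."""
    text = unicodedata.normalize("NFKD", to_unicode(host))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.translate(CONFUSABLES)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, legit: str = LEGIT_HOST) -> str:
    """Label a hostname from DNS/proxy logs relative to the legitimate domain."""
    ascii_host = to_ascii(host)
    if ascii_host == legit:
        return "legitimate"
    if skeleton(ascii_host) == legit:
        return "homoglyph"      # different code points, identical rendering
    sld, legit_sld = skeleton(ascii_host).split(".")[0], legit.split(".")[0]
    if sld == legit_sld:
        return "tld-swap"       # same name under another TLD, e.g. KeePass[.]me
    if levenshtein(sld, legit_sld) <= 2:
        return "typosquat"      # e.g. keegass: one substitution away
    return "unrelated"
```

The edit-distance rule is deliberately tight: `keeppaswrd` is four edits from `keepass` and is not caught by it, which is why the blocklisted domains in the IOC section still matter alongside this heuristic.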

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747878017670/d7bce0d3-9ebe-4593-a856-ae8a2e9eafbd.png align="center")

## **Campaign Objective**

* Steal internal credentials
    
* Establish covert entry points using Cobalt Strike
    
* Pave the way for other destructive activities like ransomware (especially ESXi)
    

## **Campaign Details**

1. **Distributed via malicious ads and fake domains**
    
    * Initially, hackers used malicious ad campaigns on search engines to direct users to fake KeePass websites, such as `keeppaswrd[.]com`, `keegass[.]com`, and `KeePass[.]me`. There, users are encouraged to download a fake version of KeePass, which is actually **KeeLoader**. The download is an installer containing the malware, named `KeePass-2.56-Setup.exe`.
        
        ![Fake KeePass site pushing trojanized installer](https://www.bleepstatic.com/images/news/malware/k/keepass/keepass-iab/keepass-malware-site.jpg align="center")
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747879371672/318282fc-7344-4f88-9f2b-0756c39be8e3.png align="center")
        
2. **Install malware**
    
    * As soon as users download and install **KeeLoader**, the malware drops two modified executables (`KeePass.exe` and `ShInstUtil.exe`) into the `%localappdata%` directory. It then sets up a startup mechanism: an autorun key is created in the registry so that `ShInstUtil.exe` runs automatically at system startup, keeping the implant active across reboots.
        
    * Then, the malware continues to load and execute a malicious file (`db.idx`) disguised as a JPG file to avoid detection by AV software and users, but it actually contains **RC4 encrypted shellcode**.
        
3. **Steal credentials**
    
    * **KeeLoader** is noted to have a C# code segment that performs **extraction and writing of information from the KeePass database**.
        
        ![Dumping KeePass credentials](https://www.bleepstatic.com/images/news/malware/k/keepass/keepass-iab/dumping-keepass-credentials.jpg align="center")
        
    * First, the database contents are written to a `MemoryStream`.
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747881402422/c8a52a97-201c-49f6-9332-21d77f820bd5.png align="center")
        
    * Then, a code segment accesses **all password entries** in KeePass by traversing the group tree from the root. Each entry is passed to `entryHandler` (a delegate), which is presumably the routine that writes out the entry's credentials.
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747881454161/6e128d44-d5eb-4cdf-9022-c9651d6a6444.png align="center")
        
    * The collected data will be written to a file in the `AppData\Local` directory with a random name (for example, `123.kp`).
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747881545906/f6ab021e-bbbc-4649-b361-a5375e610f06.png align="center")
        
    * Finally, once the information has been collected, it is exfiltrated and the implant receives commands from the attacker: deploy Cobalt Strike, continue exploitation, and so on. The passwords stolen from KeePass are then used to move deeper into the network and deploy ransomware, paving the way for targeted attacks on **ESXi** server systems.
        

## **Conclusion**

This campaign is a clear example of **a trojanized legitimate tool** being used to reach dangerous post-exploitation goals. Given its convincing disguise and staged process, organizations need to strengthen their detection capabilities, especially around widely used open-source software.

## **Recommendations**

1. **Software Control and Integrity**
    
    * Compare the installer's SHA-256 hash against the official values published at [https://keepass.info/integrity.html](https://keepass.info/integrity.html). Do not use versions from untrusted sources.
        
    * Only download software from the official website or repositories with clear digital signatures.
        
2. **Behavior and System Log Monitoring**
    
    * Monitor `.kp`, `.idx`, `.exe` files appearing in `AppData\Local\` or `Temp\`
        
    * Track KeePass.exe calling `ShInstUtil.exe` with the `--update` argument
        
3. **Enhance Endpoint Defense (EDR / AV)**
    
    * Set up policies to detect:
        
        * Unusual executable files from AppData
            
        * RC4 decryption activity
            
        * Process injection
            
    * Block suspicious domains/IPs such as: `cloudbackup[.]pw`, `update-checker[.]win`, beacons to port 80/443 with unusual SNI
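
The monitoring and EDR policies above can be expressed as simple rules over endpoint telemetry. The following is an added example written for this post, not code from the original article or from any EDR product: it runs the page's indicators (KeePass.exe spawning `ShInstUtil.exe --update`, KeePass components executing from `AppData\Local`, a Run key pointing at such a binary, and `.kp`/`.idx`/`.exe` files appearing under `AppData\Local` or `Temp`) over a constructed set of simplified Sysmon-style events; the event layout and paths are assumptions for illustration.

```python
import re

# Constructed, simplified events (not real telemetry from the campaign).
EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\KeePass.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "KeePass.exe"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\ShInstUtil.exe",
     "parent": r"C:\Users\u\AppData\Local\KeePass.exe", "cmdline": "ShInstUtil.exe --update"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KeePass",
     "value": r"C:\Users\u\AppData\Local\ShInstUtil.exe"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\db.idx"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\123.kp"},
    # Benign: the genuine installer lives under Program Files and must not alert.
    {"type": "process", "image": r"C:\Program Files\KeePass Password Safe 2\KeePass.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "KeePass.exe"},
]

USER_WRITABLE = re.compile(r"\\AppData\\Local\\|\\Temp\\", re.IGNORECASE)
STAGED_EXT = re.compile(r"\.(kp|idx|exe)$", re.IGNORECASE)
COMPONENTS = {"keepass.exe", "shinstutil.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, evidence) pairs for every event matching one of the page's indicators."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image, parent = ev["image"], ev["parent"]
            if (basename(image) == "shinstutil.exe" and basename(parent) == "keepass.exe"
                    and "--update" in ev["cmdline"]):
                hits.append(("keepass_spawns_shinstutil_update", ev["cmdline"]))
            if basename(image) in COMPONENTS and USER_WRITABLE.search(image):
                hits.append(("keepass_component_from_user_writable_dir", image))
        elif ev["type"] == "registry":
            if "\\currentversion\\run\\" in ev["key"].lower() and USER_WRITABLE.search(ev["value"]):
                hits.append(("run_key_to_appdata_binary", ev["value"]))
        elif ev["type"] == "file":
            if USER_WRITABLE.search(ev["path"]) and STAGED_EXT.search(ev["path"]):
                hits.append(("staged_file_in_appdata", ev["path"]))
    return hits
```

Portable KeePass deployments legitimately run from user-writable directories, so the `keepass_component_from_user_writable_dir` rule needs an allowlist of approved paths or publisher signatures before it is used for alerting rather than hunting.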
        

## **IOC**

1. **Domain**
    
    * keeppaswrd\[.\]com
        
    * keegass\[.\]com
        
    * KeePass\[.\]me
        
    * cloudbackup\[.\]pw
        
    * update-checker\[.\]win
        
2. **IP**
    
    * 45.145.67.54
        
    * 185.212.200.113
        
    * 89.45.13.97
        
3. **Hash**
    
    * 8b386b89e614d3084c1da3c28e324fb2
        
    * 5e7ef2ab3c216be9a73efac7c36e7efc0dd7a9b2a5b5dff9b3b937e2cb3e9c9c
        
    * f43b889d2e0b2b9d5822d8492a1a9e1ac22f52c2cf26a23607f3a6677d7bc451
        

## **References**

1. [Fake KeePass password manager leads to ESXi ransomware attack](https://www.bleepingcomputer.com/news/security/fake-keepass-password-manager-leads-to-esxi-ransomware-attack/)
    
2. [Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials](https://securityonline.info/trojanized-keepass-used-to-deploy-cobalt-strike-and-steal-credentials/)
