A new report from WithSecure provides some important reminders and clarification about the security risks of search ads, even those served by the world’s biggest tech outfits. The report documents a recent rash of ransomware attacks, spanning at least eight months, initiated by a fake version of the KeePass password manager that was spread through Microsoft ads.
The incident illustrates how well “malvertising” can work even on trusted search sites, and how open source projects can be abused to smuggle trojans past standard security scans. Unfortunately there is no perfect way to screen these attacks out short of adequate phishing training; in this case, there were several very visible clues that the malicious ad should not have been clicked.
Malvertising campaign used multiple known brands to open door for ransomware attacks
The malicious ads were primarily displayed through Bing searches, but also may have appeared in DuckDuckGo searches due to an advertising partnership with Microsoft. It is unclear how the ads evaded the usual screening process for threats, particularly when they included the malicious URL (aenys[.]com) in plain text for the user to see. This same URL was also used to drive multiple brand impersonations including Sallie Mae, DEX Screener and the Phantom crypto wallet.
Those who did not take note of the clues that something was amiss would be redirected to a fake KeePass download page that itself carried further signs something was wrong, primarily incorrect version numbers of the password manager being listed. Installing it then opened the door to both ransomware attacks and exfiltration of any data entered into the password database.
Other clues in the malicious Bing ads included the advertiser identity not being in English (though the rest of the ad and the download page are) and a number of grammatical errors throughout. There is more than enough present for someone aware of phishing tactics to be put on alert if they scrutinize the text carefully, but the fact that the ads made it into the Microsoft ad network and appeared alongside Bing searches likely created a certain level of automatic trust.
Code modification of password manager likely to slip by usual security scans
The researchers first discovered the trojanized KeePass build, dubbed KeeLoader, in the wild (via a compromised client) in February 2025 and traced it to a campaign lasting for at least eight months and compromising multiple targets. The attackers are not yet identified, but they made use of Black Basta and BlackCat ransomware yet at times left spoofed notes in an apparent attempt to make it appear that Akira ransomware was to blame. The researchers believe this points to at least some former Black Basta members going in a new direction after their group was thrown into disarray in late 2024 by a combination of law enforcement action and internal leaks, though that group has also since resurfaced.
Aside from language issues and a readily visible attack URL, another warning sign is that the fake password manager is presented as “KeePass-2.56-Setup.exe” if a user goes so far as to initiate the download. This version of KeePass was replaced in mid-2024 and is now several version numbers out of date. The malware is much easier to detect before installation than to detect and remove once it is on a target system. It installs an encrypted Cobalt Strike payload that is used for future ransomware attacks at the discretion of the hackers, and it is very difficult to detect in a security sandbox until the attackers manually activate it.
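The clues described above (a destination domain that does not belong to the impersonated brand, an installer filename carrying a superseded version number, and an advertiser name in a different script) are the kind of thing an ad-click or download-proxy log can be screened for automatically. The following Python is an added example written for this article, not code from WithSecure or the KeePass project. The sample records are constructed; the official-domain table and the current release number passed to the checker are assumptions that a defender fills in from their own sources (keepass.info is KeePass’s real site, the version value is a placeholder).

```python
import re
from urllib.parse import urlparse

# Assumed mapping of impersonated brand -> official download domain(s).
# keepass.info is the genuine KeePass site; extend this table for other
# brands you care about (the report's other impersonated brands are not
# mapped here because their official domains are not in the article).
OFFICIAL_DOMAINS = {
    "keepass": {"keepass.info"},
}

# Matches the installer naming scheme seen in the campaign, e.g.
# "KeePass-2.56-Setup.exe", and captures the dotted version number.
VERSION_IN_FILENAME = re.compile(r"(?i)keepass-(\d+(?:\.\d+)+)-setup\.exe")


def refang(url: str) -> str:
    """Turn a defanged indicator such as aenys[.]com back into a real host."""
    return url.replace("[.]", ".")


def parse_version(v: str) -> tuple:
    """'2.56' -> (2, 56) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def host_is_official(host: str, brand: str) -> bool:
    official = OFFICIAL_DOMAINS.get(brand.lower(), set())
    if not official:
        return True  # unknown brand: nothing to compare against
    return host in official or any(host.endswith("." + d) for d in official)


def check_ad(ad: dict, current_version: str) -> list:
    """Return the list of warning signs found in one ad/download record."""
    findings = []

    host = urlparse(refang(ad["destination_url"])).hostname or ""
    if not host_is_official(host, ad["brand"]):
        findings.append(f"destination host {host} is not an official {ad['brand']} domain")

    m = VERSION_IN_FILENAME.search(ad.get("filename", ""))
    if m and parse_version(m.group(1)) < parse_version(current_version):
        findings.append(f"installer version {m.group(1)} is older than current release {current_version}")

    # The report noted the advertiser identity was not in English while the
    # rest of the ad was; a non-Latin script in the advertiser name is a
    # cheap proxy for that mismatch.
    if any(ord(ch) > 127 and ch.isalpha() for ch in ad.get("advertiser", "")):
        findings.append("advertiser name contains non-Latin script")

    return findings


# Constructed sample records: one modelled on the campaign (domain taken from
# the article, advertiser string invented), one benign.
SAMPLE_ADS = [
    {
        "brand": "KeePass",
        "advertiser": "Надёжный софт",            # constructed, not from the report
        "destination_url": "https://aenys[.]com/keepass/download",
        "filename": "KeePass-2.56-Setup.exe",
    },
    {
        "brand": "KeePass",
        "advertiser": "Example Software Ltd",      # constructed
        "destination_url": "https://keepass.info/download.html",
        "filename": "KeePass-2.58-Setup.exe",      # version chosen to match the placeholder below
    },
]

# Placeholder for the current KeePass release; substitute the real value.
CURRENT_RELEASE = "2.58"


def triage(ads: list, current_version: str = CURRENT_RELEASE) -> dict:
    """Map each record's destination URL to its findings (empty list = no flags)."""
    return {ad["destination_url"]: check_ad(ad, current_version) for ad in ads}


if __name__ == "__main__":
    for url, findings in triage(SAMPLE_ADS).items():
        status = "FLAGGED" if findings else "ok"
        print(f"{status:8} {url}")
        for f in findings:
            print(f"         - {f}")
```

Run against a real feed, the destination-domain check is the strongest signal: the report’s malicious ads carried the attacker’s domain in plain text, so a brand-to-domain allowlist catches them regardless of how polished the rest of the ad looks. The version and script checks are weaker heuristics that help prioritise review rather than block on their own.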
The fake password manager’s malicious elements are also difficult to detect as the attackers took KeePass’s open source code and rebuilt it with the payload and exfiltration tool built in, in such a way that security scanning software would likely not catch it (at least until updated due to this public disclosure).
The takeaway from all of this is that malvertising remains a real possibility even on the biggest ad networks (Google and Facebook have experienced numerous issues in recent years as well), and ads must be scrutinized as carefully as emails, messages and web pages before clicking on anything. It is also a reminder of the ease with which open source tools can be maliciously modified, and that anything involving a password database is going to receive a great deal of attention from the world’s most creative attackers!