Phishing Campaign Targets LastPass and Bitwarden Users


A recent phishing campaign is targeting users of LastPass and Bitwarden password managers, using fake breach alerts to distribute malware. These phishing emails impersonate the companies, urging users to download a more secure desktop application, but instead lead to the installation of malicious software that grants remote access to attackers.

Severity: High

Threat Details

  • The Lure: Phishing emails falsely claim that LastPass and Bitwarden have been hacked, urging recipients to download a supposedly more secure desktop version of the password manager.
  • Timing: The campaign was launched during a holiday weekend, a common tactic to delay detection and response due to reduced staffing.
  • Subject Lines: Subjects such as “We Have Been Hacked – Update Your LastPass Desktop App to Maintain Vault Security” create urgency to convince users to act quickly.
  • Sender Addresses and Links: The emails use deceptive sender addresses like hello@lastpasspulse[.]blog and hello@bitwardenbroadcast[.]blog and include links to fake websites that mimic official LastPass and Bitwarden domains.
  • Malware Deployment:
    • These sites trick users into downloading a malicious binary disguised as an app update.
    • This binary installs the Syncro MSP platform agent to deploy the ScreenConnect remote support and access software.
    • The Syncro agent is installed with parameters to hide its system tray icon, keeping the user unaware of the new tool, and its main purpose appears to be deploying ScreenConnect for remote access to the compromised PC.
    • The configuration of the malware also includes disabling security agents like Emsisoft, Webroot, and Bitdefender.

Recommendations

  1. Always verify the authenticity of emails, especially those claiming urgent security alerts. Do not click on links in unsolicited emails. Instead, manually visit the official website of the service (e.g., LastPass or Bitwarden) and check for any updates or notifications.
  2. Conduct regular phishing awareness training to help users identify phishing attempts.
  3. Always enable multi-factor authentication for password managers and other sensitive accounts.
  4. Keep all software up to date, especially password managers like LastPass and Bitwarden, to avoid exploitation of known vulnerabilities.
  5. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/7926460c6463fd27526e81d80d7a8c8e21d0e887c1fc2833c86ad334dd9c1fca/iocs
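As an added example that is not part of the advisory and not code from Ampcus Cyber, the script below turns the sender-address detail from Threat Details and recommendations 1 and 5 into a mail-gateway style check: it flags the two sender domains quoted above as known indicators, flags any other sender or link domain that carries a vendor brand name without belonging to the vendor (a lookalike), and notes the urgency wording in the subject. It assumes lastpass.com and bitwarden.com are the vendors' genuine domains; the two sample messages are constructed for the demonstration, and the link host lastpass-desktop-update.example is a placeholder, not a real indicator.

```python
"""Flag e-mails that impersonate a password-manager vendor through lookalike
sender or link domains, the pattern described in the advisory above."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption: these are the vendors' genuine domains (any subdomain is accepted too).
OFFICIAL_DOMAINS = {"lastpass.com", "bitwarden.com"}
BRAND_KEYWORDS = ("lastpass", "bitwarden")
# Sender domains quoted in the advisory, with the defanging brackets removed.
KNOWN_BAD_DOMAINS = {"lastpasspulse.blog", "bitwardenbroadcast.blog"}
# Wording taken from the quoted subject line of the campaign.
URGENCY_PHRASES = ("we have been hacked", "maintain vault security", "update your")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_official(domain):
    """True for a vendor domain or one of its subdomains."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in OFFICIAL_DOMAINS)


def classify_domain(domain):
    """Return a finding label for a suspicious domain, or None if benign."""
    d = domain.lower().rstrip(".")
    if d in KNOWN_BAD_DOMAINS:
        return "known-ioc"
    if is_official(d):
        return None
    # A brand name inside a domain the vendor does not own is the lookalike pattern.
    if any(k in d for k in BRAND_KEYWORDS):
        return "brand-lookalike"
    return None


def analyse_message(raw):
    """Parse an RFC 822 message and report impersonation findings."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Sender domain (the address part of the From header).
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    label = classify_domain(sender_domain)
    if label:
        findings.append(("sender", sender_domain, label))

    # 2. Hosts of every link in the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted(set(URL_RE.findall(text))):
        label = classify_domain(host)
        if label:
            findings.append(("link", host, label))

    # 3. Urgency wording only counts when paired with a domain finding,
    #    so a genuine vendor notice about an update is not flagged.
    subject = str(msg.get("Subject", "")).lower()
    if findings and any(p in subject for p in URGENCY_PHRASES):
        findings.append(("subject", subject, "urgency-lure"))

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages; the link host in PHISH is a placeholder.
PHISH = """\
From: LastPass <hello@lastpasspulse.blog>
To: user@example.com
Subject: We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security

Download the secure desktop app now: https://lastpass-desktop-update.example/app
"""

LEGIT = """\
From: LastPass <noreply@lastpass.com>
To: user@example.com
Subject: Your monthly security report

See your dashboard at https://lastpass.com/security
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse_message(raw))
```

The known-indicator set is deliberately separate from the lookalike heuristic: the first is what recommendation 5 blocks outright, the second catches the next domain the same campaign registers, at the cost of needing an allow-list for any partner domain that legitimately contains the brand name.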

Source:


