
Phishers Hijack Trust in Password Managers to Drop Remote Access Malware

In a daring escalation of credential-based social engineering, threat actors are now masquerading as security updates for widely used password managers to surreptitiously implant remote access tools on target machines. The scheme — currently attacking LastPass and Bitwarden users — represents a shift from credential-harvesting phishing to full device hijack via trusted infrastructure.


The Scam in Detail: Disguised as a Safe Update


Over the recent holiday weekend, users began receiving well-crafted emails purporting to be breach alerts from LastPass or Bitwarden. Recipients are told that their client software (especially older .exe installs) is vulnerable and are urged to download a “more secure” desktop version, purportedly delivered as an MSI installer.


Of course, no legitimate update is ever delivered. Instead, the distributed binary quietly installs Syncro, a remote monitoring and management (RMM) agent commonly used by managed service providers (MSPs). Once installed, Syncro is used to deploy ScreenConnect, a legitimate remote support tool, granting the attackers hidden remote control over the compromised endpoint.


To avoid detection, the malware suppresses its system tray icon and disables defenses: the extracted Syncro configuration was found to disable host protections from Emsisoft, Webroot, and Bitdefender, and to strip out modules for Splashtop or TeamViewer. The agent checks in every 90 seconds, giving the attackers persistent access.
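As an added illustration (not part of the article, and not Syncro's or ScreenConnect's code), the Python script below looks for the regular check-in cadence described above in a constructed outbound-connection log; the log format and the addresses in it are assumptions made for the example.

```python
# Added example (not from the article): find host/destination pairs whose outbound
# connections recur at a fixed cadence, like the 90-second agent check-in described
# above. Cadence alone is only a lead (legitimate RMM agents beacon too).
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: "<timestamp> <host> <destination> <port>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 ws-17 198.51.100.10 443
2024-01-01T10:01:31 ws-17 198.51.100.10 443
2024-01-01T10:03:00 ws-17 198.51.100.10 443
2024-01-01T10:04:29 ws-17 198.51.100.10 443
2024-01-01T10:06:00 ws-17 198.51.100.10 443
2024-01-01T10:07:31 ws-17 198.51.100.10 443
2024-01-01T10:00:05 ws-17 203.0.113.5 443
2024-01-01T10:00:40 ws-17 203.0.113.5 443
2024-01-01T10:09:02 ws-17 203.0.113.5 443
2024-01-01T10:00:12 ws-22 198.51.100.10 443
2024-01-01T10:00:13 ws-22 198.51.100.10 443
"""

def parse_events(text: str):
    """Yield (timestamp, host, destination, port) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, host, dest, port = line.split()
            yield datetime.fromisoformat(ts), host, dest, int(port)

def periodic_destinations(events, period_s=90, tolerance_s=5, min_count=5):
    """Return [(host, dest, median_gap_s)] for pairs checking in about every period_s."""
    by_pair = defaultdict(list)
    for ts, host, dest, _port in events:
        by_pair[(host, dest)].append(ts)
    hits = []
    for (host, dest), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few connections to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # A beacon is regular: most gaps sit near the median, and the median near period_s.
        regular = sum(abs(g - mid) <= tolerance_s for g in gaps) / len(gaps)
        if abs(mid - period_s) <= tolerance_s and regular >= 0.8:
            hits.append((host, dest, mid))
    return hits

if __name__ == "__main__":
    for host, dest, gap in periodic_destinations(parse_events(SAMPLE_LOG)):
        print(f"{host} -> {dest} checks in every ~{gap:.0f}s")
```

Pair any hit with an asset-inventory question (is an RMM agent expected on this host at all?) before treating it as an incident.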


What’s particularly clever (and sinister) is the abuse of otherwise legitimate tooling. Syncro and ScreenConnect are valid remote support programs. The attackers have simply weaponized them, paring their functions down to what stealth and persistence require.


The Companies Push Back


Unsurprisingly, LastPass was swift to deny any breach. In a security advisory, the company clarified:


“To be clear, LastPass has NOT been hacked, and this is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails.”

They also note that the campaign began during a holiday period—presumably a deliberate choice to exploit lowered staffing and slower response times.


Bitwarden has also been spoofed. Phishing messages from domains like hello@bitwardenbroadcast.blog mimic the same style, warning users of a supposed breach and urging them to install a secure client.


The domain names used in the scam also betray their falsehood. Emails emanate from domains such as lastpasspulse.blog, lastpasjournal.blog, and bitwardenbroadcast.blog — not official LastPass or Bitwarden addresses.


Meanwhile, the Syncro service released a brief statement noting that it had identified and disabled the malicious accounts used in the campaign. The company emphasized it was not itself compromised, but rather that a miscreant had posed as an MSP to exploit the platform.


What Makes This More Dangerous


What sets this attack apart from classic password manager phishing is the degree of control beyond credential theft. Once the attacker has remote access, they can install additional malware, extract files, harvest saved credentials, and potentially pivot laterally across the user’s digital environment.


In effect, it turns a phishing click into a full system takeover. Even if users did not store their vault master password on the device, any open sessions or cached data become exposed. Moreover, defenses that rely on antivirus or endpoint protection can be neutralized once the attacker disables those protections.


This is not just a “vault compromise” attack — it’s a “vault + system compromise” attack.


Defending Against the New Phishing Paradigm


1. Never trust emailed update prompts. A best practice is to ignore download links in emails. If something seems off, navigate manually to the vendor’s website or app store to check for legitimate announcements or security advisories.


2. Verify the source domain. Real LastPass or Bitwarden alerts will come from official domains. Anything from .blog domains, look-alike .com variants, or suspicious subdomains is a red flag.


3. Use device-level protections and EDRs. Even if an attacker installs remote tools, sophisticated endpoint detection and response systems may detect anomalous behavior. Whatever you do, avoid disabling those protections.


4. Rotate master credentials from a clean device. If you suspect compromise, change your master vault password from a device you believe is uncompromised. Revoke active sessions and regenerate high-value credentials.


5. Monitor for lateral behavior. Be alert for unusual remote sessions, rogue processes, or new programs installed without your consent.
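As an added example applying tip 2 (not code from the article or from either vendor), the following Python check classifies a From: address as official, look-alike, or unrelated; the allowlist of official domains is an assumption for illustration, and the sample addresses other than the three .blog domains named above are constructed.

```python
# Added example (not from the article): triage From: addresses per tip 2, flagging
# domains that impersonate LastPass or Bitwarden. The allowlist is an assumption.
OFFICIAL_DOMAINS = {"lastpass.com", "bitwarden.com"}  # assumed; verify with vendor
BRANDS = ("lastpass", "bitwarden")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mentions_brand(label: str, brand: str, max_dist: int = 1) -> bool:
    """True if some window of the label is within max_dist edits of the brand:
    catches bitwardenbroadcast (brand plus word) and lastpasjournal (dropped s)."""
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(1, len(label) - width + 1)):
            if edit_distance(label[start:start + width], brand) <= max_dist:
                return True
    return False

def registrable_domain(host: str) -> str:
    """Last two labels only; a production tool should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def classify_sender(address: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a From: address."""
    host = address.rsplit("@", 1)[-1].strip("> ").lower().strip(".")
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # Every label except the TLD is checked, so subdomain tricks are caught too.
    if any(mentions_brand(lab, b) for lab in host.split(".")[:-1] for b in BRANDS):
        return "lookalike"
    return "unrelated"

# Constructed sample set; the three .blog domains are the ones the article names.
SAMPLE_SENDERS = [
    "hello@bitwardenbroadcast.blog",
    "LastPass Security <alerts@lastpasspulse.blog>",
    "noreply@lastpasjournal.blog",
    "support@lastpass.com",
    "news@example.org",
]

def triage(senders=SAMPLE_SENDERS):
    """Pair each sender with its verdict, e.g. for a mail-gateway report."""
    return [(classify_sender(s), s) for s in senders]
```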


Max Gannon, Cyber Intelligence Team Manager at Cofense, framed it succinctly:


“Threat actors continue to take advantage of major news stories. However, when there are no major news stories that they can easily exploit, then they will simply make one up themselves. This incident drives home the fact that users should be suspicious of ALL emails regardless of who they claim to be from.”

With this campaign, the attackers have proven that the phishing arms race continues to evolve. They’re no longer just tricking users into entering credentials — they’re quietly hijacking systems, all under the guise of security.
