LastPass

An ongoing phishing campaign targeted LastPass users via fake emails claiming the company was hacked, urging them to download a malicious desktop version of the password manager. The attack exploited social engineering tactics, impersonating LastPass with urgency-driven messages from domains like ‘hello@lastpasspulse[.]blog’. The downloaded binary installed **Syncro**, a legitimate remote monitoring tool repurposed to deploy **ScreenConnect**, granting attackers persistent remote access. While LastPass confirmed no breach occurred, the campaign aimed to steal vault credentials by tricking users into installing malware disguised as a security update. The threat actors leveraged reduced holiday staffing (Columbus Day weekend) to delay detection. Cloudflare later blocked the phishing landing pages, but the attack demonstrated sophisticated use of legitimate tools (Syncro/ScreenConnect) to bypass defenses, disable security agents (Emsisoft, Webroot, Bitdefender), and exfiltrate sensitive data from compromised endpoints.

Source: https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/

TPRM report: https://www.rankiteo.com/company/lastpass

{
  "id": "las3302433101625",
  "linkid": "lastpass",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'Unknown (targeted users)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'LastPass',
                        'type': 'Password Manager Provider'},
                       {'customers_affected': 'Unknown (targeted users)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'Bitwarden',
                        'type': 'Password Manager Provider'},
                       {'customers_affected': 'Unknown (targeted users)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': '1Password',
                        'type': 'Password Manager Provider'},
                       {'industry': 'Multiple',
                        'location': 'Global',
                        'name': 'End Users',
                        'type': 'Individuals/Organizations'}],
 'attack_vector': ['Email Phishing',
                   'Malicious Binary Download',
                   'Legitimate Tool Abuse (Syncro MSP, ScreenConnect)'],
 'customer_advisories': ['Do not download software from email links; always '
                         'use official app stores or websites.',
                         'Report phishing emails to the password manager '
                         'provider and email service.',
                         'Check for unusual activity in password vaults or '
                         'connected devices.',
                         'Never share master passwords or 2FA codes, even if '
                         'prompted by seemingly official emails.'],
 'data_breach': {'data_exfiltration': 'Likely (if threat actors accessed '
                                      'vaults or deployed additional malware)',
                 'personally_identifiable_information': 'High risk (if stored '
                                                        'in password vaults)',
                 'sensitivity_of_data': 'High (passwords, potentially payment '
                                        'info, PII)',
                 'type_of_data_compromised': ['Potential password vault '
                                              'credentials',
                                              'System access (via '
                                              'ScreenConnect)',
                                              'User activity logs']},
 'date_detected': '2023-10-09T00:00:00Z',
 'date_publicly_disclosed': '2023-10-09T00:00:00Z',
 'description': 'An ongoing phishing campaign is targeting users of LastPass, '
                'Bitwarden, and 1Password with fake emails claiming that the '
                'companies were hacked. The emails urge recipients to download '
                'a supposedly more secure desktop version of the password '
                'manager, which instead installs the Syncro remote monitoring '
                'and management (RMM) tool. This tool is then used to deploy '
                'ScreenConnect, granting threat actors remote access to '
                'compromised systems. The campaign exploits social engineering '
                'tactics, including urgency and impersonation of official '
                'communications, to trick users into executing malicious '
                'binaries. Cloudflare is currently blocking access to the '
                'phishing landing pages.',
 'impact': {'brand_reputation_impact': ['Moderate (due to impersonation of '
                                        'trusted brands)',
                                        'Erosion of user trust in email '
                                        'communications from password '
                                        'managers'],
            'customer_complaints': 'Likely (users reporting phishing attempts '
                                   'or compromised accounts)',
            'data_compromised': ['Potential access to password vaults via '
                                 'saved credentials',
                                 'System metadata',
                                 'User activity monitoring'],
            'identity_theft_risk': 'High (if password vaults are accessed)',
            'operational_impact': ['Potential account takeovers',
                                   'Follow-on attacks (e.g., lateral movement, '
                                   'ransomware)',
                                   'Increased helpdesk/support load due to '
                                   'user reports'],
            'payment_information_risk': 'High (if payment details are stored '
                                        'in compromised vaults)',
            'systems_affected': ['End-user devices (Windows, possibly macOS)',
                                 'Password manager applications (if '
                                 'credentials were exposed)']},
 'initial_access_broker': {'backdoors_established': ['Syncro MSP agent (hidden '
                                                     'system tray icon)',
                                                     'ScreenConnect remote '
                                                     'access tool'],
                           'data_sold_on_dark_web': 'Potential (if credentials '
                                                    'are exfiltrated and sold)',
                           'entry_point': 'Phishing emails with malicious '
                                          'binary attachments (disguised as '
                                          'password manager updates)',
                           'high_value_targets': ['Password vault credentials',
                                                  'Saved payment information',
                                                  'Corporate/enterprise users '
                                                  'with elevated access'],
                           'reconnaissance_period': 'Likely minimal '
                                                    '(opportunistic campaign '
                                                    'targeting broad user '
                                                    'base)'},
 'investigation_status': 'Ongoing (analysis of malware samples and phishing '
                         'infrastructure)',
 'lessons_learned': ['Threat actors increasingly abuse legitimate tools (e.g., '
                     'Syncro, ScreenConnect) to evade detection.',
                     'Social engineering remains highly effective, especially '
                     'when exploiting urgency (e.g., fake security alerts).',
                     'Holiday weekends are prime targets for phishing '
                     'campaigns due to reduced staffing.',
                     'User education on verifying official communications is '
                     'critical, even for security-savvy audiences.',
                     'Password manager users are high-value targets due to the '
                     'sensitivity of stored credentials.'],
 'motivation': ['Financial Gain',
                'Credential Theft',
                'Data Exfiltration',
                'Potential Follow-on Attacks (e.g., ransomware, fraud)'],
 'post_incident_analysis': {'corrective_actions': ['Enhanced email filtering '
                                                   'for impersonation attacks '
                                                   'targeting password '
                                                   'managers.',
                                                   'Blocklist known malicious '
                                                   'domains (e.g., '
                                                   'lastpasspulse[.]blog, '
                                                   'bitwardenbroadcast.blog).',
                                                   'User training on verifying '
                                                   'software updates and '
                                                   'security alerts.',
                                                   'Restrict execution of '
                                                   'unauthorized RMM tools via '
                                                   'endpoint protection.',
                                                   'Monitor for unusual '
                                                   'installations of '
                                                   'ScreenConnect or Syncro '
                                                   'agents.'],
                            'root_causes': ['Lack of user awareness about '
                                            'phishing tactics impersonating '
                                            'trusted brands.',
                                            'Abuse of legitimate RMM tools '
                                            '(Syncro, ScreenConnect) to bypass '
                                            'security controls.',
                                            'Exploitation of psychological '
                                            'triggers (urgency, fear) in email '
                                            'lures.',
                                            'Timing of campaign during holiday '
                                            'weekend to delay '
                                            'detection/response.']},
 'recommendations': ['Always verify security alerts by logging into official '
                     'websites (not via email links).',
                     'Enable multi-factor authentication (MFA) for password '
                     'managers and associated email accounts.',
                     'Use hardware security keys where possible to mitigate '
                     'phishing risks.',
                     'Monitor for unusual activity in password vaults (e.g., '
                     'unexpected logins or changes).',
                     'Organizations should block or restrict unauthorized RMM '
                     'tools (e.g., Syncro, ScreenConnect) unless explicitly '
                     'whitelisted.',
                     'Deploy email security solutions to detect and quarantine '
                     'phishing messages impersonating trusted brands.',
                     'Conduct regular phishing simulations to train users on '
                     'recognizing social engineering tactics.'],
 'references': [{'date_accessed': '2023-10-09',
                 'source': 'BleepingComputer',
                 'url': 'https://www.bleepingcomputer.com'},
                {'date_accessed': '2023-10-09',
                 'source': 'LastPass Threat Alert'},
                {'date_accessed': '2023-10-09',
                 'source': 'Malwarebytes (1Password campaign analysis)',
                 'url': 'https://www.malwarebytes.com'},
                {'date_accessed': '2023-09-25',
                 'source': 'Hoax-Slayer (1Password phishing report)'}],
 'response': {'communication_strategy': ['LastPass blog post clarifying no '
                                         'breach occurred',
                                         'Media coverage by BleepingComputer '
                                         'and Malwarebytes',
                                         'Social media warnings'],
              'containment_measures': ['Cloudflare blocking phishing domains '
                                       '(lastpasspulse[.]blog, '
                                       'lastpasjournal[.]blog, '
                                       'bitwardenbroadcast.blog, '
                                       'onepass-word[.]com)',
                                       'Public advisories from LastPass and '
                                       'cybersecurity researchers'],
              'incident_response_plan_activated': ['LastPass issued a threat '
                                                   'alert',
                                                   'Cloudflare blocked '
                                                   'phishing landing pages'],
              'remediation_measures': ['User education on verifying official '
                                       'communications',
                                       'Encouragement to report phishing '
                                       'attempts'],
              'third_party_assistance': ['Cloudflare (blocking phishing pages)',
                                         'Malwarebytes (analysis of 1Password '
                                         'campaign)']},
 'stakeholder_advisories': ['LastPass: Clarified no breach occurred; urged '
                            'users to ignore fake emails.',
                            'Bitwarden: No official statement yet (as of '
                            'report).',
                            '1Password: No official statement yet (as of '
                            'report).',
                            'Cybersecurity community: Shared indicators of '
                            'compromise (IoCs) and tactical advice.'],
 'title': 'Ongoing Phishing Campaign Targeting LastPass, Bitwarden, and '
          '1Password Users with Fake Security Alerts',
 'type': ['Phishing',
          'Social Engineering',
          'Malware Distribution',
          'Remote Access Trojan (RAT)'],
 'vulnerability_exploited': 'User trust in brand communications; exploitation '
                            'of psychological urgency and fear tactics. No '
                            'technical vulnerabilities in LastPass, Bitwarden, '
                            'or 1Password systems were exploited.'}