Phishing Campaigns Impersonate LastPass to Steal Credentials and Deploy Remote Access Tools
Threat actors have launched sophisticated phishing campaigns impersonating LastPass to trick users into revealing their master passwords and, in some cases, to install remote access tools. One campaign, attributed to the financially motivated group CryptoChameleon (UNC5356), sends emails claiming a family member has requested access to the victim's LastPass vault via a fabricated death certificate, exploiting the service's emergency access feature. Victims are directed to fraudulent sites mimicking LastPass, where they are prompted to enter their credentials or passkeys. In some instances, attackers have also called victims while posing as LastPass staff to further legitimize the scam.
A separate but related campaign targets users of both LastPass and Bitwarden with fake breach notifications, urging them to download a "secure" desktop version of the password manager. The download actually installs the Syncro remote monitoring and management (RMM) tool, which is then used to deploy ScreenConnect for remote access. This allows attackers to steal data, deploy additional malware, and potentially access password vaults. Both LastPass and Syncro have taken steps to warn users and disrupt the malicious infrastructure, emphasizing that no legitimate communication will ever request a master password and advising users to verify suspicious emails.
Sources
Related Stories
Phishing Campaign Impersonates LastPass and Bitwarden to Distribute Remote Access Tools
Threat actors have launched a sophisticated phishing campaign targeting users of the password managers LastPass and Bitwarden. The attackers send well-crafted emails that falsely claim LastPass or Bitwarden has suffered a security breach, urging recipients to download a new, supposedly more secure desktop version of the password manager. These emails are designed to create a sense of urgency and exploit social engineering tactics, with the goal of tricking users into downloading a malicious binary. Upon execution, the binary silently installs Syncro, a remote monitoring and management (RMM) tool commonly used by managed service providers. Once Syncro is installed, the attackers use it to deploy ScreenConnect, a remote support and access software, enabling them to further compromise the victim's system. This access allows the threat actors to deliver additional malware, steal data, and potentially compromise password vaults stored on the affected machines. The phishing emails are sent from addresses such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’, and they mimic official security alerts from LastPass and Bitwarden. The messages claim that older .exe installations of the password managers are vulnerable and that users must upgrade to a new MSI installer to protect their vault data. LastPass has publicly denied any breach of its systems, clarifying that the emails are fraudulent and part of a social engineering scheme. The campaign began over a weekend, likely to take advantage of reduced staffing and slower detection during the holiday period. Bitwarden users have also been targeted with similar phishing emails, indicating a broad scope for the campaign. The attackers' use of legitimate remote access tools like Syncro and ScreenConnect makes detection and remediation more challenging for victims. The campaign follows a similar pattern to previous phishing attacks against users of other password managers, such as 1Password. Security experts warn that the use of trusted brand names and plausible security narratives increases the likelihood of user compromise. Organizations are advised to educate users about the risks of unsolicited security alerts and to verify any requests for software updates directly with the vendor. The incident highlights the ongoing threat posed by phishing campaigns that leverage trusted brands and remote access tools to gain control over user systems and sensitive data. Both LastPass and Bitwarden have issued statements to reassure users and provide guidance on identifying and avoiding these phishing attempts. The campaign demonstrates the evolving tactics of cybercriminals in targeting password manager users, who often have access to highly sensitive credentials. Security teams should monitor for unauthorized installations of RMM tools and implement controls to prevent lateral movement and data exfiltration. The incident underscores the importance of layered security defenses and user awareness training in mitigating the impact of phishing attacks.
5 months agoPhishing Campaign Exploits LastPass Legacy Inheritance Process
Threat actors from the group **CryptoChameleon** have launched a sophisticated phishing campaign targeting *LastPass* users by exploiting the password manager's legitimate legacy inheritance process. Victims receive emails falsely claiming that a family member has submitted a death certificate to gain access to their password vault, with urgent instructions to respond if the recipient is not deceased. The phishing emails contain links to fake LastPass pages designed to steal users' master passwords, and in some cases, attackers have posed as LastPass staff via phone calls to further pressure victims into divulging credentials. The campaign leverages convincing social engineering tactics, including the use of agent ID numbers and passkey-themed phishing domains such as `mypasskey[.]info` and `passkeysetup[.]com`. Attackers also mimic sign-in pages for Gmail, iCloud, Okta, and Outlook to target users' cryptocurrency wallets on platforms like Binance, Coinbase, Kraken, and Gemini. LastPass has warned that these phishing sites are increasingly focused on stealing passkeys, reflecting both the growing adoption of passkeys and their value in protecting high-value assets. Users are advised to remain vigilant and avoid interacting with suspicious emails or providing credentials on unfamiliar sites.
4 months ago
LastPass Phishing Campaign Using Spoofed Support Threads and Fake SSO Pages
LastPass warned of an active **phishing campaign** using spoofed “security alert” and “support thread” emails that claim unauthorized access, master password changes, vault export attempts, account recovery, or new device registration. The messages abuse **display-name spoofing** (e.g., “LastPass Support”) to hide unrelated sender addresses—often from compromised sites or abandoned domains—and use urgent calls to action such as “report suspicious activity,” “disconnect and lock vault,” and “revoke device” to drive clicks. Victims who follow the links are directed to a fake LastPass SSO/login page hosted primarily on `verify-lastpass[.]com`, with additional lookalike/modified URLs redirecting to the same credential-harvesting site, aiming to steal users’ **master passwords** and account credentials. LastPass stated its own infrastructure was **not compromised**, is working with partners to take down the phishing domains, and reiterated it will **never** ask users for their master password; users are advised to report suspicious LastPass-branded emails to `abuse@lastpass.com`.
1 weeks ago