Phishing Campaign Targets Master Passwords of Top Managers
In recent weeks, a surge of phishing campaigns has emerged in which attackers impersonate popular password managers — LastPass, Bitwarden, and 1Password. Their objective is to deceive users into revealing their master password, the single key granting access to all stored credentials, including those of corporate systems. The attacks exploit a foundation of trust, as such services are widely regarded as the most secure vaults of one’s digital identity.
Users of LastPass and Bitwarden began receiving counterfeit emails warning of alleged breaches. The recipients were urged to download a “new secure version” of the desktop application — which, in reality, installs Syncro, a legitimate remote monitoring and management (RMM) tool typically used by IT service providers to support clients. Through this agent, attackers subsequently deploy another program — ScreenConnect — granting them full remote control over compromised devices.
According to an official LastPass advisory, the company has not suffered a breach; the emails are a classic case of social engineering. These fake messages originate from domains such as “hello@lastpasspulse[.]blog” and “hello@lastpasjournal[.]blog”, crafted with convincing language referencing “vulnerable .exe installers” and urging users to “migrate to the new MSI format.” The messages claim that older versions might allow unauthorized access to cached password data, thus encouraging recipients to download a “safer” build “as a precaution.” The campaign launched over the Columbus Day holiday weekend, likely timed to exploit reduced staffing and slower response from security teams.
Bitwarden has fallen prey to the same scheme. From “hello@bitwardenbroadcast[.]blog”, users received nearly identical messages prompting installation of an “enhanced desktop application.” Cloudflare has since blocked access to these phishing sites, flagging them as fraudulent.
Experts who examined the binaries attached to the emails found that the LastPass and Bitwarden lures delivered the same installer. The Syncro RMM agent is launched with parameters that conceal its system tray icon, ensuring the user remains unaware of the new background process. Its configuration is minimal: it checks in with a remote server every 90 seconds, lacks built-in remote access features, and does not activate other RMM tools like Splashtop or TeamViewer. More alarmingly, it disables antivirus agents including Emsisoft, Webroot, and Bitdefender, leaving the system defenseless.
The primary purpose of the installation is to download and execute ScreenConnect, granting attackers the ability to control the device remotely, deploy malware, and exfiltrate credentials — including those stored within encrypted vaults. A separate phishing wave has targeted 1Password users since late September, with emails titled “Your password has been compromised” sent from “watchtower@eightninety[.]com.” The embedded link redirected via Mandrillapp to “onepass-word[.]com,” where victims were prompted to enter their secret key and master password. Analysts at Malwarebytes confirmed that this campaign was independent of the attacks on LastPass and Bitwarden, though it exploited the same psychology of fear and misplaced trust.
All three companies emphasize that they never request master passwords nor distribute updates via email. Users are urged to verify all security notifications exclusively through official websites and blogs. On October 16, Syncro’s developers also released a statement clarifying that their platform was not compromised — the attackers had fraudulently registered as an MSP partner and exploited legitimate installation mechanisms for malicious purposes. The rogue accounts were promptly terminated, and all deployments through them were suspended.
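A mail-gateway or SOC triage rule can apply the vendors' advice mechanically: anything claiming to be a password manager but sent from a domain other than the vendor's own is suspect. The following script is an added example written for this article, not code from LastPass, Bitwarden, 1Password, Syncro, or Malwarebytes. It classifies sender addresses against the brand's legitimate domain (the vendor domains listed are an assumption) and flags lookalike domains such as the ones quoted above; the sample headers are constructed from the defanged addresses in the article. It also shows the limit of this check: the 1Password lure came from a domain that bears no brand name at all, so sender-domain matching must be paired with verifying notices through the vendor's official site.

```python
import re
from difflib import SequenceMatcher

# Brands impersonated in the campaign and the domains assumed to be their legitimate
# senders (assumption: the vendors' primary domains, not an exhaustive allow-list).
BRANDS = {
    "lastpass": {"lastpass.com"},
    "bitwarden": {"bitwarden.com"},
    "1password": {"1password.com"},
}

# Spelled-out forms that map back to a brand once hyphens are stripped
# ("onepass-word" -> "onepassword" -> 1Password).
BRAND_ALIASES = {"onepassword": "1password"}

# Minimum similarity between a brand and the start of a domain label before we
# treat it as a typo-squat (catches one-character drops like "lastpas").
NEAR_MISS_RATIO = 0.85

EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def registrable_label(domain: str) -> str:
    """Return the second-level label: 'lastpasspulse' for 'mail.lastpasspulse.blog'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(address: str) -> tuple[str, str]:
    """Classify one From address as legitimate, lookalike, unrelated, or unknown.

    Defanged addresses ("[.]") are accepted so analyst notes can be fed in directly.
    """
    match = EMAIL_RE.search(address.replace("[.]", "."))
    if not match:
        return ("unknown", "no e-mail address found")
    domain = match.group(1).lower()

    # Exact vendor domain or a subdomain of it: treat as legitimate sender.
    for brand, legit_domains in BRANDS.items():
        if domain in legit_domains or any(domain.endswith("." + d) for d in legit_domains):
            return ("legitimate", brand)

    label = registrable_label(domain)
    squashed = label.replace("-", "")

    for alias, brand in BRAND_ALIASES.items():
        if alias in squashed:
            return ("lookalike", f"{brand} name spelled out in '{domain}'")

    for brand in BRANDS:
        # Brand embedded in the label: "lastpasspulse", "bitwardenbroadcast".
        if brand in squashed:
            return ("lookalike", f"{brand} name embedded in '{domain}'")
        # Near miss at the start of the label: "lastpasjournal" vs "lastpass".
        ratio = SequenceMatcher(None, brand, squashed[: len(brand)]).ratio()
        if ratio >= NEAR_MISS_RATIO:
            return ("lookalike", f"'{label}' resembles {brand} (ratio {ratio:.2f})")

    return ("unrelated", domain)


def flagged_senders(from_headers: list[str]) -> list[tuple[str, str, str]]:
    """Return (address, verdict, reason) for every header classified as a lookalike."""
    results = []
    for header in from_headers:
        verdict, reason = classify_sender(header)
        if verdict == "lookalike":
            results.append((header, verdict, reason))
    return results


# Constructed sample From headers built from the addresses quoted in the article.
SAMPLE_FROM_HEADERS = [
    "From: hello@lastpasspulse[.]blog",
    "From: hello@lastpasjournal[.]blog",
    "From: hello@bitwardenbroadcast[.]blog",
    "From: noreply@onepass-word[.]com",
    "From: watchtower@eightninety[.]com",   # 1Password lure; no brand in the domain
    "From: support@lastpass.com",           # assumed legitimate vendor sender
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", classify_sender(header))
```

Running the block prints a verdict per header: the four brand-bearing domains are flagged as lookalikes, lastpass.com passes, and eightninety.com comes back "unrelated" even though it carried the 1Password phish. That last result is the point to keep in mind when tuning such a rule: the domain check blocks the cheap impersonations, but a lure that puts the brand only in the display name and subject line needs a second signal, which is why the vendors tell users to confirm any security notice on the official site rather than trusting the message.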