Full Report
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager. [...]
Analysis Summary
# Tool/Technique: Syncro RMM Agent
## Overview
The Syncro RMM agent is a legitimate remote monitoring and management tool being co-opted by threat actors as a delivery mechanism following a phishing attack targeting password manager users. Its primary purpose in this context is to establish a foothold and deploy secondary remote access tools, specifically ScreenConnect.
## Technical Details
- Type: Tool
- Platform: Windows (Implied by binary delivery and common RMM targets, though Syncro supports multiple platforms)
- Capabilities: Establishing persistent communication with a C2 server, delivering secondary payloads (like ScreenConnect installer), potentially disabling local security solutions.
- First Seen: Context suggests ongoing activity around October 2025.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Windows Service
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (via subsequent payload like ScreenConnect)
## Functionality
### Core Capabilities
- Installation of the Syncro MSP platform agent onto compromised endpoints.
- Establishing periodic check-ins (every 90 seconds observed in configuration).
- Hiding the system tray icon of the agent to evade detection and user awareness.
### Advanced Features
- Configuration appears limited by the threat actor, focusing only on necessary C2 communication.
- Configuration was observed to disable specific local security agents (Emsisoft, Webroot, and Bitdefender).
- Used as a staging mechanism to remotely deploy the ScreenConnect support tool.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Binary samples distributed via phishing links]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: Agent checks in with a server every 90 seconds (Details of the specific C2 server IPs/domains are not provided).
- Behavioral Indicators: Installation of an RMM agent that suppresses its UI element, communication pattern every 90 seconds, and explicit disabling of third-party EDR/AV agents.
## Associated Threat Actors
- Unspecified threat actors conducting phishing campaigns impersonating LastPass and Bitwarden.
## Detection Methods
- Signature-based detection: Detection signatures for the specific Syncro agent binary hashes deployed by the attackers.
- Behavioral detection: Monitoring for the installation of unknown or unauthorized RMM agents (like Syncro) running with suppressed UI elements, and monitoring for changes that disable security software (Emsisoft, Webroot, Bitdefender).
- YARA rules: [Not available in the text]
## Mitigation Strategies
- Avoid interacting with unsolicited security alerts, especially those demanding immediate action via download links.
- Always verify security alerts by logging into the service provider's official website or blog separately.
- Endpoint Detection and Response (EDR) solutions should monitor for the installation and execution of known RMM tools in unauthorized contexts.
- Harden systems against unauthorized software installation, particularly administrative tools.
## Related Tools/Techniques
- ScreenConnect (Used as the secondary remote access tool deployed by Syncro).
- RMM Tool Co-option (General technique of using legitimate remote administration software for malicious purposes).
---
# Tool/Technique: ScreenConnect
## Overview
ScreenConnect (now ConnectWise Control) is a legitimate remote support and access software. In this attack chain, it is delivered via the compromised Syncro RMM agent to provide persistent and interactive remote access to the victim's machine.
## Technical Details
- Type: Tool
- Platform: Windows (Implied)
- Capabilities: Providing remote desktop control, facilitating payload deployment, data exfiltration, and credential theft.
- First Seen: N/A (Used as the secondary payload).
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- TA0008 - Lateral Movement
- T1021.001 - Remote Services: Remote Desktop Protocol
- TA0006 - Credential Access
- T1003 - OS Credential Dumping
## Functionality
### Core Capabilities
- Establishing a stable, interactive remote connection to the compromised endpoint.
- Allowing threat actors to bypass interactive login restrictions to access the machine.
### Advanced Features
- Enables remote command execution and deployment of subsequent malware payloads.
- Allows actors to potentially access cached vault data or steal credentials stored on the machine.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: ScreenConnect installer/files after deployment.
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: Network traffic associated with ScreenConnect/ConnectWise Control communication protocols (details not provided).
- Behavioral Indicators: Execution of remote desktop software initiated by the Syncro agent or unexpected connection attempts matching ScreenConnect patterns.
## Associated Threat Actors
- Unspecified threat actors using the phishing lure.
## Detection Methods
- Signature-based detection: Signatures for known ScreenConnect installers used in malicious contexts.
- Behavioral detection: Monitoring for installation or execution of remote access tools that were not provisioned through official IT channels.
- YARA rules: [Not available in the text]
## Mitigation Strategies
- Restrict outbound firewall rules to explicitly allow only known, approved remote support tools.
- Implement strict egress filtering so that remote access tools which slip past endpoint controls still cannot reach their relay servers.
- Monitor for configuration changes related to known remote access tools being installed or enabled.
## Related Tools/Techniques
- Syncro RMM (The delivery vehicle).
- TeamViewer, Splashtop (Other RMM/Remote Access tools mentioned as *not* being deployed in this specific variant).
---
# Technique: Password Manager Phishing Campaign (LastPass/Bitwarden Lure)
## Overview
A social engineering campaign uses fear, uncertainty, and doubt (FUD) by sending meticulously crafted phishing emails impersonating LastPass and Bitwarden, claiming recent security incidents. The goal is to trick victims into downloading and executing a binary disguised as a "more secure" updated client or MSI replacement.
## Technical Details
- Type: Technique (Phishing / Social Engineering)
- Platform: Email Clients, affecting users of LastPass and Bitwarden.
- Capabilities: High-fidelity impersonation, creation of false urgency, delivery of a malicious payload via landing pages.
- First Seen: Started over the Columbus Day holiday weekend (October 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (or Link leading to download)
- TA0043 - Reconnaissance
- T1589 - Gather Victim Identity Information (Impersonating Trusted Brands)
## Functionality
### Core Capabilities
- Spoofing email sender addresses (e.g., `hello@lastpasspulse[.]blog`, `[email protected]`).
- Using technical jargon in the lure (e.g., claiming an "outdated .exe format" weakness) to convince technically aware users.
### Advanced Features
- Timing the campaign execution to coincide with potential reduced staff presence (Columbus Day weekend).
- Cloudflare was actively blocking the landing pages at the time of reporting, suggesting common hosting/redirection infrastructure was used.
## Indicators of Compromise
- File Hashes: [Not explicitly provided for the initial phishing binary]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators:
  - LastPass Fake Sender: `hello@lastpasspulse[.]blog`, `hello@lastpasjournal[.]blog`
  - Bitwarden Fake Sender: `[email protected]`
  - Initial landing pages were being blocked by Cloudflare access rules.
- Behavioral Indicators: Receiving security alerts from password managers that require immediate action via an external download link.
## Associated Threat Actors
- Unspecified threat actors.
## Detection Methods
- Email filtering rules blocking known malicious sender domains or new domains attempting to mimic established brands.
- User training focused on verifying security alerts through official channels only.
## Mitigation Strategies
- Never trust security alerts that mandate downloading software from an embedded link in an email; navigate directly to the official site.
- Block emails originating from newly registered domains that attempt to establish trust using established service names.
- Users must be educated that legitimate password managers will never ask for the vault master password, even in security alerts.
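The email-filtering detection above and the mitigation of blocking lookalike domains both come down to the same check: is the sender's domain a legitimate domain for a protected brand, or a domain that merely contains (or nearly contains) the brand name? The following is an added example, not part of the report or any vendor's filter; the `PROTECTED_BRANDS` allowlist is an assumption for illustration, and it generalizes the two observed sender domains (`lastpasspulse[.]blog`, `lastpasjournal[.]blog`) to any label within one edit of a brand name. Defanged `[.]` notation is normalized so indicators can be fed in as published.

```python
"""Classify sender domains as legitimate, brand-lookalike or unrelated.

Added example; not part of the original report. PROTECTED_BRANDS is an
assumed allowlist; newly-registered-domain checks (which need WHOIS or
passive DNS) are out of scope here.
"""

# brand token -> domains assumed legitimate for that brand (assumption)
PROTECTED_BRANDS = {
    "lastpass": {"lastpass.com"},
    "bitwarden": {"bitwarden.com"},
}


def normalize_domain(address):
    """Extract the domain from an address, undoing common defanging."""
    addr = address.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if "@" not in addr:
        raise ValueError(f"no domain part in {address!r}")
    return addr.rsplit("@", 1)[1].strip(".")


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def contains_brand_lookalike(label, brand, max_distance=1):
    """True if some window of `label` is within `max_distance` edits of
    `brand`, so both 'lastpasspulse' (contains) and 'lastpasjournal'
    (one deletion) match 'lastpass'."""
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for start in range(0, max(1, len(label) - width + 1)):
            window = label[start:start + width]
            if window and edit_distance(window, brand) <= max_distance:
                return True
    return False


def classify_sender(address, brands=PROTECTED_BRANDS):
    """Return ("legitimate", brand), ("lookalike", brand) or ("unrelated", None).

    Legitimate means the domain is, or is a subdomain of, an allowlisted
    domain. Lookalike means any non-TLD label resembles a brand name while
    the domain is not allowlisted.
    """
    domain = normalize_domain(address)
    for brand, legit in brands.items():
        if any(domain == d or domain.endswith("." + d) for d in legit):
            return ("legitimate", brand)
    labels = domain.split(".")[:-1]  # ignore the TLD itself
    for brand in brands:
        if any(contains_brand_lookalike(lbl, brand) for lbl in labels):
            return ("lookalike", brand)
    return ("unrelated", None)


def triage(addresses):
    """Classify a batch of sender addresses; returns (address, verdict, brand)."""
    return [(a,) + classify_sender(a) for a in addresses]


if __name__ == "__main__":
    # Constructed sample set: the two published lure senders plus controls.
    samples = [
        "hello@lastpasspulse[.]blog",
        "hello@lastpasjournal[.]blog",
        "support@lastpass.com",
        "alerts@mail.bitwarden.com",
        "notices@bitwarden-security.test",
        "news@example.test",
    ]
    for addr, verdict, brand in triage(samples):
        print(f"{verdict:10} {brand or '-':10} {addr}")
```

A mail gateway would typically quarantine or tag the `lookalike` verdict and let `legitimate` through; the `unrelated` bucket still needs ordinary spam and authentication (SPF/DKIM/DMARC) checks, which this example does not replace.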
## Related Tools/Techniques
- 1Password Phishing Campaign (Similar lure used recently but with different technical indicators).