Hackers Hacked Passwordstate Update Mechanism to send Malware

Malicious updates were distributed between April 20-22 this year.


Unknown attackers compromised the update mechanism of the corporate password manager Passwordstate and used it to install malware on users' systems.

Passwordstate developer Click Studios has already sent out incident notification emails to their customers . According to data on the Click Studios website, its client list includes 29 thousand companies around the world, including government organizations, as well as firms in the defense, financial, aerospace and other sectors.

According to the notification, malicious updates were distributed between April 20-22. As the investigation showed , the cybercriminals compromised the In-Place Upgrade function and used it to send a malicious update, which is a zip archive “Passwordstate_upgrade.zip” containing the malicious DLL “moserware.secretsplitter.dll”. Once installed, the malware, dubbed Moserware, contacted the C&C server to request new commands and additional payloads.

At the moment, it is unclear what additional malicious modules were loaded on the compromised systems and what actions the attackers took, since they shut down their C&C server immediately after detecting a breach.

Click Studios has already released a malware removal hotfix. Experts recommend that Passwordstate users reset all passwords stored in the manager as soon as possible, especially for VPNs, firewalls, switches, servers, and local accounts.