Password-Stealing Malware is Impersonating a Popular Password Manager

It's the latest reminder to pay extremely close attention to the URLs of domains you're downloading apps from.

Password-stealing malware ZenRAT is impersonating popular password manager Bitwarden and coaxing unsuspecting victims into downloading it in the process, a cybersecurity research team has found.

Windows users are the targets this time – users who try to download the software for other types of devices are redirected to a benign clone of an article about Bitwarden pulled from a tech website.

Worryingly, the malware appears to have been active since at least July.

Password Stealer Poses as Bitwarden

The Proofpoint threat research team published an investigation this week detailing how password-stealing malware ZenRAT is masquerading as password management service Bitwarden, which is used by hundreds of thousands of people worldwide.

Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, first shared a sample of this malware at the beginning of August. It was extracted from a malicious installation package downloaded from a landing page hosted on the domain “Bitwariden[.]com”.

The same malware installer had already been reported to VirusTotal back in July but was tracked under a different name.

How Does The Malware Infect Computers?

At the time of Proofpoint’s investigation, when users clicked “download” when navigating the landing page, a request was sent to crazygamesis[.]com which was the site hosting the malware at the time of the investigation – but this no longer appears to be the host, the research team say.

An inspection of the installation’s details found it was smuggling itself onto devices under the product name “Speccy”, a non-malicious software application.

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special offer.See deal button

The “RAT” in ZenRAT stands for “Remote Access Trojan”, which allows threat actors to send commands to and receive data from infected devices. This means it can be used to steal information from devices that download it, including passwords.

Proofpoint say the malware gathered information about the target computer’s CPU Name, GPU Name, OS Version, RAM, IP address, and gateway, as well as antivirus programs and other applications the user had installed. It’s not clear, however, how traffic is being directed to the fake Bitwarden domain in the first place.

Windows Users Singled Out

The campaign targets Windows users specifically – those using other operating systems are redirected to a clone of an article on entitled “How to manage your passwords with Bitwarden, a LastPass alternative”.

Interestingly, back on the fake Bitwarden downloads page, users who select the Mac or Linux download option will be directed to the legitimate Bitwarden password manager site.

Whether or not you’re using Windows or not, if you’re downloading something from a page, you have to make sure it’s secure first. Always check the URL to see if you’ve made a mistake – hackers deliberately buy domains with URLs that are very similar to, but aren’t exactly the same, as well-known legitimate websites – they’re counting on the fact you won’t be paying close enough attention to realize.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Aaron Drapkin is a Lead Writer at He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals