Fake LastPass and Bitwarden Breach Alerts Used in Phishing Campaign to Hijack PCs via Syncro MSP and ScreenConnect
- Rescana
- Oct 16

Executive Summary
A new, highly targeted phishing campaign is exploiting the trusted reputations of LastPass and Bitwarden by distributing fraudulent breach alert emails to their user bases. These emails, crafted to appear as urgent security notifications, direct recipients to download a purportedly "secure" desktop application. In reality, the download is a legitimate but abused remote monitoring and management (RMM) tool, specifically the Syncro MSP Agent, which is then leveraged to silently deploy ScreenConnect (also known as ConnectWise Control). This sequence grants attackers persistent, covert remote access to victim endpoints, enabling credential theft, data exfiltration, and the potential for further malware deployment. The campaign is notable for its use of commodity tools, advanced social engineering, and the ability to bypass endpoint security by disabling popular antivirus agents. There is no evidence of an actual breach at LastPass or Bitwarden; the campaign is purely social engineering. This advisory provides a comprehensive technical breakdown, observed tactics, and actionable mitigation strategies.
Threat Actor Profile
Attribution for this campaign remains unconfirmed, with no direct links to known advanced persistent threat (APT) groups. The operational tradecraft, including the use of legitimate RMM tools and the targeting of password manager users, aligns with tactics commonly observed among financially motivated cybercriminals. The campaign demonstrates a high degree of operational security, launching attacks over holiday weekends to evade detection and rapidly rotating phishing infrastructure. The threat actors exhibit proficiency in social engineering, leveraging the urgency and authority of breach notifications to induce user action. The use of Syncro MSP Agent and ScreenConnect is consistent with a broader trend in the cybercrime ecosystem, where legitimate IT tools are repurposed for initial access and persistence.
Technical Analysis of Malware/TTPs
The attack chain begins with a phishing email, impersonating the security or support teams of LastPass or Bitwarden. The email claims that a security breach has occurred and instructs the recipient to download a new, more secure desktop application. The sender addresses are crafted to closely mimic legitimate communications, including hello@lastpasspulse[.]blog, hello@lastpasjournal[.]blog, and hello@bitwardenbroadcast[.]blog. The embedded links direct users to attacker-controlled landing pages, which have been observed to be blocked by Cloudflare as phishing sites.
Upon download and execution, the user installs the Syncro MSP Agent. This RMM tool is configured with parameters to suppress its system tray icon, minimizing user awareness. The agent establishes a command-and-control (C2) channel, checking in with the attacker's infrastructure every 90 seconds. Its primary function in this campaign is to deploy ScreenConnect, a robust remote access tool. Once installed, ScreenConnect provides the attacker with persistent, stealthy access to the victim's system, enabling full remote control.
The tooling also exhibits anti-detection capabilities, including the automated disabling of popular endpoint security agents such as Emsisoft, Webroot, and Bitdefender. Notably, the campaign does not use other RMM tools such as Splashtop or TeamViewer; it relies exclusively on Syncro MSP and ScreenConnect.
The campaign's tradecraft maps to the following MITRE ATT&CK techniques: T1566.001 (Phishing: Spearphishing Attachment/Link), T1219 (Remote Access Software), T1078 (Valid Accounts, via abuse of legitimate tools), T1105 (Ingress Tool Transfer), T1059 (Command and Scripting Interpreter, for potential follow-on payloads), and T1027 (Obfuscated Files or Information, via the hidden RMM agent).
Exploitation in the Wild
This campaign has been observed in active exploitation, with initial reports surfacing over the Columbus Day holiday weekend. The timing suggests a deliberate attempt to exploit reduced staffing and slower incident response during holidays. Both LastPass and Bitwarden users have been targeted with nearly identical phishing lures, indicating a broad, opportunistic approach rather than a focus on specific organizations or sectors.
Security researchers from BleepingComputer and Malwarebytes have analyzed the campaign, confirming the use of Syncro MSP Agent and ScreenConnect as the primary payloads. Cloudflare has responded by blocking known phishing domains, and multiple indicators of compromise (IOCs) have been published in open sources. User reports on platforms such as Reddit corroborate the widespread nature of the campaign, with victims describing unauthorized remote access and the disabling of security software.
Victimology and Targeting
The campaign appears to be indiscriminate, targeting individual users of LastPass and Bitwarden globally. There is no evidence of sector-specific or country-specific targeting. The attackers rely on the broad user base of these password managers to maximize their reach. The social engineering content is generic, referencing a supposed breach and urging immediate action, which increases the likelihood of user interaction across diverse demographics.
Victims are typically those who respond to the urgency of the phishing email and download the malicious payload. Once compromised, the attackers gain full remote access to the victim's PC, with the ability to exfiltrate password vaults, deploy additional malware (including ransomware or information stealers), and disable endpoint security solutions. The impact is potentially severe, given the sensitive nature of data stored in password managers.
Mitigation and Countermeasures
Organizations and individuals should implement a multi-layered defense strategy to mitigate the risk posed by this campaign. Email security gateways and firewalls should be configured to block sender domains and known phishing URLs, including those associated with lastpasspulse[.]blog, lastpasjournal[.]blog, and bitwardenbroadcast[.]blog. Security teams should proactively search for and remove unauthorized installations of Syncro MSP Agent and ScreenConnect across all endpoints.
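Two of the hunts described here, the search for unauthorized Syncro MSP Agent / ScreenConnect installations and the fixed 90-second check-in described in the technical analysis, can be scripted against endpoint inventory and connection logs. The following is an added example written for this advisory, not Rescana's or any vendor's code; the allowlisted host, service names, domains and timestamps are constructed sample data, and the substring markers are assumptions rather than authoritative service names.

```python
"""Hunt for unauthorized Syncro/ScreenConnect agents and their ~90 s check-in beacon."""
from collections import defaultdict
from statistics import mean, pstdev

# Substrings that identify the two tools abused in this campaign (case-insensitive, assumed).
RMM_MARKERS = ("syncro", "screenconnect", "connectwise control")
# Assumed allowlist: hosts where IT has legitimately deployed an RMM agent.
AUTHORIZED_RMM_HOSTS = {"it-admin-01"}


def find_unauthorized_rmm(inventory):
    """inventory: {hostname: [installed service names]} -> sorted (host, service) hits."""
    hits = []
    for host, services in inventory.items():
        if host.lower() in AUTHORIZED_RMM_HOSTS:
            continue
        hits.extend((host, s) for s in services
                    if any(m in s.lower() for m in RMM_MARKERS))
    return sorted(hits)


def find_beacons(events, period=90.0, tolerance=0.10, min_events=4):
    """events: (unix_seconds, src_host, dst_domain). Flags (host, dst) pairs whose
    connection gaps average close to `period` with little jitter: a fixed RMM
    check-in timer looks like this, human browsing does not."""
    series = defaultdict(list)
    for ts, host, dst in events:
        series[(host, dst)].append(ts)
    flagged = []
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        slack = period * tolerance
        if abs(mean(gaps) - period) <= slack and pstdev(gaps) <= slack:
            flagged.append(key)
    return sorted(flagged)


# Constructed sample data (not real IoCs): one compromised workstation, one admin box.
SAMPLE_INVENTORY = {
    "finance-pc-07": ["Print Spooler", "ScreenConnect Client (sample)", "Syncro"],
    "it-admin-01": ["ScreenConnect Client (sample)"],
    "hr-pc-02": ["Print Spooler", "Windows Update"],
}
SAMPLE_EVENTS = [(t, "finance-pc-07", "c2.example") for t in (0, 90, 181, 270, 361, 450)]
SAMPLE_EVENTS += [(t, "hr-pc-02", "news.example") for t in (0, 30, 200, 260)]

if __name__ == "__main__":
    print("unauthorized RMM:", find_unauthorized_rmm(SAMPLE_INVENTORY))
    print("beaconing pairs:", find_beacons(SAMPLE_EVENTS))
```

Feed real data by building `inventory` from your EDR or asset-management export and `events` from proxy or firewall logs; tune `tolerance` upward if your network adds jitter to outbound connections.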
Incident response procedures should include investigating for signs of lateral movement or the deployment of additional payloads. If compromise is detected, re-enable or reinstall any disabled endpoint security agents and conduct a thorough forensic analysis to assess the scope of the breach.
User awareness remains a critical control. All users should be reminded that LastPass, Bitwarden, and other reputable password managers will never request master passwords or urge software downloads via unsolicited email. Any breach notifications should be verified directly through official vendor websites or trusted communication channels.
Regular security training, combined with simulated phishing exercises, can help reinforce these best practices and reduce the likelihood of successful social engineering attacks.
References
BleepingComputer: Fake LastPass, Bitwarden breach alerts lead to PC hijacks. https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/
Malwarebytes: 1Password phishing campaign. https://www.malwarebytes.com/blog/news/2025/08/clickjack-attack-steals-password-managers-secrets
Reddit: Bitwarden phishing discussion. https://www.reddit.com/r/Bitwarden/comments/1o7lwx1/fake_lastpass_bitwarden_breach_alerts_lead_to_pc/
Syncro MSP
ScreenConnect (ConnectWise Control). https://www.connectwise.com/software/control
About Rescana
Rescana empowers organizations to proactively manage third-party risk and strengthen their cybersecurity posture through our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessments, and actionable intelligence to help you identify and mitigate emerging threats across your vendor ecosystem. For more information or to discuss how Rescana can support your security objectives, we are happy to answer questions at ops@rescana.com.