Threat actors have been distributing a trojanized version of the KeePass password manager, known as KeeLoader, for at least eight months, which installs Cobalt Strike beacons and steals credentials. This campaign has been linked to ransomware attacks on VMware ESXi servers and utilizes malicious advertisements to promote fake software sites. Users are warned to download software only from legitimate sources to avoid such threats.