
Introduction: a fake “urgent security update” that hands over your PC
An active phishing campaign is impersonating LastPass and Bitwarden with emails that claim the vendors were hacked and urge recipients to install a “more secure desktop app.” The download is not a password-manager update—it installs a Syncro RMM agent that then deploys ConnectWise ScreenConnect, granting attackers hands-on-keyboard access to the host.
Both vendors say there is no breach on their side; the messages are social-engineering lures.
In brief
- Initial lure: Emails from look-alike domains (e.g., hello@lastpasspulse[.]blog, hello@bitwardenbroadcast[.]blog) pushing a “secure desktop app” because of alleged weaknesses in the existing EXE.
- Payload: A small loader installs Syncro (tray icon hidden), which drops ScreenConnect, giving attackers remote control.
- Config clues: The Syncro agent checks in every ~90 seconds and is minimally configured; it disables several third-party AV agents (Emsisoft, Webroot, Bitdefender) to reduce detection.
- Vendor status: LastPass explicitly confirms no compromise and publishes IOCs (domains, IPs, headers). Cloudflare is actively interdicting landing pages.
- Bigger trend: Threat actors increasingly abuse legitimate RMM (ScreenConnect, Syncro) via phishing—seen across 2025 campaigns beyond password managers.
Context: same playbook, new brands
Abusing reputable brands to smuggle legit IT tools is now commonplace. Recent research documents phishing that persuades users to install ScreenConnect under the guise of Zoom/Teams invitations or business docs, shifting from credential theft to instant remote access. This campaign simply rebrands the lure to password managers, betting on user urgency when “vaults” are mentioned.
Last week also saw a separate phish targeting 1Password users (credential-harvesting, not RMM) — another sign that password-manager branding is in the crosshairs.
Technical analysis: from email to remote control
1) Delivery & social engineering
- Sender examples: hello@lastpasspulse[.]blog and hello@lastpasjournal[.]blog (LastPass copy), and hello@bitwardenbroadcast[.]blog (Bitwarden copy). Subjects assert “We Have Been Hacked – Update…” to create urgency.
- LastPass notes additional infrastructure such as lastpassdesktop[.]com, lastpassdesktop[.]app, and lastpassgazette[.]blog, hosted behind providers known to be abused by threat actors.
2) Landing & download
- At time of reporting, Cloudflare warns/blocks the phishing pages. Users who still proceed fetch a “desktop app” installer that is not from the vendors.
3) Execution chain
- Installer → Syncro: The binary silently installs the Syncro MSP agent with parameters to hide the tray icon.
- Syncro → ScreenConnect: Syncro is used as a BYOI (bring-your-own installer) for ScreenConnect, which provides full remote support/control capabilities to the attacker.
4) Agent configuration & behavior
- Polling: Agent phones home every ~90 seconds.
- Minimal policy set: Syncro’s own (first-party) remote access is not enabled, and its integrated third-party remote tools (Splashtop/TeamViewer) are not deployed; ScreenConnect is the only remote-control channel.
- Security tooling suppression: Config indicates Emsisoft, Webroot, Bitdefender agents are disabled.
These details collectively show an operator intent on fast remote access with fewer moving parts and reduced detection.
5) Post-compromise actions
Once ScreenConnect is live, operators can: deploy additional payloads (stealers/RATs), exfiltrate files, stage ransomware, harvest tokens/cookies, and directly access password vaults if the user is unlocked/logged in.
Practical consequences / risks
- Lateral-movement risk: With hands-on-keyboard access, adversaries can steal browser-stored credentials and SSO tokens and pivot to other systems, and potentially the domain, within minutes.
- EDR blind spots: Legit RMM binaries/signers can blend into allowlists and evade coarse blocking rules.
- Helpdesk impersonation: ScreenConnect use can look like everyday IT support, extending attacker dwell time.
- Vault exposure: The password managers themselves remain sound as products, but a compromised workstation exposes whatever is unlocked on it (keylogging, screen capture), so the endpoint, not the vault, is the weak point.
Operational recommendations (what to do next)
1) Email & user comms
- Block/flag the following IOCs (expand via threat intel feeds):
  - Senders: hello@lastpasspulse[.]blog, hello@lastpasjournal[.]blog, hello@lastpassgazette[.]blog, hello@bitwardenbroadcast[.]blog
  - Domains: lastpassdesktop[.]com, lastpassdesktop[.]app, lastpassgazette[.]blog
  - Related IPs noted by LastPass: 172.67.147[.]36, 172.67.219[.]2, 84.32.84[.]32, 148.222.54[.]15, 23.83.222[.]47. Note that the 172.67.x addresses sit in Cloudflare’s shared edge ranges, so enforce on the domains/URLs rather than those IPs to avoid collateral blocking.
- Send a one-page advisory to employees: “Vendors will never email you a desktop EXE/MSI to install—go to official app stores or the vendor site only.” Reference vendor guidance for spotting real Bitwarden emails.
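The following is an added example (not code from the original article or from LastPass/Bitwarden) of how the IOC list above can be applied to mail at the gateway or in a tenant-wide search, with a second, broader check for look-alike sender domains that carry the brand name but are not the vendors’ own. The IOC values are the ones listed above; the official-domain list, the brand tokens, the subject keywords and all sample messages are assumptions constructed for the demo.

```python
"""Triage inbound mail against the advisory's IOCs plus a brand look-alike heuristic.

Added example for this advisory; not code from the article or from the vendors.
IOC_SENDERS / IOC_DOMAINS are the advisory's values. OFFICIAL_DOMAINS, BRAND_TOKENS,
URGENCY_TOKENS and SAMPLE_MESSAGES are assumptions constructed for the demo.
"""
from email.utils import parseaddr

# Defanged IOCs as published in the advisory.
IOC_SENDERS = {
    "hello@lastpasspulse[.]blog",
    "hello@lastpasjournal[.]blog",
    "hello@lastpassgazette[.]blog",
    "hello@bitwardenbroadcast[.]blog",
}
IOC_DOMAINS = {"lastpassdesktop[.]com", "lastpassdesktop[.]app", "lastpassgazette[.]blog"}

# Assumption: the vendors' real mail domains; extend from the vendors' own guidance.
OFFICIAL_DOMAINS = {"lastpass.com", "bitwarden.com"}

# Brand fragments that should not appear in a domain the vendor does not control.
# "lastpas" also catches the one-s typo-squat seen in the campaign.
BRAND_TOKENS = ("lastpas", "bitwarden")

# Subject fragments the lure leans on ("We Have Been Hacked - Update ...").
URGENCY_TOKENS = ("hacked", "update", "desktop app")


def refang(value):
    """Turn a defanged indicator such as example[.]com back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def registrable_domain(host):
    """Last two labels of a hostname. Demo-grade: a real deployment should use the
    Public Suffix List so multi-label suffixes such as co.uk are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_sender(from_header):
    """Return one of: ioc-match, official, lookalike, clean, malformed."""
    _, addr = parseaddr(refang(from_header))
    if "@" not in addr:
        return "malformed"
    domain = addr.split("@", 1)[1]
    ioc_senders = {refang(s) for s in IOC_SENDERS}
    ioc_domains = {refang(d) for d in IOC_DOMAINS}
    if addr in ioc_senders or domain in ioc_domains or registrable_domain(domain) in ioc_domains:
        return "ioc-match"
    if registrable_domain(domain) in OFFICIAL_DOMAINS:
        return "official"
    if any(tok in domain for tok in BRAND_TOKENS):
        return "lookalike"
    return "clean"


def triage(message):
    """Combine the sender verdict with a subject check. Returns (action, reasons)."""
    reasons = []
    verdict = classify_sender(message.get("from", ""))
    if verdict in ("ioc-match", "lookalike"):
        reasons.append("sender:" + verdict)
    subject = message.get("subject", "").lower()
    urgency = [t for t in URGENCY_TOKENS if t in subject]
    if urgency:
        reasons.append("subject:" + ",".join(urgency))
    if verdict == "ioc-match":
        return "purge", reasons          # known-bad: remove tenant-wide
    if verdict == "lookalike":
        return "quarantine", reasons     # brand in an unknown domain: hold for analyst
    if urgency and verdict != "official":
        return "review", reasons         # lure wording from an unrelated sender
    return "deliver", reasons


# Constructed sample mailbox (not real captured mail).
SAMPLE_MESSAGES = [
    {"from": '"LastPass Team" <hello@lastpasspulse[.]blog>',
     "subject": "We Have Been Hacked - Update your desktop app"},
    {"from": "hello@lastpass-updates.blog",            # constructed look-alike, not an IOC
     "subject": "Urgent: new secure desktop app"},
    {"from": "noreply@lastpass.com", "subject": "Your LastPass monthly summary"},
    {"from": "news@example.org", "subject": "We have been hacked, please update"},
    {"from": "it-help@example.com", "subject": "Printer outage resolved"},
]


def triage_mailbox(messages=SAMPLE_MESSAGES):
    """Run triage over a list of messages; returns a list of (action, reasons)."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for msg, (action, why) in zip(SAMPLE_MESSAGES, triage_mailbox()):
        print(f"{action:10s} {msg['from']:48s} {why}")
```

The exact-match set is what you get from the IOC feed; the look-alike rule is what catches the next domain the actor registers before anyone publishes it. Keep the brand-token check conservative (it only fires on the sending domain, never on the display name alone) and route its hits to quarantine rather than purge, since legitimate partners and MSPs sometimes mention a vendor in their own domains.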
2) Endpoint & network controls
- Application control: Explicitly restrict or approval-gate Syncro and ScreenConnect; alert on new RMM process trees, service installs, and network beacons.
- EDR detections: Hunt for new ScreenConnect services, unexpected ProgramData/AppData subfolders, hidden-tray-icon settings in the Syncro install, and ~90-second polling patterns.
- Quarantine policy: If ScreenConnect is not part of the standard toolset, auto-quarantine when its installer hash or beaconing is detected.
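As an added example (not code from the original article or from the RMM vendors), the script below implements two of the hunts listed above over exported logs: new-service installs (System log event 7045) whose name or binary path points at ScreenConnect or Syncro, and egress that beacons on the fixed ~90-second cadence described in the agent-configuration section. The log line formats, service names, file paths and all sample records are constructed for the demo; adapt the regexes to your SIEM’s export format.

```python
"""Hunt for the Syncro -> ScreenConnect chain's footprint in exported logs.

Added example for this advisory; not code from the article or the RMM vendors.
Both log formats and every sample line are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

RMM_RE = re.compile(r"screenconnect|syncro", re.IGNORECASE)

# Constructed System-log export, one record per line (ServiceName/ImagePath are demo values).
SAMPLE_SERVICE_EVENTS = r"""
2025-10-14T09:02:11 host=WS-042 EventID=7045 ServiceName="Syncro" ImagePath="C:\ProgramData\Syncro\bin\Syncro.Service.Runner.exe"
2025-10-14T09:02:40 host=WS-042 EventID=7045 ServiceName="ScreenConnect Client (1a2b3c4d)" ImagePath="C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe"
2025-10-14T10:15:00 host=WS-007 EventID=7045 ServiceName="PrintSpoolerHelper" ImagePath="C:\Windows\System32\spoolhelper.exe"
2025-10-14T10:20:00 host=WS-007 EventID=7034 ServiceName="ScreenConnect Client (1a2b3c4d)" ImagePath="C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe"
"""

SERVICE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) '
    r'ServiceName="(?P<name>[^"]*)" ImagePath="(?P<path>[^"]*)"'
)


def find_rmm_service_installs(log_text):
    """Return 7045 (new service) records whose name or path mentions an RMM tool.
    Other event IDs for the same service (e.g. 7034 crashes) are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m or m["eid"] != "7045":
            continue
        if RMM_RE.search(m["name"]) or RMM_RE.search(m["path"]):
            hits.append({"host": m["host"], "ts": m["ts"],
                         "service": m["name"], "path": m["path"]})
    return hits


NET_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)")


def build_netlog():
    """Constructed egress log: WS-042 reaches 203.0.113.10:443 every 90 s (+/- 2 s jitter),
    WS-007 reaches 198.51.100.7:443 at irregular, human-driven intervals."""
    base = datetime(2025, 10, 14, 9, 3, 0)
    lines = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
        t = base + timedelta(seconds=90 * i + jitter)
        lines.append(f"{t.isoformat()} host=WS-042 dst=203.0.113.10:443")
    for offset in (0, 17, 140, 151, 600, 612, 1900):
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} host=WS-007 dst=198.51.100.7:443")
    return "\n".join(sorted(lines))  # ISO timestamps sort chronologically


def find_beacons(netlog, period=90.0, tolerance=0.10, min_events=5):
    """Flag (host, dst) pairs whose inter-arrival times sit within `tolerance` of `period`
    and have a low coefficient of variation; bursty human traffic fails the spread test."""
    seen = defaultdict(list)
    for line in netlog.splitlines():
        m = NET_RE.match(line)
        if m:
            seen[(m["host"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    beacons = []
    for (host, dst), stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        spread = pstdev(gaps) / avg if avg else float("inf")
        if abs(avg - period) <= tolerance * period and spread <= tolerance:
            beacons.append({"host": host, "dst": dst, "events": len(stamps),
                            "mean_interval": round(avg, 1), "cv": round(spread, 3)})
    return beacons


if __name__ == "__main__":
    for h in find_rmm_service_installs(SAMPLE_SERVICE_EVENTS):
        print("RMM service install:", h)
    for b in find_beacons(build_netlog()):
        print("Periodic beacon:", b)
```

Run the service check over the System log of any host that received the phishing mail, and the beacon check over proxy or firewall egress for the same hosts; a hit on both for one host within a few minutes is the chain described in the technical analysis. Tune `period` and `tolerance` to your own RMM’s known cadence so sanctioned agents can be allowlisted by destination rather than by silencing the rule.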
3) Identity & vault hygiene
- Enforce MFA + phishing-resistant factors for password-manager accounts.
- Educate users: an unlocked vault on a compromised endpoint is accessible to remote operators; lock vaults when away and use device PIN/biometrics.
4) IR playbook (if hit)
- Isolate the host; remove Syncro/ScreenConnect services; rotate credentials and revoke tokens; review persistence and scheduled tasks created by RMM.
- Contain email: search and purge matching messages tenant-wide; block IOCs; submit samples to vendors/abuse contacts (LastPass: abuse@lastpass.com).
Differences vs. other recent cases
- This campaign: Social-engineering to install RMM (Syncro → ScreenConnect), enabling full remote control.
- Other 2025 waves: Similar ScreenConnect abuse via fake Zoom/Teams invites and trojanized installers—same end state, different lure.
- Older password-manager themed attacks: Some were classic credential phish (e.g., 1Password lookalikes) rather than RMM dropper chains.
Summary / key takeaways
- No, LastPass and Bitwarden were not breached—the emails are fake.
- The goal is to trick you into installing Syncro, which installs ScreenConnect for silent, persistent remote access.
- Block the domains, senders, and IPs listed by LastPass, and treat unsolicited “desktop updates” as malicious.
- Expand detections for RMM tool abuse; many 2025 campaigns use the same tactic with different brands.
Sources / bibliography
- BleepingComputer — “Fake LastPass, Bitwarden breach alerts lead to PC hijacks” (Oct 15, 2025). Primary analysis with payload and config details.
- LastPass Threat Intel (The LastPass Blog) — “October 13 Phishing Campaign Leveraging LastPass Branding” (Oct 13, 2025). Official denial plus IOCs (domains, senders, IPs).
- Abnormal Security — ScreenConnect abuse trend (Aug 26, 2025). Context on RMM-via-phish campaigns.
- TechRadar Pro — ScreenConnect attack kits and large-scale targeting (Sept 2025). Additional trend confirmation.
- Bitwarden — How to identify legitimate Bitwarden emails (reference for user education).

