Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Fake LastPass, Bitwarden breach alerts used to hijack PCs

Written by Farah Amod | October 31, 2025

Cybercriminals are impersonating popular password managers in a phishing campaign designed to install remote-access software on victims’ devices.

What happened

According to BleepingComputer, an active phishing campaign is targeting users of LastPass and Bitwarden with fake breach notifications that urge them to download a “more secure” desktop version of their password manager. The links in these emails direct users to download a file that installs Syncro, a legitimate remote monitoring and management (RMM) tool commonly used by IT providers.

Once installed, the attackers use Syncro to deploy ScreenConnect, a remote-access tool that allows them to take control of the victim’s computer. Both LastPass and Bitwarden confirmed that the emails are fraudulent and that neither company experienced a data breach.

Going deeper

The campaign began over the Columbus Day weekend, likely to exploit reduced staffing and slower security responses. The phishing emails appear professional and reference vulnerabilities in “outdated .exe installers” to convince users to install the malicious MSI “update.”

The fake alerts use sender addresses such as hello@lastpasspulse.blog, hello@lastpasjournal.blog, and hello@bitwardenbroadcast.blog. Cloudflare has since blocked access to the linked phishing pages.
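The sender addresses above put a brand name, or a one-letter misspelling of it, inside a domain the vendor does not own. The following check is an added example, not code from the article or from either vendor: it classifies a From header as official, lookalike, or unrelated. The allowlist of `lastpass.com` and `bitwarden.com`, the one-typo threshold, and all function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: each vendor's primary domain is its only legitimate sending domain.
OFFICIAL = {"lastpass": {"lastpass.com"}, "bitwarden": {"bitwarden.com"}}

def edit_distance(a, b):
    """Levenshtein distance, computed one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_in_label(label, brand, max_typos=1):
    """True if some window of the label is within max_typos edits of the brand."""
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(len(label) - size + 1):
            if edit_distance(label[start:start + size], brand) <= max_typos:
                return True
    return False

def classify_sender(from_header):
    """Return (verdict, brand) for the value of a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Hyphens are dropped so "last-pass" is compared as "lastpass".
    labels = [part.replace("-", "") for part in domain.split(".")]
    for brand, official in OFFICIAL.items():
        if any(domain == d or domain.endswith("." + d) for d in official):
            return ("official", brand)
        if any(brand_in_label(label, brand) for label in labels):
            return ("lookalike", brand)
    return ("unrelated", None)

# The first three addresses are quoted in the article; the display name and
# the last three senders are constructed for this example.
SAMPLES = ["LastPass Security <hello@lastpasspulse.blog>", "hello@lastpasjournal.blog",
           "hello@bitwardenbroadcast.blog", "support@lastpass.com",
           "no-reply@mail.bitwarden.com", "alice@example.org"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{sender:48} {classify_sender(sender)}")
```

A "lookalike" verdict is a reason to quarantine or banner the message, not proof of fraud, and the allowlist should be extended with any additional sending domains the vendor documents.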

Researchers found that once installed, the Syncro agent hides its presence and connects to a remote server every 90 seconds. It deploys ScreenConnect to grant attackers full remote control, enabling them to steal data, install further malware, or access stored passwords.

In a similar incident last month, 1Password users received fake emails warning of account compromises. That campaign redirected users to a fraudulent login page designed to steal master passwords.

What was said

LastPass clarified that it “has NOT been hacked,” describing the campaign as a typical social-engineering attempt to create panic and urgency. A Syncro spokesperson told BleepingComputer that the malicious accounts had been identified and shut down, stating that the Syncro platform itself was not compromised but misused by a fake managed service provider.

The big picture

The fake LastPass and Bitwarden alerts show how phishing campaigns now rely on trust, not just trickery. Attackers used professional-looking emails and familiar branding to convince users to download legitimate remote-access software, turning helpful IT tools into silent backdoors. By striking over a long weekend, they increased the odds that victims would act before anyone could verify the alert.

Paubox recommends Inbound Email Security to prevent these types of impersonation attacks. Its generative AI analyzes sender behavior, tone, and message context to spot emails that look authentic but don’t match legitimate communication patterns. That early detection helps block deceptive alerts and stop remote-access threats before users are drawn in.

FAQs

Why do attackers use legitimate tools like Syncro and ScreenConnect?

Using real software helps attackers evade antivirus detection and appear trustworthy, allowing them to quietly gain control over victims’ systems.

How can users verify if a security alert from a password manager is real?

Legitimate alerts will always be visible on the provider’s official website or blog. Users should log in directly through the official domain rather than clicking email links.

What should you do if you downloaded the fake update?

Immediately disconnect the device from the internet, run a full malware scan, and contact a trusted IT or cybersecurity professional to remove remote-access tools.

How do phishing attacks exploit timing like holiday weekends?

Attackers often strike when organizations have limited staff or slower incident response, increasing the likelihood that fake emails go unnoticed.

What are the safest ways to update password managers?

Only install updates from within the application itself or from the vendor’s verified website. Avoid downloading attachments or clicking links in unsolicited emails.