
Fake Breach Alerts Target LastPass and Bitwarden Users to Hijack PCs


An ongoing phishing campaign is targeting users of LastPass and Bitwarden with fake breach alerts designed to install remote access tools on victims’ systems. The emails falsely claim that both password managers suffered security incidents and urge users to download a “more secure” desktop application to protect their data.

LastPass confirmed it was not hacked and described the messages as social engineering meant to create urgency and push users into installing malicious software. The campaign was timed to start over a holiday weekend, when reduced IT staffing slows detection and response. The fake emails came from lookalike domains such as hello@lastpasspulse[.]blog and hello@lastpasjournal[.]blog, chosen to resemble official LastPass communication.

Bitwarden users received nearly identical messages from hello@bitwardenbroadcast.blog, with the same urgent tone and the same lure of a "more secure" desktop app update. Cloudflare has since flagged the phishing landing pages as malicious and blocked them.

The downloaded binaries install Syncro, a legitimate remote monitoring and management (RMM) tool, which in turn deploys ScreenConnect to give the attackers remote access to the infected device. The Syncro agent is configured to hide its system tray icon and to check in with the attacker's server every 90 seconds, keeping the foothold quiet. It disables security agents from Emsisoft, Webroot, and Bitdefender and skips the other tools Syncro can bundle, such as Splashtop and TeamViewer, deploying only what is needed for remote control.

Once connected via ScreenConnect, the attackers can deploy additional malware, exfiltrate data, and reach credentials stored in the victim's password manager. Syncro clarified that its own platform was not breached: the attackers registered a fraudulent MSP account and abused the service through it. A separate phishing wave targeted 1Password users with the same tactics, redirecting them to onepass-word[.]com from a malicious email sent by watchtower@eightninety[.]com.
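The sender addresses quoted in this post are a good fit for a simple mail-gateway or SIEM check: does the From: domain reuse a password-manager brand without being the vendor's real domain? The script below is an added example, not code from the article or from any of the vendors named. It takes the indicators quoted above (defanged, as constructed sample headers) and classifies each sender as `legit`, `lookalike`, or `other`, using exact brand containment first and a one-edit fuzzy match second so that a dropped letter like "lastpasjournal" is still caught. The vendor domains are the real public ones; the `onepassword` alias and the naive two-label registrable-domain logic are assumptions made for the example.

```python
"""Flag From: addresses whose domain impersonates a password-manager vendor.

Added example (not the article's code). Sample headers are constructed from
the indicators quoted in the article; vendor domains are the real public ones.
"""
from __future__ import annotations

import re
from email.utils import parseaddr

# Real vendor domains mapped to the brand tokens a lookalike would reuse.
# "onepassword" is an assumed alias so spelled-out or hyphenated variants match.
LEGIT_DOMAINS: dict[str, tuple[str, ...]] = {
    "lastpass.com": ("lastpass",),
    "bitwarden.com": ("bitwarden",),
    "1password.com": ("1password", "onepassword"),
}

# Constructed sample From: headers built from the article's (defanged) indicators.
SAMPLE_FROM_HEADERS = [
    "LastPass <hello@lastpasspulse[.]blog>",
    "LastPass <hello@lastpasjournal[.]blog>",
    "Bitwarden <hello@bitwardenbroadcast[.]blog>",
    "1Password Watchtower <watchtower@eightninety[.]com>",
    "1Password <notify@onepass-word[.]com>",
    "LastPass <noreply@lastpass.com>",          # genuine vendor domain
    "Bitwarden <support@mail.bitwarden.com>",   # subdomain of a vendor domain
]

_DEFANG = re.compile(r"\[\.\]")


def refang(value: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be parsed."""
    return _DEFANG.sub(".", value)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short host labels, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fuzzy_contains(label: str, brand: str, max_dist: int = 1) -> bool:
    """True if some window of `label` is within `max_dist` edits of `brand`
    (catches dropped or swapped letters such as 'lastpasjournal')."""
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for start in range(0, max(0, len(label) - width) + 1):
            if levenshtein(label[start:start + width], brand) <= max_dist:
                return True
    return False


def classify_sender(header_value: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'other'."""
    _, addr = parseaddr(refang(header_value))
    if "@" not in addr:
        return "other", "no parseable address"
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    labels = host.split(".")
    # Assumed naive eTLD+1 (last two labels); use a public-suffix list in production.
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT_DOMAINS:
        return "legit", registrable
    flat_labels = [lbl.replace("-", "") for lbl in labels]  # onepass-word -> onepassword
    joined = "".join(flat_labels)
    # Pass 1: brand token embedded verbatim, e.g. lastpasspulse.blog
    for legit, brands in LEGIT_DOMAINS.items():
        for brand in brands:
            if brand in joined:
                return "lookalike", f"{host} reuses '{brand}' but is not {legit}"
    # Pass 2: one-edit typosquat, e.g. lastpasjournal.blog
    for legit, brands in LEGIT_DOMAINS.items():
        for brand in brands:
            if any(_fuzzy_contains(lbl, brand) for lbl in flat_labels):
                return "lookalike", f"{host} is within one edit of '{brand}' (not {legit})"
    return "other", f"{host} carries no password-manager brand"


def scan(headers: list[str]) -> list[tuple[str, str]]:
    """Classify every From: header; one (verdict, reason) per header, in order."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for hdr, (verdict, reason) in zip(SAMPLE_FROM_HEADERS, scan(SAMPLE_FROM_HEADERS)):
        print(f"{verdict:9}  {hdr}\n           {reason}")
```

Note what the run shows: the LastPass, Bitwarden, and onepass-word[.]com lures all come back `lookalike`, but watchtower@eightninety[.]com comes back `other`, because that lure borrows a 1Password feature name in the local part rather than the brand in the domain. A sender-domain check is therefore one signal, not a verdict; pair it with checks on the display name and local part and on the message body's "download a more secure desktop app" lure.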

Security practitioners stress that users should never act on such an alert from inside the email: verify any claimed breach through the vendor's official website and announcements, reached by typing the address rather than following a link in the message. No password-manager vendor asks for a master password, so any such request is a definitive sign of phishing.