LastPass Impersonation Phishing

BLUF

 An active phishing campaign impersonating LastPass is targeting users' master passwords. The lure claims mandatory infrastructure maintenance and demands that the user create a "local backup" of the vault through an attacker-controlled page that harvests the master password. LastPass has confirmed that it has NOT been breached; these are impersonation attacks against LastPass customers, not a compromise of LastPass itself.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

 

For organizations affected by LastPass impersonation phishing campaigns leading to credential compromise and infostealer exposure, the financial impact typically extends well beyond the initial phishing event due to credential resets, downstream access abuse, and operational disruption.

·       Low-end total cost: $150,000 – $400,000

o   Single-user compromise, rapid detection, limited lateral access

·       Typical expected range: $600,000 – $1.8M

o   Multiple employees impacted, credential reuse, short operational disruption

·       Upper-bound realistic scenarios: $3M – $7M

o   Privileged credential loss, malware persistence, regulatory notification obligations

Key Cost Drivers

·       Number of employees submitting credentials or executing malicious payloads

·       Privilege level and reuse of compromised passwords across systems

·       Time to detection and containment of infostealer activity

·       Scope of credential resets, access reviews, and forensic investigation

·       Regulatory notification thresholds triggered by data exposure

Targeted Sectors

·       General consumers

·       Enterprise employees

Countries

·       Global

Date of First Reported Activity

·       January 19, 2026

Date of Last Reported Activity Update

·       January 20, 2026

IOCs

Malicious URLs and associated IPs

·       mail-lastpass[.]com

·       group-content-gen2.s3.eu-west-3.amazonaws[.]com

·       group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf

Note that the amazonaws[.]com entry is a bucket-specific hostname on the shared AWS S3 service; hunt and block on the full bucket name and object path, not on the S3 domain or its IP.

Associated IP addresses at time of publication

·       52.95.155.90 (Amazon AWS range, consistent with the S3 URL above; shared cloud address)

·       104.21.86.78 (Cloudflare; shared CDN front end)

·       172.67.216.232 (Cloudflare; shared CDN front end)

·       188.114.97.3 (Cloudflare; shared CDN front end)

·       192.168.16[.]19 (RFC 1918 private address; not routable and almost certainly a sandbox or lab artifact, not attacker infrastructure)

·       172.23.182.202 (RFC 1918 private address; same caveat)

The routable addresses are shared cloud/CDN infrastructure and will produce false positives if blocked; use the domains and full URLs above for blocking, and treat the IPs as context only.

From

·       support@sr22vegas[.]com

·       support@lastpass[.]server8

·       support@lastpass[.]server7

·       support@lastpass[.]server3

TTPs

Initial Access

·       T1566 - Phishing

o   Scammers send deceptive emails from addresses like hello@lastpasspulse.blog claiming the company has been hacked.

·       T1566.002 - Phishing: Spearphishing Link

o   Emails include links to counterfeit domains like lastpassdesktop.com designed to harvest credentials or deliver malware.

·       T1566.001 - Phishing: Spearphishing Attachment

o   Attackers may attach malicious files, such as fake security patches, that install malware when opened.

Execution

·       T1204.001 - User Execution: Malicious Link

o   Victims are tricked into clicking links that lead to credential-stealing sites.

·       T1204.002 - User Execution: Malicious File

o   Victims are prompted to download and run fake "desktop app updates" that are actually malware binaries.

·       T1204.004 - User Execution: Malicious Copy and Paste

o   Some "ClickFix" campaigns trick users into executing malicious code through copy-paste instructions.

Persistence & Command and Control

·       T1105 - Ingress Tool Transfer

o   The malicious binaries download and install legitimate remote monitoring and management tools such as Syncro or ScreenConnect.

·       T1219 - Remote Access Software

o   Threat actors use the installed tools (Syncro/ScreenConnect) to connect to the victim's device and deploy further malware or steal data.

Reconnaissance, Resource Development & Social Engineering

·       T1598 - Phishing for Information

o   Attackers use automated calls (vishing) or texts (smishing) warning of "unauthorized access", eventually asking for the master password.

·       T1583.001 - Acquire Infrastructure: Domains

o   Actors pre-register deceptive domains such as lastpassdesktop.app to host their phishing kits.

·       Deepfake Impersonation

o   Recent trends in 2025/2026 include using AI-generated deepfake audio to impersonate support agents during follow-up calls.

Malware Name

Atomic Stealer (also known as AMOS)

Malware Sample

sha256

0ae581638cedc98efb4d004a84ddd8397d1eab891fdfd836d27bd3ecf1d72c55

Malware Family

·       Infostealer

Known Decoding Key

·       No single static key is known. Recent variants XOR-obfuscate strings and payloads with keys that change per build to evade signature detection; researchers have noted that strings such as "osascript" are among those routinely obfuscated in the binary.

Verdict

Malicious

·       It is classified as highly dangerous information-stealing malware specifically targeting the macOS platform.

Primary Objectives

·       Exfiltrate sensitive browser data (passwords, session cookies, autofill info, and credit card details).

·       Steal cryptocurrency wallet files (e.g., Electrum, Binance, Exodus, Atomic, and Coinomi) and browser-based crypto extensions.

·       Harvest macOS Keychain passwords and system-level login credentials.

·       Extract files from common user directories like Desktop and Documents.

·       Capture Telegram desktop data and OpenVPN profiles.

Threat Actor Context

·       Operates as a Malware-as-a-Service (MaaS), sold on Telegram for roughly $3,000 per month as of late 2025/early 2026.

·       Recent evidence, including Russian-language comments in source code, suggests involvement of Russian-speaking cybercriminals.

·       Targeting is global, with high concentrations in the United States, United Kingdom, France, and Canada.

Behavior Analysis

Initial Access

o   Typically distributed via social engineering, such as "cracked" software, fake browser updates, or SEO-poisoned ads.

Execution

o   Often delivered as a 64-bit Golang executable within a .dmg file. It frequently uses AppleScript-based spoofing (prompting for a system password) to gain elevated permissions.

Anti-Detection

o   Uses rotating domains for C2 and generates unique hashes for every download to bypass static file-based signatures.

Persistence

o   Historically used a "smash-and-grab" approach with no persistence, but 2025/2026 variants have introduced LaunchAgents/LaunchDaemons and even embedded backdoors for long-term access.

Data Handling

o   Harvested data is temporarily stored in the /tmp/ directory before being compressed and exfiltrated to a remote C2 server.
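The persistence and staging behaviour above (a LaunchAgent/LaunchDaemon job, a stager living under /tmp, an osascript password prompt) can be hunted for on a Mac by reading the launchd plists directly. The script below is an added example, not code from CyberDax or from any AMOS analysis: the two plists are constructed, the directory list, suspicious-path list and label heuristics are assumptions to tune for your fleet, and scan_dirs() is the live entry point while scan_plists() runs offline.

```python
"""Hunt launchd plists for the persistence pattern this page attributes to
2025/2026 AMOS variants. Added example; sample plists are constructed."""
import plistlib
from pathlib import Path

# Temporary or user-writable locations a dropped stager tends to run from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/",
                   "/Library/Caches/", "/var/folders/")
# Shells, downloaders and osascript (the AppleScript binary behind the fake password dialog).
SUSPICIOUS_TOOLS = ("osascript", "/bin/sh", "/bin/bash", "/bin/zsh", "curl", "base64")
# A vendor-looking label whose program lives outside these trees deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
VENDOR_LABELS = ("com.apple.", "com.google.", "com.microsoft.", "com.adobe.")


def command_line(job: dict) -> str:
    """Reconstruct the command launchd will run from Program / ProgramArguments."""
    args = [str(a) for a in job.get("ProgramArguments", [])]
    prog = job.get("Program")
    if prog and (not args or args[0] != prog):
        args = [str(prog)] + args
    return " ".join(args)


def assess_job(job: dict) -> list[str]:
    """Return the reasons a launchd job looks like malware persistence (empty = clean)."""
    cmd = command_line(job)
    reasons = []
    if any(d in cmd for d in SUSPICIOUS_DIRS):
        reasons.append("executes from temp or user-writable directory")
    if any(t in cmd for t in SUSPICIOUS_TOOLS):
        reasons.append("shell/interpreter/downloader in ProgramArguments")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (auto-restart)")
    label = str(job.get("Label", ""))
    program = cmd.split(" ", 1)[0]
    if label.startswith(VENDOR_LABELS) and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("vendor-style label but program outside trusted paths")
    return reasons


def scan_plists(blobs: dict[str, bytes]) -> dict[str, list[str]]:
    """Assess {name: raw plist bytes}; only names with findings are returned."""
    findings = {}
    for name, raw in blobs.items():
        try:
            job = plistlib.loads(raw)
        except Exception:  # InvalidFileException or an XML parse error
            findings[name] = ["unparseable plist"]
            continue
        reasons = assess_job(job)
        if reasons:
            findings[name] = reasons
    return findings


def scan_dirs(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")):
    """Live hunt: read every .plist from the standard launchd directories."""
    blobs = {str(p): p.read_bytes() for d in dirs for p in Path(d).expanduser().glob("*.plist")}
    return scan_plists(blobs)


# Constructed samples: one ordinary vendor agent, one job shaped like the described persistence.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/backupd</string><string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/tmp/.x/agent; osascript -e 'display dialog "Enter your password"'</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, reasons in scan_plists({"benign.plist": BENIGN_PLIST, "suspect.plist": SUSPECT_PLIST}).items():
        print(name, "->", "; ".join(reasons))
```

Every rule here is a heuristic, so treat a hit as a lead for triage (check the binary's code signature and Team ID, the plist's creation time, and the parent that wrote it) rather than as a verdict.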

Suggested Rules / potential hunts

Suricata

Look-alike domain detection. The single rule below covers the domains reported on this page (mail-lastpass[.]com, lastpassrecovery[.]com) together with the related look-alikes lastpasspulse[.]blog, lastpassdesktop[.]com, lastpassdesktop[.]app, mypasskey[.]info and passkeysetup[.]com; add new domains to the alternation as they are reported. The anchored pcre matches the domain and any subdomain of it. A pcre on dns.query without a content match has no fast pattern and costs more per query, which is acceptable for a short hunting list.

alert dns $HOME_NET any -> any any (msg:"LOCAL HUNTING Possible LastPass look-alike domain query"; dns.query; pcre:"/(^|\.)(mail-lastpass\.com|lastpassrecovery\.com|lastpasspulse\.blog|lastpassdesktop\.(com|app)|mypasskey\.info|passkeysetup\.com)$/i"; sid:1000001; rev:2;)

Suspicious URI path for updates. The path below is a placeholder, not an observed IOC from this campaign; replace it with paths seen in your own telemetry. The sample on this page is a macOS .dmg, so extend the extension match to .dmg and .pkg where Macs are in scope.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL HUNTING Fake LastPass update download attempt"; flow:established,to_server; http.uri; content:"/lastpass/update/"; nocase; content:".exe"; nocase; sid:1000002; rev:2;)

SentinelOne

Identify Connections to Phishing Domains

DnsName Contains AnyCase "lastpass" AND DnsName != "lastpass.com" AND NOT (DnsName EndsWith ".lastpass.com")

The exclusion must be on the exact apex and true subdomains only: an exclusion of the form !Contains "lastpass.com" silently drops mail-lastpass[.]com, the very domain listed in this page's IOCs, because that name contains the substring. Field and operator names follow the Deep Visibility style used on this page; adapt them to your console's query language version.

 

Detect Malicious Update Execution

ProcessName.Lowercase() contains "lastpass" AND (ProcessName.Lowercase() contains "update" OR ProcessName.Lowercase() contains "setup") AND SignedStatus != "Signed"

 

Identify Suspicious Credential Access (Post-Phish)

EventType = "Handle" AND ObjectType = "Process" AND ObjectName.Lowercase() = "lsass.exe" AND ProcessName.Lowercase() != "lastpass.exe"

Splunk

Detecting Access to Look-alike Domains (via Web Logs):

index=web sourcetype=access_*

| eval domain=lower(url_domain)

| where match(domain, "lastpass") AND NOT match(domain, "(^|\.)lastpass\.com$")

| stats count by src_ip, domain, url

The exclusion regex is anchored to a label boundary on purpose: a plain lastpass\.com$ also matches mail-lastpass.com and would hide this campaign's phishing domain.

 

Detecting Phishing Emails (via Mail Logs):

index=email sourcetype=m365:email

| search subject="*Before Maintenance*" OR subject="*Secure Your Vault*" OR subject="*Backup Your Vault*" OR subject="*LastPass Maintenance*" OR subject="*Legacy Access*" OR subject="*We Have Been Hacked*" OR subject="*Update Your LastPass*"

| stats count by sender, recipient, subject, link_url

The first four patterns cover the subject lines listed for this campaign under Email Subject line below; the remaining three come from the earlier "desktop app" lures. The sourcetype and the sender, recipient and link_url field names depend on the mail add-on in use and are assumptions to adjust.

 

Correlation: User Received the Lure and then Executed a Matching Binary

index=endpoint (sourcetype=WinEventLog:Sysmon OR sourcetype=s1_events) CommandLine="*lastpass*" CommandLine="*.exe*"

| join type=inner user [

    search index=email subject="*LastPass*"

    | rename recipient AS user, _time AS email_time

    | table user, email_time, subject

]

| where _time >= email_time

| table _time, email_time, user, CommandLine, subject

The join key must carry the same identity format in both sources (e-mail address versus sAMAccountName is the usual mismatch), which is why the subsearch renames recipient to user; renaming the subsearch's _time avoids overwriting the process event's timestamp so the ordering check works. This pairing covers Windows process telemetry; for the macOS sample on this page, hunt instead for hdiutil mounts of freshly downloaded images followed by osascript "display dialog" prompts from the same user session.

Delivery Method

·       Email

Email Subject line

·       LastPass Infrastructure Update: Secure Your Vault Now

·       Your Data, Your Protection: Create a Backup Before Maintenance

·       Don't Miss Out: Backup Your Vault Before Maintenance

·       Important: LastPass Maintenance & Your Vault Security

·       Protect Your Passwords: Backup Your Vault (24-Hour Window)

Red Flags to Watch For

To protect your account, verify the following details before interacting with any email:

·       Check the Sender

o   Legitimate LastPass emails only come from

§  @lastpass.com

§  @m.lastpass.com

§  @t.lastpass.com

§  @ar.lastpass.com

·       Master Password Requests

o   LastPass will never ask for your master password via email, phone, or link.

·       Verify URLs

o   Hover over links before clicking. Official pages are on https://lastpass.com or a subdomain that ends in .lastpass.com (https://<subdomain>.lastpass.com). A name that merely contains "lastpass", such as mail-lastpass[.]com, is not a LastPass subdomain.

·       Action

o   If you receive a suspicious email, forward it as an attachment to abuse@lastpass.com and delete it immediately.

References

Blog LastPass

·       hxxps://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers

VirusTotal

·       hxxps://www.virustotal.com/gui/file/0ae581638cedc98efb4d004a84ddd8397d1eab891fdfd836d27bd3ecf1d72c55
