Phishing attack detected following the data breach on Passwordstate

Click Studios, the Australian software company that disclosed a supply chain attack involving its Passwordstate password management app, has issued a warning to customers about a phishing campaign being carried out by an unknown threat actor.

In an updated advisory, the company confirmed that a threat actor has started a phishing campaign, with a small number of customers receiving emails demanding immediate action. Click Studios has not sent these emails.

According to Click Studios, the attackers used sophisticated techniques to compromise Passwordstate’s update process, allowing malware to be dropped on users’ devices.

Only customers who updated the Passwordstate password management app between 8:33 PM UTC on April 20 and 0:30 AM UTC on April 22 were affected.

This means that only a small fraction of the company’s 29,000 customers were affected.

Click Studios is advising users to avoid sharing company correspondence on social media, stating that the attacker is actively monitoring these platforms for information about the attack in order to exploit it.

The original attack used a trojanized Passwordstate update file containing an altered DLL (“moserware.secretsplitter.dll”) that, once extracted, downloaded a second-stage payload from a remote server in order to extract confidential information from compromised systems.

Click Studios responded by releasing a hotfix kit called “Moserware.zip” to assist the affected customers by removing the altered DLL and has advised these users to reset their passwords in the password manager.

The current phishing campaign uses seemingly legitimate email messages that “replicate Click Studios email material” in order to spread a new version of the malware.

Customers are being asked to download a modified hotfix Moserware.zip file from a CDN that is not managed by Click Studios.

The company stated that the file has since been taken down.

According to the initial review, this modified file contains a newly updated version of the malformed Moserware.SecretSplitter.dll that, when loaded, attempts to obtain the payload file from an alternate source.
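The defensive check a customer would want here is to treat any hotfix offered from a host outside the vendor's own domain as suspect, and to verify the archive's digest before running it. The script below is an added example, not tooling from Click Studios or the original article: the vendor domain, the expected SHA-256 and the sample links are constructed placeholders.

```python
"""Triage helper for the Passwordstate hotfix lure described above (added
example, not Click Studios' tooling). Flags links offering "Moserware.zip"
from a host outside an allowlisted vendor domain and verifies a download
against an expected SHA-256. Domain and digest are placeholders."""
import hashlib
from urllib.parse import urlparse

# Assumed allowlist of hosts a customer treats as legitimate for hotfixes.
VENDOR_DOMAINS = ("clickstudios.example",)  # placeholder, not the real host
HOTFIX_NAME = "moserware.zip"
EXPECTED_SHA256 = "0" * 64  # placeholder for a vendor-published digest

def host_is_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or one of its subdomains.
    Matches on label boundaries, so "clickstudios.example.cdn.test" fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def classify_link(url: str) -> str:
    """Return 'hotfix-untrusted-host', 'hotfix-trusted-host' or 'other'."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename != HOTFIX_NAME:
        return "other"
    if parsed.scheme == "https" and host_is_allowed(parsed.hostname or ""):
        return "hotfix-trusted-host"
    return "hotfix-untrusted-host"

def triage_email_links(urls):
    """Return the links matching the lure: the hotfix offered off-vendor."""
    return [u for u in urls if classify_link(u) == "hotfix-untrusted-host"]

def hotfix_hash_matches(data: bytes, expected_hex: str = EXPECTED_SHA256) -> bool:
    """Verify a downloaded archive against the vendor-published digest."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()

# Constructed sample links: a third-party CDN, a look-alike subdomain trick,
# a link on the allowlisted vendor domain, and an unrelated vendor page.
SAMPLE_LINKS = [
    "https://cdn-files.example.net/clickstudios/Moserware.zip",
    "https://clickstudios.example.cdn-files.example.net/Moserware.zip",
    "https://downloads.clickstudios.example/hotfix/Moserware.zip",
    "https://clickstudios.example/blog/advisory",
]

if __name__ == "__main__":
    for link in triage_email_links(SAMPLE_LINKS):
        print("suspicious hotfix link:", link)
```

Run against links extracted from a suspect email, the first two sample links are reported and the vendor-hosted one is not; the digest check is the second gate before the archive is opened.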