
Cyber Incident Victim: Click Studios

Date:

Apr 2021

Location:

Australia

Summary

A supply-chain attack compromised the update mechanism of Click Studios' Passwordstate, a corporate password manager, exposing up to 29,000 enterprise users to a malicious file masquerading as a legitimate upgrade. The backdoored component harvested system information and sensitive credentials—including those for firewalls, VPNs, and servers—and exfiltrated the data to attacker-controlled infrastructure. The incident, part of a trend targeting software distribution channels, impacted organizations globally; the first-stage malware went undetected by antivirus engines at the time of initial analysis, and the malicious payload executed in memory to evade defenses.


Description

The Click Studios Passwordstate incident began on April 20, 2021, at 8:33 AM UTC when attackers compromised the password manager’s update mechanism. A malicious file named 'moserware.secretsplitter.dll' was distributed to users through this compromised upgrade channel. This file contained both a legitimate SecretSplitter application and malicious code identified as 'Loader.' The Loader component initiated communication with an attacker-controlled server at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip to retrieve an encrypted second-stage payload. Once decrypted, the payload executed directly in memory without leaving disk artifacts. According to Click Studios’ email to customers, the malware extracted system information and specific Passwordstate data, exfiltrating it to the attackers’ CDN network. The malicious update campaign persisted until April 22 at 12:30 AM UTC, with the attacker’s infrastructure being shut down at 7:00 AM UTC that same day. Security firm CSIS Group confirmed the technical details of the initial payload but noted researchers could not obtain samples of the follow-on payload. At the time of reporting, none of the 68 antivirus engines on VirusTotal detected the first-stage malware.
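
As an added illustration (not part of the original incident record), the following Python script hunts proxy logs for the indicators named above. The log format and the sample lines are constructed; only the domain, the file names and the campaign window come from the page.

```python
# Added example, not from the original page: hunt proxy logs for the
# indicators of the Passwordstate update compromise described above.
from datetime import datetime, timezone
from urllib.parse import urlparse

# Indicators taken from the page; the domain is refanged from 'kxcdn[.]com'.
IOC_DOMAIN = "passwordstate-18ed2.kxcdn[.]com".replace("[.]", ".")
IOC_FILES = {"upgrade_service_upgrade.zip", "moserware.secretsplitter.dll"}
# Campaign window as reported: first malicious update to infrastructure takedown.
WINDOW_START = datetime(2021, 4, 20, 8, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 22, 7, 0, tzinfo=timezone.utc)

def host_matches(host, ioc):
    """True for the IoC host itself or any subdomain; substring matches
    such as 'notkxcdn.com' are deliberately rejected."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def hunt(log_lines):
    """log_lines use a constructed format: '<ISO-8601 UTC> <client> <url>'.
    Returns (timestamp, client, reasons, inside_campaign_window) per hit."""
    hits = []
    for line in log_lines:
        ts_str, client, url = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        parsed = urlparse(url)
        reasons = []
        if host_matches(parsed.hostname or "", IOC_DOMAIN):
            reasons.append("c2-domain")
        fname = parsed.path.rsplit("/", 1)[-1].lower()
        if fname in IOC_FILES:
            reasons.append("ioc-file:" + fname)
        if reasons:  # a hit inside the window is the strongest signal
            hits.append((ts, client, ",".join(reasons), WINDOW_START <= ts <= WINDOW_END))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "2021-04-20T09:10:00Z 10.1.2.3 https://passwordstate-18ed2.kxcdn.com/upgrade_service_upgrade.zip",
    "2021-04-20T09:11:00Z 10.1.2.3 https://www.example.com/index.html",
    "2021-04-23T10:00:00Z 10.1.2.9 https://sub.passwordstate-18ed2.kxcdn.com/stage2.bin",
    "2021-04-21T03:00:00Z 10.1.2.7 https://example.net/upgrade_service_upgrade.zip",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Hits outside the reported window (such as the third sample line) still deserve review, since the domain was attacker-controlled regardless of the published timeline.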


The breach impacted up to 29,000 enterprise customers and 370,000 security and IT professionals globally, including Fortune 500 companies. Compromised credentials included passwords for firewalls, VPNs, switches, servers, and local accounts—critical infrastructure components for corporate networks. Click Studios disclosed the incident via customer email, emphasizing Passwordstate’s support for multiple two-factor authentication (2FA) options, though the company did not specify whether 2FA mitigated any unauthorized access resulting from the theft. The company advised all users to immediately reset stored passwords, particularly for high-value systems. The incident represented a supply-chain attack vector, mirroring tactics seen in the SolarWinds and Codecov breaches disclosed months earlier. Click Studios did not publicly respond to media inquiries regarding the breach. The compromise highlighted systemic risks associated with centralized password management solutions, particularly when update mechanisms are vulnerable to interception or manipulation.
