Skip to main content

Command Palette

Search for a command to run...

Fake MAS Windows activation domain used to spread PowerShell malware

Published
2 min readView as Markdown
Fake MAS Windows activation domain used to spread PowerShell malware
P

Phong Xuan

A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'.

BleepingComputer has found that multiple MAS users began reporting on Reddit [, ] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.

You have been infected by a malware called 'cosmali loader' because you mistyped 'get.activated.win' as 'get.activate[.]win' when activating Windows in PowerShell.

> > >

The malware's panel is insecure and everyone viewing it has access to your computer.

Reinstall Windows and don't make the same mistake next time.

For proof that your computer is infected, check Task Manager and look for weird PowerShell processes.

Based on the reports, attackers have set up a look-alike domain, "get.activate[.]win," which closely resembles the legitimate one listed in the , "get.activated.win."

Given that the difference between the two is a single character ("d"), the attackers bet on users mistyping the domain.

Security researcher RussianPanda discovered that the notifications are related to the open source Cosmali Loader malware, and could be related to similar by GDATA malware analyst Karsten Hahn.

RussianPanda told BleepingComputer that Cosmali Loader delivered cryptomining utilities and the XWorm remote access trojan (RAT).

Although it is unclear who pushed the warning messages to users, it is likely that a well-intended researcher to the malware control panel and used it to inform users of the compromise.

MAS is an open-source collection of PowerShell scripts that automate the activation of Microsoft Windows and Microsoft Office using HWID activation, KMS emulation, and various bypasses (Ohook, TSforge).

The project is hosted on GitHub and is openly maintained. However, Microsoft sees it as a piracy tool that activates products without a purchased license using unauthorized methods that circumvent its licensing system.

The maintainers of the project also warned users of the campaign and urged them to check the commands they type before executing them.

Users are recommended to avoid executing remote code if they don't fully understand what it does, always test in a sandbox, and avoid retyping commands to minimize the risk of fetching dangerous payloads from typosquatted domains.

Unofficial Windows activators have been repeatedly , so users need to be aware of the risks and exercise caution when using such tools.

Broken IAM isn't just an IT problem - the impact ripples across your whole business.

This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.


More from this blog

F

FPT Metrodata Indonesia Cyber Security

683 posts

FPT Metrodata Indonesia (FMI) provides news, analysis & guides on cybersecurity and threat intelligence for Indonesia & Vietnam. Visit https://news.fmisec.com. FMI: https://fmisec.com