Fake MAS Windows Activation Domain Used to Distribute PowerShell Malware
- Dec 28, 2025
- 2 min read
Updated: Jan 26

A typosquatted domain mimicking the Microsoft Activation Scripts (MAS) tool has been used to distribute malicious PowerShell scripts. These scripts infect Windows systems with the 'Cosmali Loader'. I discovered this alarming trend when several MAS users began reporting issues on Reddit. They received pop-up warnings about a Cosmali Loader infection.
The pop-up shown to affected users reads:
"You have been infected by malware called 'cosmali loader' because you mistyped 'get.activated.win' as 'get.activate[.]win' while activating Windows in PowerShell. The malware's dashboard is not secure. Anyone who views it can potentially access your computer."
What to Do If You Are Infected
If you suspect that your system is compromised, I recommend acting immediately. Start by opening Task Manager (Details tab, with the Command line column enabled) and looking for PowerShell processes you did not start, especially ones launched with hidden-window or encoded-command arguments. Because Cosmali Loader has been seen deploying a remote access trojan, treat any credentials used on the machine as exposed and change them from a clean device. A full reinstall of Windows is the only way to be confident the infection is gone.
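As an added triage example (my own, not code from the original article or the MAS project), the following PowerShell script lists running PowerShell processes with their parent and full command line, and checks the persistence locations a PowerShell-delivered loader would most commonly use: scheduled tasks, Run/RunOnce keys and the Startup folders. The indicator pattern and function names are assumptions chosen for illustration; the output is a list of leads to examine by hand, not a verdict, and an empty result does not prove the machine is clean.

```powershell
# Added triage example; not part of the original article or the MAS project.
# Run from an elevated PowerShell prompt. Everything it prints is a lead to
# inspect by hand, not a verdict. The indicator pattern is an assumption.

# Command-line features typical of a loader started by "irm ... | iex":
# hidden windows, encoded commands, further downloads, in-memory execution.
$IndicatorPattern = '-enc|EncodedCommand|-w(indowstyle)? hidden|DownloadString|Invoke-Expression|\biex\b|Invoke-RestMethod|\birm\b|FromBase64String'

function Get-PowerShellProcessReport {
    # Every running powershell.exe / pwsh.exe with its parent and command line.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^(powershell|pwsh)\.exe$' } |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            [pscustomobject]@{
                PID         = $_.ProcessId
                Parent      = $parentName
                Flagged     = [bool]($_.CommandLine -match $IndicatorPattern)
                CommandLine = $_.CommandLine
            }
        }
}

function Get-PowerShellPersistenceReport {
    # Scheduled tasks whose action launches PowerShell.
    Get-ScheduledTask | ForEach-Object {
        $cmds = $_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' } |
                ForEach-Object { "$($_.Execute) $($_.Arguments)" }
        if ($cmds) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; Value = ($cmds -join ' ; ') }
        }
    }

    # Run / RunOnce keys for the current user and for the machine.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'powershell|pwsh|\.ps1' } |
            ForEach-Object { [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($_.Name)"; Value = $_.Value } }
    }

    # Startup folders (per-user and all-users).
    $startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    Get-ChildItem -Path $startup -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.FullName; Value = $_.LastWriteTime } }
}

Get-PowerShellProcessReport | Format-List
Get-PowerShellPersistenceReport | Format-Table -AutoSize -Wrap
```

Note that a script piped into Invoke-Expression runs inside the interactive PowerShell window the user already had open, so the process report alone can miss the initial stage; the persistence report is what shows whether anything was left behind to survive a reboot.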
Understanding the Threat
According to reports, attackers registered the deceptive domain "get.activate[.]win". It differs from the domain in the official MAS activation instructions, "get.activated.win", by a single missing character, the "d" in "activated". The tactic is effective because the MAS instructions have users type a one-line command into PowerShell that fetches the script from that domain and pipes it straight into execution (irm ... | iex), so a one-character slip silently downloads and runs whatever the look-alike domain serves, with no prompt in between.
Security researcher RussianPanda identified the alerts as linked to the open-source Cosmali Loader malware. GDATA malware analyst Karsten Hahn observed similar pop-up notifications that may be part of the same activity.


RussianPanda told BleepingComputer that Cosmali Loader was used to deploy cryptomining tools and the XWorm remote access trojan (RAT). It is unclear who sent the warning messages to users; the likeliest explanation, consistent with the pop-up's own remark about an unsecured dashboard, is that a well-intentioned researcher gained access to the malware's control panel and used it to warn the victims.
What is MAS?
MAS is an open-source set of PowerShell scripts that automates activation of Microsoft Windows and Microsoft Office through HWID activation, KMS emulation, and other bypass methods (Ohook, TSforge). The project is hosted on GitHub and actively maintained. Microsoft nonetheless considers it a piracy tool: it activates products without a purchased license by bypassing the licensing system.
The project's maintainers have warned users about this campaign and advise checking the command exactly as typed before executing it.

Best Practices for Safe Computing
Do not run remote code unless you understand what it does; where possible, try it first in a sandbox or a throwaway virtual machine. Copy the command from the project's official page rather than retyping it, so a typo cannot send the request to a look-alike domain, and check the host name before you press Enter. Better still, download the script to disk, read it, and only then run it, instead of piping the download straight into Invoke-Expression. Unofficial Windows activators have repeatedly been used as malware delivery vehicles, so treat any such tool with caution.
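As an added example (mine, not code from the original article or the MAS project), here is a fetch-then-review replacement for the "irm <url> | iex" pattern. It addresses both points above: the one-character typo in the domain, which it catches with an exact host check backed by an edit-distance comparison, and the advice to download and read a script rather than pipe it into execution. The only value taken from the article is the legitimate host get.activated.win; the function names, the edit-distance threshold and the indicator pattern are assumptions for illustration.

```powershell
# Added example; not from the original article or the MAS project.
# Replaces "irm <url> | iex" with: exact host check, typo detection,
# download to disk, hash, and a list of lines worth reading before running.
# Only get.activated.win comes from the article; the rest is assumed.

function Get-EditDistance {
    # Levenshtein distance between two strings, case-insensitive.
    param([string]$A, [string]$B)
    $a = $A.ToLowerInvariant(); $b = $B.ToLowerInvariant()
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object int[] ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Get-ScriptForReview {
    # Downloads a remote script to disk instead of piping it into Invoke-Expression.
    # The URL host must exactly match one of -KnownHosts. A host that is only a
    # character or two away from a known host is refused as a probable typosquat.
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$KnownHosts = @('get.activated.win'),   # host from the MAS instructions
        [int]$TypoThreshold = 2,                           # assumed; edits that count as "near miss"
        [string]$OutFile = (Join-Path $env:TEMP 'script-to-review.ps1')
    )
    $uri = [uri]$Url
    if ($uri.Scheme -ne 'https') { throw "Refusing non-HTTPS URL: $Url" }

    if ($KnownHosts -notcontains $uri.Host) {
        foreach ($known in $KnownHosts) {
            if ((Get-EditDistance $uri.Host $known) -le $TypoThreshold) {
                throw "Host '$($uri.Host)' is not '$known' but is within $TypoThreshold edits of it; probable typosquat, not fetching."
            }
        }
        throw "Host '$($uri.Host)' is not in the known-host list; not fetching."
    }

    # Download to a file; nothing is executed here.
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
    $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash

    # Crude indicators (assumed pattern) marking lines to read with extra care.
    $reviewLines = Select-String -Path $OutFile -Pattern 'Invoke-Expression|\biex\b|DownloadString|FromBase64String|-EncodedCommand' |
                   Select-Object -ExpandProperty LineNumber

    [pscustomobject]@{
        Path        = $OutFile
        Sha256      = $hash
        Lines       = (Get-Content -Path $OutFile).Count
        ReviewLines = $reviewLines
    }
}

# Usage: read the file at Path, then run it yourself, e.g.
#   powershell -ExecutionPolicy Bypass -File <Path>
# Get-ScriptForReview -Url 'https://get.activated.win'    # known host: downloaded for review
# Get-ScriptForReview -Url 'https://get.activate.win'     # one edit away: refused as probable typosquat
```

The exact-host check is what stops the attack: the mistyped host is not in the list, and because it is one edit away from get.activated.win the function reports it as a probable typosquat rather than fetching from it. Even on the legitimate host the script lands on disk with its SHA-256, so you can read it, and later confirm you are still running the same file, before executing anything.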
Conclusion
The fake MAS activation domain is a serious threat precisely because the attack needs nothing more than a registered look-alike domain and a single mistyped character. Double-check every URL you enter, prefer downloading and reading a script over piping it straight into execution, and stay informed about the latest threats.