Cosmali Loader delivery via Microsoft Activation Scripts typosquat
Malware Activity
Summary
Hide ▲
Show ▼
A typosquatted Microsoft Activation Scripts (MAS) domain is distributing malicious PowerShell scripts that install Cosmali Loader on Windows systems, creating a path to follow-on payloads and remote access. The malware has been associated with cryptomining utilities and the XWorm RAT, increasing both resource-abuse and takeover risk. The infection chain hinges on a one-character domain typo, making the lure easy to miss and dangerous to repeat.
Related Happenings
Millenium RAT Windows malware activity and native C++ rewrite
Malware Activity
H score62
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...
Millenium RAT Windows malware activity and native C++ rewrite
Malware ActivityAbout this happening: The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
ClickFix compromised-site MIMICRAT campaign
Campaign
H score37
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **ClickFix campaign** is abusing **compromised legitimate sites** to deliver the **MIMICRAT** remote access trojan through a **multi-stage infection chain**, widening risk acr...
ClickFix compromised-site MIMICRAT campaign
CampaignAbout this happening: The **ClickFix campaign** is abusing **compromised legitimate sites** to deliver the **MIMICRAT** remote access trojan through a **multi-stage infection chain**, widening risk acr...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
H score22
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware ActivityAbout this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
ClickFix DNS-based nslookup staging campaign
Campaign
H score35
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
ClickFix DNS-based nslookup staging campaign
CampaignAbout this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
Timeline
-
24.12.2025 19:44 2 articles · 6mo ago
MAS users report Cosmali Loader warnings
Initial DisclosureMultiple Microsoft Activation Scripts (MAS) users on Reddit began reporting pop-up warnings about a Cosmali Loader infection after mistyping get.activated.win as get.activate[.]win while activating Windows in PowerShell.
Show sources
- Fake MAS Windows activation domain used to spread PowerShell malware — www.bleepingcomputer.com — 24.12.2025 19:44
- Fake MAS Windows activation domain used to spread PowerShell malware — www.bleepingcomputer.com — 24.12.2025 19:44
-
24.12.2025 19:44 1 articles · 6mo ago
RussianPanda links Cosmali Loader to XWorm and cryptomining
Technical Analysis UpdateSecurity researcher RussianPanda identified the pop-up warnings as related to open source Cosmali Loader, said the malware delivered cryptomining utilities and the XWorm remote access trojan (RAT), and noted that the malware panel was insecure enough that a viewer could access the affected computer and warn users of the compromise.
Show sources
- Fake MAS Windows activation domain used to spread PowerShell malware — www.bleepingcomputer.com — 24.12.2025 19:44