
Cosmali Loader delivery via Microsoft Activation Scripts typosquat

Malware Activity · Happening score: 12 · 1 unique source, 1 article

Summary


A typosquatted Microsoft Activation Scripts (MAS) domain is distributing malicious PowerShell scripts that install Cosmali Loader on Windows systems, creating a path to follow-on payloads and remote access. The malware has been associated with cryptomining utilities and the XWorm RAT, increasing both resource-abuse and takeover risk. The infection chain hinges on a one-character domain typo, making the lure easy to miss and dangerous to repeat.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 · Last: 19.05.2026 00:42 · Sources: 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

ClickFix compromised-site MIMICRAT campaign

Campaign
First: 20.02.2026 13:55 · Last: 20.02.2026 13:55 · Sources: 1

About this happening: The **ClickFix campaign** is abusing **compromised legitimate sites** to deliver the **MIMICRAT** remote access trojan through a **multi-stage infection chain**, widening risk acr...

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 · Last: 20.02.2026 13:55 · Sources: 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

ClickFix DNS-based nslookup staging campaign

Campaign
First: 15.02.2026 16:10 · Last: 15.02.2026 16:10 · Sources: 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 · Last: 11.02.2026 19:02 · Sources: 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Timeline

  1. 24.12.2025 19:44 · 2 articles

    MAS users report Cosmali Loader warnings

    Initial Disclosure

    Multiple Microsoft Activation Scripts (MAS) users on Reddit began reporting pop-up warnings about a Cosmali Loader infection after mistyping get.activated.win as get.activate[.]win while activating Windows in PowerShell.

  2. 24.12.2025 19:44 · 1 article

    RussianPanda links Cosmali Loader to XWorm and cryptomining

    Technical Analysis Update

    Security researcher RussianPanda identified the pop-up warnings as related to the open-source Cosmali Loader, said the malware delivered cryptomining utilities and the XWorm remote access trojan (RAT), and noted that the malware panel was insecure enough that a viewer could access the affected computer and warn users of the compromise.
