
Fake MAS Windows Activation Domain Infects Windows Systems with Cosmali Loader and XWorm PowerShell Malware

  • Rescana
  • 6 days ago
  • 5 min read

Executive Summary

A sophisticated cyber threat campaign has emerged, leveraging a typosquatted domain mimicking the legitimate Microsoft Activation Scripts (MAS) project to distribute advanced PowerShell malware. The malicious domain, get.activate[.]win, closely resembles the authentic get.activated.win site, exploiting minor typographical errors made by users seeking to activate Windows or Microsoft Office products. Unsuspecting users who execute activation scripts from the fraudulent domain are infected with the Cosmali Loader malware, which subsequently deploys additional payloads such as the XWorm RAT and cryptomining utilities. This attack vector demonstrates the increasing sophistication of social engineering and supply chain manipulation in the wild, with significant implications for enterprise and individual security. Immediate awareness and technical countermeasures are essential to mitigate the risk posed by this campaign.

Threat Actor Profile

The operators behind the get.activate[.]win campaign have not been definitively linked to any known Advanced Persistent Threat (APT) group. The attack is characterized by opportunistic targeting, leveraging open-source malware and commodity tools rather than bespoke exploits. The use of typosquatting as an initial access vector, combined with the deployment of the Cosmali Loader and XWorm RAT, suggests a financially motivated actor with moderate technical sophistication. The campaign’s infrastructure, including an insecure malware control panel, indicates a focus on rapid exploitation and mass infection rather than stealth or long-term persistence. The threat actors demonstrate a keen understanding of user behavior, particularly the reliance on unofficial activation scripts and the prevalence of minor typographical errors during command-line operations.

Technical Analysis of Malware/TTPs

The attack chain begins when a user, intending to activate Windows or Microsoft Office using the popular MAS tool, inadvertently navigates to get.activate[.]win instead of the legitimate get.activated.win. The malicious site serves a PowerShell script that, when executed, initiates the download and execution of the Cosmali Loader. This loader is an open-source malware framework capable of deploying multiple secondary payloads.

Upon execution, Cosmali Loader establishes persistence on the infected system, often by modifying registry keys or leveraging scheduled tasks. It then downloads and executes additional malware, most notably the XWorm RAT. XWorm is a highly modular remote access trojan with capabilities including keylogging, credential theft, file exfiltration, and the ability to download and execute further payloads. In several observed cases, the loader also deployed cryptomining utilities, hijacking system resources to mine cryptocurrency for the attackers.

A unique aspect of this campaign is the use of pop-up warnings on infected systems. Victims reported messages stating: "You have been infected by a malware called 'cosmali loader' because you mistyped 'get.activated.win' as 'get.activate[.]win' when activating Windows in PowerShell. The malware's panel is insecure and everyone viewing it has access to your computer. Reinstall Windows and don't make the same mistake next time. For proof that your computer is infected, check Task Manager and look for weird PowerShell processes." This message, likely delivered by a third party who accessed the insecure control panel, serves as both a warning and a demonstration of the attack’s reach.

Technical indicators of compromise include persistent or anomalous PowerShell processes, unauthorized network connections to command-and-control infrastructure, and the presence of Cosmali Loader and XWorm RAT binaries or artifacts. The attack leverages several MITRE ATT&CK techniques, including T1566.001 (Spearphishing via typosquatting), T1059.001 (PowerShell execution), T1547 (Persistence via autostart), T1105 (Ingress Tool Transfer), T1003 (Credential Dumping), and T1496 (Resource Hijacking for cryptomining).

Exploitation in the Wild

The campaign has been widely reported across technical forums and social media, with multiple users on Reddit describing infections and the appearance of the aforementioned pop-up warnings. Security researchers, including "RussianPanda" and GDATA analyst Karsten Hahn, have confirmed the presence of Cosmali Loader and XWorm RAT as primary payloads. The insecure control panel associated with Cosmali Loader allowed third parties to access and interact with infected machines, further compounding the risk to victims.

The attack is notable for its reliance on user error and the widespread use of unofficial activation scripts. The infection vector is particularly effective against users who copy and paste PowerShell commands from unverified sources or who are unaware of the risks associated with typosquatting. The campaign has affected both individual users and enterprise environments, with the potential for lateral movement and further compromise in networked settings.

Victimology and Targeting

The primary victims of this campaign are users seeking to activate Windows or Microsoft Office products using the MAS tool. This includes a broad spectrum of individuals and organizations, from home users to enterprise IT administrators. The attack does not discriminate by geography or industry, instead targeting anyone who makes the critical typographical error when entering the activation domain.

Affected products include all versions of Windows supported by MAS (from Windows XP through Windows 11, including all editions such as Enterprise, Pro, Home, and Education) and all major versions of Microsoft Office (2010, 2013, 2016, 2019, 2021, and 365, including both Volume License and Retail). Additional products at risk include Visual Studio, RDS CALs, and systems utilizing Windows Extended Security Updates (ESU). Any system executing activation scripts sourced from the malicious domain is susceptible to compromise.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by this campaign. Organizations should add get.activate[.]win to DNS and web filtering blocklists to prevent accidental access. Endpoint detection and response (EDR) solutions should be configured to monitor for unusual or persistent PowerShell activity, as well as the presence of known Cosmali Loader and XWorm RAT artifacts.
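Going one step beyond a single blocklist entry, the following added PowerShell example (not part of the Rescana report) flags DNS queries that sit within a couple of edits of a protected domain, so look-alikes are surfaced before anyone has filed a blocklist entry for them. The log format and the sample lines are constructed; only get.activated.win and get.activate[.]win come from the report.

```powershell
# Added example, not from the Rescana report: flag DNS queries that are within a few
# edits of a protected domain, so look-alikes are caught before a blocklist entry exists.
$Protected = @('get.activated.win')    # the legitimate MAS host named in the report

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance (insert, delete, substitute); hostnames are case-insensitive, so lower-case first
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Find-LookAlikeQueries([string[]]$Lines, [string[]]$Protected, [int]$MaxDistance = 2) {
    # Expects "<date> <time> <client-ip> <record-type> <qname>" lines (constructed format); adapt the field index to your resolver
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Trim() -split '\s+'
        $qname  = $fields[-1].TrimEnd('.')
        foreach ($good in $Protected) {
            $d = Get-EditDistance $qname $good
            if ($d -gt 0 -and $d -le $MaxDistance) {      # 0 is the real domain; anything close to it is suspect
                [pscustomobject]@{ Client = $fields[2]; Query = $qname; LooksLike = $good; Distance = $d }
            }
        }
    }
}

# Constructed sample log, not captured traffic: one legitimate query, one to the typosquat from the report, one unrelated
$SampleLog = @'
2025-01-10 09:12:01 10.0.0.12 A get.activated.win
2025-01-10 09:13:44 10.0.0.27 A get.activate.win
2025-01-10 09:14:02 10.0.0.27 A www.microsoft.com
'@
$SampleLines = $SampleLog -split "`r?`n"

# Only the second line is reported: get.activate.win is one deletion away from get.activated.win
Find-LookAlikeQueries -Lines $SampleLines -Protected $Protected | Format-Table -AutoSize
```

Feed it a real resolver export in place of the constructed lines; raising MaxDistance catches more variants at the cost of more benign near-misses to triage.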

Security teams should conduct thorough scans of all endpoints for indicators of compromise, including unauthorized PowerShell processes, suspicious scheduled tasks, and network connections to known command-and-control infrastructure. Infected systems should be fully reimaged, as the presence of remote access trojans and insecure control panels indicates a high risk of persistent backdoor access.
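The endpoint sweep described here, together with the indicators listed under Technical Analysis, can be expressed as a read-only PowerShell hunt. This is an added example, not code from the Rescana report: the domain is the one named in the report, while the download-cradle and encoded-command patterns are generic shapes assumed here, not a Cosmali Loader signature.

```powershell
# Added example, not from the Rescana report: read-only hunt for the indicators the report describes.
# Only the domain is from the report; the other patterns are generic, not a Cosmali Loader signature.
$Indicators = @(
    'get\.activate\.win',                                                                # typosquatted domain named in the report
    '\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*\|\s*(iex|Invoke-Expression)\b',  # download-and-run cradle
    '\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}'                                 # long Base64 -EncodedCommand
)
$Pattern = $Indicators -join '|'

function Test-Suspicious([string]$Text) {
    # -match is case-insensitive by default, which suits PowerShell's case-insensitive aliases
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    return [bool]($Text -match $Pattern)
}

# A List is used so .Add() works from inside ForEach-Object script blocks (+= there would create a local copy)
$Findings = New-Object System.Collections.Generic.List[object]

# 1. Live PowerShell processes and their full command lines (other users' processes need an elevated shell)
Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" | ForEach-Object {
    if (Test-Suspicious $_.CommandLine) {
        $Findings.Add([pscustomobject]@{ Source = 'Process'; Id = $_.ProcessId; Detail = $_.CommandLine })
    }
}

# 2. Scheduled tasks whose action launches such a cradle (a persistence path the report names)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-Suspicious $cmd) {
            $Findings.Add([pscustomobject]@{ Source = 'ScheduledTask'; Id = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd })
        }
    }
}

# 3. Run keys for the current user and the machine (the other persistence path the report names)
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }    # skip the registry provider's own PSPath/PSParentPath metadata
        if (Test-Suspicious ([string]$prop.Value)) {
            $Findings.Add([pscustomobject]@{ Source = 'RunKey'; Id = "$key\$($prop.Name)"; Detail = $prop.Value })
        }
    }
}

# Findings are reported, never acted on; reimaging, as the report recommends, is a separate decision
$Findings | Format-Table -AutoSize -Wrap
```

Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later); network connections to the control infrastructure are best checked from EDR or firewall telemetry, since the report names no addresses.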

User awareness training is critical. All users should be educated on the dangers of typosquatting, the importance of verifying URLs before executing scripts, and the risks associated with unofficial activation tools. IT administrators should ensure that only trusted sources are used for software activation and that all scripts are reviewed prior to execution.

For organizations utilizing Rescana's Third-Party Risk Management (TPRM) platform, continuous monitoring of supply chain and vendor domains can provide early warning of similar typosquatting and supply chain manipulation attempts. Proactive threat intelligence and automated risk scoring can further reduce exposure to emerging threats.


About Rescana

Rescana is a leader in cyber risk intelligence and third-party risk management. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber threats across their entire digital supply chain. By leveraging advanced analytics, automated risk scoring, and real-time threat intelligence, Rescana enables proactive defense against emerging cyber risks. For more information or to discuss how our solutions can enhance your organization’s security posture, we are happy to answer questions at ops@rescana.com.
