What It Is
Cosmali Loader is a Windows-based malware loader. Its main purpose is to download additional malicious components onto an infected system. Observed samples have been used to drop two types of unwanted software: cryptomining utilities that hijack CPU/GPU resources, and the XWorm remote-access Trojan (RAT), which gives an attacker remote control of the compromised machine.
Who's Targeted
The threat targets Windows computers where users run the open-source Microsoft Activation Scripts (MAS) tool. Attackers have registered a lookalike domain that is easy to mistype (for example, get.activate.win instead of the legitimate get.activated.win). When a user enters the incorrect address, the MAS script contacts the malicious site and downloads the Cosmali Loader.
How It Works
The observed behaviour can be summarised as follows:
- Typosquatted domain: A domain that closely resembles the official MAS site is registered. Users who mistype the address are unknowingly directed to this malicious site.
- Malicious script delivery: The fake site provides a PowerShell script that appears to be part of the activation process. Running the script results in a Cosmali Loader infection.
How To Protect
To reduce the risk of falling victim to this typosquatting trick, consider these practical steps:
- Double-check domain names before running MAS commands; copy them from trusted sources rather than typing them manually.
- Only execute PowerShell scripts that come from verified, trusted locations.
- Maintain up-to-date antivirus or endpoint protection that can flag unknown PowerShell payloads.
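The typosquatting behaviour described under "How It Works" and the domain-checking advice above can be turned into a simple detection: flag any host in proxy or DNS logs that is within a couple of character edits of the legitimate MAS domain but is not that domain. The example below is added here and is not code from the original article or from the MAS project; the log format and the log lines are constructed for illustration.

```python
import re
from typing import List, Tuple

# Legitimate MAS download host named in the article; the observed typosquat drops one letter.
LEGITIMATE_HOST = "get.activated.win"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, legit: str = LEGITIMATE_HOST, max_distance: int = 2) -> bool:
    """True when host is not the legitimate domain but is only a few edits away from it."""
    host = host.lower().rstrip(".")
    return host != legit and edit_distance(host, legit) <= max_distance


# Constructed proxy-log lines (not real telemetry): timestamp, client IP, host, request path.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 get.activated.win /
2024-01-01T10:00:07Z 10.0.0.9 get.activate.win /
2024-01-01T10:00:09Z 10.0.0.9 example.com /index.html
2024-01-01T10:01:12Z 10.0.0.12 get-activated.win /
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def find_lookalike_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, host) pairs whose host looks like a typosquat of the MAS domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log layout
        _ts, client, host, _path = m.groups()
        if is_lookalike(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in find_lookalike_hits(SAMPLE_LOG):
        print(f"ALERT possible MAS typosquat: {client} -> {host}")
```

The edit-distance threshold is an assumption; tune it against your own log volume, since a loose threshold will also match unrelated short hostnames.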
Conclusion
The Cosmali Loader episode highlights how a simple typo can lead users to download serious malware. By mistyping a MAS activation domain, victims may unintentionally run a malicious PowerShell script that installs cryptominers and a remote-access Trojan. Staying vigilant about the exact domains you interact with and limiting the execution of unauthenticated scripts are the most effective ways to defend against this kind of social-engineering attack.