A malicious domain mimicking Microsoft's activation site was exploited to distribute PowerShell scripts that infect Windows with Cosmali Loader. Users mistyping the domain risk infecting their systems, with the malware delivering cryptomining utilities and remote access trojans. #CosmaliLoader #PowerShell #typosquatting #KMSemulation
Key points
- A typosquatted domain was used to spread malicious PowerShell scripts targeting Windows activation.
- The malware, Cosmali Loader, delivers cryptomining and remote access Trojans like XWorm.
- Users mistyping the domain "get.activate[.]win" instead of "get.activated.win" are at risk of infection.
- The open-source MAS project is often exploited for unauthorized product activation and malware delivery.
- Security experts recommend executing commands cautiously and testing them in sandbox environments first, so that dangerous payloads are not run on production systems.
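The typosquat described above differs from the legitimate domain by a single character. As an added example that is not part of the original post, the following Python script flags observed domain names that sit within a small edit distance of a trusted domain, run here over a few constructed resolver log lines (the `query:` line format is an assumption, not any real resolver's output; the only real domain names are the two taken from the post).

```python
# Added example (not from the original post): flag DNS queries whose name is
# within a small edit distance of a trusted domain, the pattern behind the
# get.activate.win / get.activated.win typosquat described above.


def levenshtein(a: str, b: str) -> int:
    """Dynamic-programming edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# The legitimate MAS domain named in the post.
TRUSTED_DOMAINS = {"get.activated.win"}


def flag_lookalikes(domains, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (observed, trusted, distance) for every observed domain that is
    close to, but not equal to, a trusted domain."""
    hits = []
    for d in domains:
        d = d.lower().rstrip(".")
        for t in trusted:
            if d == t:
                continue
            dist = levenshtein(d, t)
            if dist <= max_distance:
                hits.append((d, t, dist))
    return hits


def parse_query_log(lines):
    """Extract the queried name from constructed 'query: <name>' log lines.
    The line format is an assumption for this example only."""
    names = []
    for line in lines:
        parts = line.split()
        if "query:" in parts:
            names.append(parts[parts.index("query:") + 1])
    return names


# Constructed sample log lines; timestamps and client addresses are made up.
SAMPLE_LOG = [
    "2025-01-01T10:00:00 client 10.0.0.5 query: get.activated.win A",
    "2025-01-01T10:00:03 client 10.0.0.7 query: get.activate.win A",
    "2025-01-01T10:00:09 client 10.0.0.9 query: example.org A",
]


if __name__ == "__main__":
    for hit in flag_lookalikes(parse_query_log(SAMPLE_LOG)):
        print("possible typosquat:", hit)
```

On the sample lines this reports only `get.activate.win` as a look-alike of `get.activated.win` at distance 1; the threshold of 2 is a tuning choice, and a production deployment would additionally whitelist known-legitimate neighbours to keep the alert volume manageable.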