{"id":227829,"date":"2025-12-26T05:17:36","date_gmt":"2025-12-26T11:17:36","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/12\/fake-mas-windows-activation-domain-used-to-spread-powershell-malware"},"modified":"2025-12-26T05:17:36","modified_gmt":"2025-12-26T11:17:36","slug":"fake-mas-windows-activation-domain-used-to-spread-powershell-malware","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/12\/fake-mas-windows-activation-domain-used-to-spread-powershell-malware","title":{"rendered":"Fake MAS Windows activation domain used to spread PowerShell malware"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/fake-mas-windows-activation-domain-used-to-spread-powershell-malware.jpg\"><\/a><\/p>\n<p>A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the \u2018Cosmali Loader\u2019.<\/p>\n<p>BleepingComputer has found that multiple MAS users began reporting on Reddit [<a href=\"http:\/\/www.reddit.com\/r\/MAS_Activator\/comments\/1ptcqp1\/told_i_have_been_infected_by_a_malware_called\" target=\"_blank\" rel=\"nofollow noopener\">1<\/a>, <a href=\"https:\/\/www.reddit.com\/r\/computers\/comments\/1psm03h\/weird_scary_virus\/\" target=\"_blank\" rel=\"nofollow noopener\">2<\/a>] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.<\/p>\n<blockquote><p>You have been infected by a malware called \u2018cosmali loader\u2019 because you mistyped \u2018get.activated.win\u2019 as \u2018get.activate[.]win\u2019 when activating Windows in PowerShell.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the \u2018Cosmali Loader\u2019. BleepingComputer has found that 
multiple MAS users began reporting on Reddit [1, 2] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection. You have been [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-227829","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/227829","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=227829"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/227829\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=227829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=227829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=227829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}