Fake MAS Windows Activation Domain Used To Spread PowerShell Malware (bleepingcomputer.com)
(Thursday December 25, 2025 @04:00PM, msmash, from the psa dept.)
- Reference: 0180456521
- News link: https://it.slashdot.org/story/25/12/25/2058205/fake-mas-windows-activation-domain-used-to-spread-powershell-malware
- Source link: https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/
An anonymous reader shares a report:
> A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used [1]to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'. BleepingComputer has found that multiple MAS users began reporting on Reddit yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.
>
> Based on the reports, attackers have set up a look-alike domain, "get[dot]activate[dot]win," which closely resembles the legitimate one listed in the official MAS activation instructions, "get[dot]activated[dot]win." Given that the difference between the two is a single character ("d"), the attackers bet on users mistyping the domain.
[1] https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/
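A defender-side check for the one-character look-alike described in the summary, as an added example that is not from the article or the MAS project: it flags hostnames in log lines that sit within a small edit distance of a trusted host without being equal to it. The proxy-log format, the sample lines, the function names and the distance threshold of 2 are assumptions made for illustration; hosts stay defanged as the article prints them.

```python
import re

# Trusted host exactly as the article prints it (defanged); refanged only in memory.
TRUSTED = ["get[dot]activated[dot]win"]
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def refang(s):
    return s.replace("[dot]", ".").lower()

def defang(s):
    return s.replace(".", "[dot]")

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(line, trusted=TRUSTED, max_dist=2):
    """Hosts in `line` that are near, but not equal to, a trusted host."""
    good = [refang(t) for t in trusted]
    hits = []
    for host in sorted({h.lower() for h in HOST_RE.findall(refang(line))}):
        for t in good:
            d = edit_distance(host, t)
            if 0 < d <= max_dist:  # d == 0 is the trusted host itself
                hits.append((defang(host), defang(t), d))
    return hits

# Constructed sample lines (hypothetical proxy-log format, hosts kept defanged).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z ws-01 GET https://get[dot]activated[dot]win/",
    "2025-01-01T10:05:00Z ws-02 GET https://get[dot]activate[dot]win/",
    "2025-01-01T10:09:00Z ws-03 GET https://example[dot]org/index.html",
]

def scan(lines):
    """Map line number -> look-alike hits, for lines that have any."""
    return {n: h for n, l in enumerate(lines, 1) if (h := lookalikes(l))}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

The same comparison can run before a pasted command is executed, by passing the command text to `lookalikes` and refusing to continue when it returns any hit.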
If you need to "activate" your operating system... (Score:2)
... you already are infected with malware, even before visiting such a fake site. Just get a better operating system for free.
Re: (Score:2)
came here to say this but with slightly different snark
e.g. now do the official site