Unlocking pirated Windows 10/11 features? Beware of this deadly crypto malware
If you are trying to save a few bucks by settling for a pirated version of Windows 10 or Windows 11 and using a third-party tool to activate it, you have been warned. The popular KMSPico tool, which activates pirated copies of Windows, is being distributed with malware that steals all your crypto wallet data. Instead of saving some money, this shortcut could end up costing you more.
A research report from Red Canary has revealed how this crypto malware is spreading to greedy users and getting access to all cryptocurrency wallets and other related credentials. Called Cryptbot, it quietly installs in the background. Once it's there, it has front-row access to your crypto credentials.
Crypto malware spreading via KMSPico activator
"The user becomes infected by clicking one of the malicious links and downloading either KMSPico, Cryptbot, or another malware without KMSPico," Red Canary researcher Tony Lambert said. "The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."
For those wondering what KMSPico is, it is a tool to activate the full features of pirated versions of Microsoft Windows and Office apps. It is an unofficial tool, which is why you have to download it via third-party sites and sources.
However, the report says that the malware is only present in versions downloaded from other websites. The KMSPico official website isn't hosting any malware. A quick Google search reveals several of these third-party sources housing the malware in their downloads. Cryptbot is bundled with their packages and quietly installs in the background while the user sees the KMSPico installation happening.
However, this issue is not only plaguing regular users but also IT departments at several firms. “We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems. In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment,” says the report.
“KMSPico and other non-official KMS activators circumvent Microsoft licenses and are a form of pirated software, posing a non-trivial risk to organizations. Legitimate activation on Windows is the only method supported by Microsoft,” it adds.
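A defender's first step on the licensing point above is knowing which hosts are actually activated and against which KMS host. The script below is an added example, not code from the article or from Red Canary's report; it uses the built-in SoftwareLicensingProduct WMI class and assumes you maintain your own `$approvedKmsHosts` list.

```powershell
# Added example: inventory Windows activation state on a host so an IR team can
# see which machines rely on a valid license versus an unknown KMS activator.
# $approvedKmsHosts is an assumed, organization-specific list (constructed here).
$approvedKmsHosts = @('kms01.corp.example', 'kms02.corp.example')

# Only products with a partial product key are actually installed/activated.
$products = Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' }

foreach ($p in $products) {
    # LicenseStatus codes as documented for SoftwareLicensingProduct.
    $status = switch ($p.LicenseStatus) {
        0 { 'Unlicensed' }
        1 { 'Licensed' }
        2 { 'OOBGrace' }
        3 { 'OOTGrace' }
        4 { 'NonGenuineGrace' }
        5 { 'Notification' }
        6 { 'ExtendedGrace' }
        default { "Unknown($($p.LicenseStatus))" }
    }

    $kmsHost = $p.KeyManagementServiceMachine
    # A KMS host that your organization does not operate deserves a closer look;
    # a blank value simply means this product is not KMS-activated.
    $kmsOk = [string]::IsNullOrEmpty($kmsHost) -or ($approvedKmsHosts -contains $kmsHost)

    [PSCustomObject]@{
        Computer      = $env:COMPUTERNAME
        Product       = $p.Name
        LicenseStatus = $status
        KmsHost       = $kmsHost
        KmsApproved   = $kmsOk
        NeedsReview   = ($status -ne 'Licensed') -or (-not $kmsOk)
    }
}
```

Run it through your remote-management tooling and collect the rows where `NeedsReview` is true; those are the hosts to re-license before an incident forces the question.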