KMSPico Malware: Saving on Windows Could Cost You Your Data
Cybersecurity company eSentire has reported a new campaign spreading the Vidar infostealer through fake websites posing as popular Windows activation tools like KMSPico, which are widely used in CIS countries. KMSPico and other KMS-based products are illegal tools designed to activate Windows and other Microsoft products without a license. Many users search for these tools online to activate their software for free, but such tools are often used by cybercriminals to distribute malware.
In the incident analyzed by eSentire, a user visited the site “kmspico[.]ws” and nearly downloaded an infected activator. After a thorough investigation of the site and its contents, experts concluded:
“The site ‘kmspico[.]ws’ is protected by Cloudflare Turnstile CAPTCHA and requires entering a code to download the final ZIP package,” eSentire noted. “These steps are highly unusual for legitimate download sites and are intended to hide the page and the malicious file from automated web scanners.”
The downloaded ZIP archive analyzed by experts contained Java dependencies and an executable file named “Setuper_KMS-ACTIV.exe.” When launched, this file disabled behavioral monitoring in Windows Defender and ran an AutoIt script. The AutoIt script then decrypted and launched the Vidar Stealer malware.
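Disabling Defender's behavioral monitoring, as the installer does here, leaves a trace that defenders can alert on: Defender logs a configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log. The following Python detection logic is an added example, not code from eSentire or the article; it parses the 5007 description text and flags changes that set a real-time protection "Disable*" value to 1, and the sample event messages are constructed.

```python
import re

# Registry values under ...\Windows Defender\Real-Time Protection that switch a
# protection feature off when set to 1 (real Defender value names).
DISABLE_FLAGS = {
    "DisableBehaviorMonitoring",
    "DisableRealtimeMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}

# Matches the "New value:" line of an Event ID 5007 description. Both the
# Policies\ path (GPO/MDM) and the plain path (Set-MpPreference) are covered.
NEW_VALUE_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\(?P<name>Disable\w+)\s*=\s*(?P<val>0x[0-9a-fA-F]+)",
    re.IGNORECASE,
)

def find_protection_tampering(events):
    """Return (event_id, setting) for each 5007 event whose New value sets a
    protection-disabling flag to 1. Events that restore a setting (empty New
    value) or change unrelated keys are ignored."""
    findings = []
    for event_id, message in events:
        if event_id != 5007:
            continue
        m = NEW_VALUE_RE.search(message)
        if not m:
            continue
        name = m.group("name").lower()
        canonical = next((f for f in DISABLE_FLAGS if f.lower() == name), None)
        if canonical and int(m.group("val"), 16) == 1:
            findings.append((event_id, canonical))
    return findings

# Constructed sample events shaped like the real 5007 description text;
# not copied from any incident.
SAMPLE_EVENTS = [
    (5007, "Windows Defender Antivirus Configuration has changed.\n\tOld value: \n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring = 0x1"),
    (5007, "Windows Defender Antivirus Configuration has changed.\n\tOld value: \n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"),
    (5007, "Windows Defender Antivirus Configuration has changed.\n"
           "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring = 0x1\n"
           "\tNew value: "),  # setting restored: must not alert
    (1116, "Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]

if __name__ == "__main__":
    for event_id, setting in find_protection_tampering(SAMPLE_EVENTS):
        print(f"ALERT: event {event_id} disabled Defender feature {setting}")
```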
Vidar is a well-known data-stealing malware. It can collect logins, passwords, browser history, cookies, autofill data, and financial information such as credit card details and cryptocurrency wallet data. The stolen data is sent to a command server, where attackers can access it.
In this campaign, Vidar Stealer used Telegram to store the IP address of its command-and-control (C2) server, hiding it within legitimate services. This method allows attackers to control infected systems without exposing their infrastructure.
Similar social-engineering attacks often rely on fake websites that mimic legitimate software, such as Advanced IP Scanner. According to a recent Trustwave SpiderLabs report, attackers have used this method to spread Cobalt Strike.
How to Stay Safe
- Always download software, whether official or not, only from trusted and reputable sources.
- Be wary of websites that require unusual steps, such as entering CAPTCHAs, to access downloads.
- Remember that many suspicious sites offering free software are actually distributing malware and are designed to evade automated web scanning systems.