Hackers are infecting Windows activators like KMSPico to steal from cryptocurrency wallets

nanoguy

Posts: 1,184   +20
Staff member
Why it matters: Software piracy isn't new, but with the proliferation of "activators" for Windows and Office, malicious actors are scrambling to take advantage of the unsuspecting users who rely on such tools. Those users believe they are saving on software licensing costs, but in doing so they expose their systems to sophisticated malware that evades detection by commercial antivirus solutions and can steal sensitive information.

If you’re purchasing or building a new PC, chances are you’ll need to buy a Windows license for it. Many people aren’t willing to part with more than $100 to get one, so they often resort to purchasing cheap keys from grey market websites or using one of several “activators” available online. The latter option is always a risky move, but historically it hasn’t caused any major damage to most users who went down that route.

According to security researchers at Red Canary, malicious actors have recently modified one of these tools to distribute malware that can steal tokens from cryptocurrency wallets. The tool in question is KMSPico, which can emulate a Key Management Services (KMS) server locally to activate licenses for Windows and Office products.

One of the malicious KMSPico installers analyzed by researchers comes packed with Cryptbot malware that can steal credentials and other sensitive information from web browsers installed on your PC. It also affects various cryptocurrency wallets such as Ledger Live, Atomic, Electrum, Exodus, Coinomi, and more. More importantly, it can be used to drop banking malware such as Danabot or any other malicious payload.

It’s also worth noting the Cryptbot malware is difficult to detect, as its creators use various methods to escape detection by traditional antivirus solutions, including encrypted binaries. Either way, this proves that going the piracy route in the case of Windows and Office isn’t worth it if you consider the risks involved. If anything, buying a PC that comes with Windows pre-installed when it’s on sale might be the best way to save money on the licensing front.

Red Canary intelligence analyst Tony Lambert says it’s not just regular home users that use this tool. Many small businesses try to save on licensing costs by using pirated copies of Windows and Office activated using KMSPico, which introduces a lot of security risks for their IT infrastructure. Lambert notes the firm even “experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”

Masthead credit: Arget | via Unsplash


 

VariableSpike

Posts: 80   +101
Windows keys are out there on the grey market for next to nothing; why would you bother exposing yourself to risk for no reason by trying to pirate it?

Thanks,
Dan
 

Dimitriid

Posts: 2,095   +4,001
Activators at this point are sort of a newbie trap anyway. If anyone would be so inclined by, say, being super frustrated with Microsoft expecting a full new license every time you switch motherboards or processors, even if they're the exact models you replaced through RMA, well, if that happens then this hypothetical person would quickly find that there are *a lot of people* who have either small businesses or big organizations that don't care much, with users that basically share valid keys for free that can activate 10 successfully.

Basically, Microsoft offers some companies such ridiculously generous pricing and plans that keys for them are basically free (not a big deal, since they make a lot selling them Microsoft Server for AD & Exchange, and only for the ones they don't manage to push to the cloud entirely). Some of those people do turn a profit and charge maybe 5 bucks on some of the popular 'grey area' sites, but if you look far and wide enough you can still find people who don't even try to make a bit of pocket change and just give out keys for free.

In fact, I'm surprised Nadella hasn't been able to convince the rest of Microsoft to forget selling software licenses for the core Windows OS and go all in on Desktop-as-a-Service or Operating-System-as-a-Service or whatever other XxxS naming they come up with to mean "You rent your computing experience from us instead of buying outright."

It's more profitable and a better way to lock people into giving you monthly payments than trying to sell a one-time license: if they would just roll the Windows licensing up along with Office 365 without raising the price much (so still under 10 bucks per month), they'd make money hand over fist.

(About to give them more evil ideas, so forewarned is foretold.) They could even just remove the same features they remove from the non-activated OS version from all initial sales and tell people "Hey, these additional features like wallpapers, remote desktop, etc. are part of our Windows 365 bundle, and you get all of the Office apps with 'em too and 1 TB of OneDrive to have free backups done automagically for you, only 5 bucks per month!" That would be the money-making scheme of a lifetime for them.
 

eforce

Posts: 902   +1,275
With Valve pushing SteamOS towards the mainstream, just making Windows free for personal use and charging for services/businesses may be the right step forward to maintain market share.
 

arrowflash

Posts: 514   +589
This is really old news. For years, KMSPico has been the target of crackers and scammers with fake "official" sites and fake "updated" versions full of malware. It's an outdated tool that's been deprecated and, afaik, isn't even updated anymore.
 

Ecurb

Posts: 7   +4
Windows activation is as buggy as any software. I rearrange hardware all the time, including moving from physical to virtual systems and even back to physical. I have retail licenses, but if my system doesn't activate after a few tries I'll often install KMSPico and press on. I have to disable MS Defender, as it tries to delete it, but other virus checkers just highlight it as something to be aware of. Lately, as I've moved more systems to Linux, I just don't worry about activating Windows on my remaining systems, as they are less critical, and I've encountered no issues so far (for years now). When Steam and Quicken work well on Linux, I'll be pretty much done with Windows for everyday use.
 

Nobina

Posts: 3,733   +4,106
There is an open-source activator for Windows, but now I just buy a key for like 3-4 euros and it lasts forever.
 

Bullwinkle M

Posts: 678   +547
Dimitriid and Ecurb are doing it wrong

With a single Windows 10 Pro License on one computer, I installed and activated 2 copies of Windows 11 Pro as "Windows 2 Go" installations

I can run all 3 copies of Windows on 3 separate computers with different hardware and all 3 copies remain activated and are getting updates

All 3 were online at the same time without problems

That's 3 copies of Windows, all activated from a single license, on 3 different machines

If Windows 11 ever stops getting updates on my 10 year old computers, I can simply use Windows 10 Pro on all 3 systems with the same method

 

BigRedPDX

Posts: 252   +175
Why would you need an activator? Go rip a Win7 serial off an older machine and use Microsoft's media creation tool to update to Win10. It's not very difficult.
 
(Quoting Dimitriid's post above on the "ridiculously generous pricing" some companies get for Windows licenses.)

I'm rather eager to know, in detail, how companies are able to secure those "ridiculously generous pricing" deals for Windows licenses ... Sounds like a business opportunity? Hmu in DMs if you can :)
 

dacoll

Posts: 19   +7
(Quoting Bullwinkle M's post above about running 3 activated copies of Windows from a single license.)

Mine is also quite awesome: a 10-year-old license key from my office PC, which was never upgraded back then due to an XP compatibility problem with some of our core company apps, can still be activated this year.
 

Bp968

Posts: 251   +175
(Quoting BigRedPDX's post above about reusing a Win7 serial with the media creation tool.)

I've been using the same 4-5 Windows 7 keys over *dozens* of installs now. This is definitely the route to take.
 

captaincranky

Posts: 18,545   +7,387
(Quoting Dimitriid's post above about Microsoft expecting a full new license every time you switch motherboards or processors.)

When the first Windows to require activation (XP) came out, I recall reading about a "point system", with the mobo having the most influence on your ability to reactivate after a modification.

However, pre-builts supplied with XP images, and not actual copies of Windows, were most likely to experience this after an attempted board R & R. Keep in mind those boards are "protected" by an administrative password set in the BIOS at the factory.

Speaking from my own experience with a home-built PC and an OEM copy of Windows, I trashed a board and easily obtained a re-activation, with all other parts of the system being the same.

Is Windows 10 different? I have absolutely no idea.

I did have an experience when I installed a new video card in a machine which was offline, and then got a notice from M$ claiming "my copy of Windows might be illegal". I typed in the code from my (OEM) copy of Windows, and the "stolen" nonsense quickly went away.