If you are thinking of sailing the high seas and living the life of a pirate when it comes to Windows 10 or 11, you had better think twice.
Cryptobot, a cryptocurrency malware that steals wallet and account credentials, is now using the popular pirated Windows activation tool KMSPico to piggyback its way into your system.
KMSPico tricks Windows Key Management Services (KMS) into authenticating your copy of Windows as genuine. It also works with editions of Microsoft Office.
According to Red Canary, threat actors are targeting the “pirate community” by tainting the activation tool with Cryptobot. While software downloaded from KMSPico's official site was not found to be infected, it isn't easy to distinguish between the official and fake sites.
When a user downloads the infected software, Cryptobot is silently installed using background processes. Once in the system, Cryptobot starts collecting crypto wallet credentials and account details.
What is more worrying is that Red Canary has noticed several IT administrators using KMSPico to activate systems in offices.
“We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems,” writes Red Canary's Tony Lambert.
“In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”