Beware: Fake KMSPico Windows activator carries crypto wallet info stealing malware

Crypto wallets

Cybersecurity provider Red Canary has warned in a recent blog post that a malicious KMSPico installer is doing the rounds on the internet. This malware-carrying fake installer is capable of stealing user information from various cryptocurrency wallets, among other things. The theft is carried out by an information-stealing malware family called Cryptbot.

Red Canary says that the Cryptbot delivered by this malware is capable of collecting information from the following applications:

  • Atomic cryptocurrency wallet
  • Avast Secure web browser
  • Brave browser
  • Ledger Live cryptocurrency wallet
  • Opera Web Browser
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Google Chrome web browser
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet
  • Mozilla Firefox web browser
  • CCleaner web browser
  • Vivaldi web browser

While there are several browsers on this list, Microsoft's very own Edge isn't one of them, sort of validating its recent claim of being better than Chrome, at least in this instance.

KMSPico is an unofficial Windows and Office activator that is used to activate pirated copies of Windows or Office. The tool essentially allows for illicit Windows license circumvention by emulating Microsoft's Key Management Services (KMS) activation.

Red Canary also notes that it is not just individuals who use KMSPico to fraudulently activate Windows; the firm says it has also noticed various IT departments using the tool. A malicious KMSPico is therefore especially dangerous in such environments, where a single trojanized installer can land on centrally managed systems.

We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems.

It is also quite easy to fall for a malicious KMSPico, as many sites claim to be the official KMSPico creator, as shown in the image below:

The malicious KMSPico also installs the actual KMSPico file itself so that a user of a compromised system may not even suspect anything fishy until it is too late.

The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.

You can find more technical details on the official blog post linked here.
