What you need to know
- Hackers are utilizing a fake version of KMSPico to spread Cryptbot malware to PCs.
- The authentic version of KMSPico is a tool used by pirates to bypass Windows and Office license requirements.
- The attack is particularly dangerous because using KMSPico often requires people to disable antimalware software.
A popular pirating tool is being imitated by malicious actors in an attempt to spread malware. According to a report by Red Canary from December 2, 2021, fake versions of KMSPico have been utilized to get malware onto PCs. If someone allows their system to be compromised by the fake software, the Cryptbot malware can steal credentials.
KMSPico is a tool used to circumvent license fees for Windows and Office. It uses Windows Key Management Services — a tool frequently used for legitimate reasons by enterprise clients — to fraudulently activate software.
Because KMSPico is used to pirate software, many antimalware tools flag it as a potentially unwanted program (PUP). As a result, pirates will often disable security features to use KMSPico. This makes a fake version of the software especially dangerous, as PC owners may have voluntarily left themselves defenseless.
Cryptbot can collect sensitive information from the following applications:
- Atomic cryptocurrency wallet
- Avast Secure web browser
- Brave browser
- Ledger Live cryptocurrency wallet
- Opera Web Browser
- Waves Client and Exchange cryptocurrency applications
- Coinomi cryptocurrency wallet
- Google Chrome web browser
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
- Mozilla Firefox web browser
- CCleaner web browser
- Vivaldi web browser
Red Canary suggests that PC owners activate software through legitimate means. "A pirate's life is not the life for us, especially when it comes to cracked software. KMSPico is license-circumvention software that can be spoofed in a variety of ways, and in this case a malicious version led to an interesting Cryptbot infection designed to steal credentials." The report concludes by saying, "save yourself the trouble and go for legitimate, supported activation methods."
Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.
AHAHAHAH no. I'll still pirate, because **** Microsoft, and I'd much rather be a pirate than a peasant buying **** lololol. Everyone, sing with me:
"Yarr har fiddle dee dee
Being a pirate is alright to be
Do what you want cause a pirate is free
You are a pirate!"
Also, if you want to pirate, read this: https://www.reddit.com/r/Piracy/wiki/megathread . There's tons of information about how to pirate safely, so you don't have to be scared about bullshit stuff like this.
But you can get Windows keys for good prices if you look in the right place and they are legal, so why bother to pirate Windows?