Beware of the KMSPico software used to activate Windows or Office

KMSPico is one of the most popular tools for "activating" licenses for Microsoft products such as Windows operating systems and Office suites. It is, of course, illegal, but it does its cracking job very well, as long as it does not come with a hidden "prize", as security researchers warn.

KMSPico is a cracking tool that emulates a Windows Key Management Services (KMS) server to activate Windows or Office licenses. It can be found on standalone websites, forums and torrent networks, or bundled with cracked products. Microsoft does not seem very concerned about its use by consumers, under the (unstated) strategy that it is better for a user to run a pirated Windows than to switch to Linux or macOS, or to install a pirated Office rather than LibreOffice. It even runs specific offers aimed at pirates.

That is the only way to understand the massive availability of this pirated software, which, according to Red Canary, is also used in companies and by many IT departments. That has been discussed at length and is another story. The one that concerns us here is the use of modified installers to distribute malware, something cybercriminals do persistently, taking advantage of any software or service in high demand.

KMSPico to distribute malware.

The security firm Red Canary has warned of a fake KMSPico installer circulating on the Internet. It has been altered to infect Windows computers and is capable of dropping malware and performing malicious activities such as the theft of cryptocurrency wallets.


The malicious build is delivered as a self-extracting 7-Zip executable that includes and installs the real KMS emulator so that the victim does not become suspicious. Behind it, however, the real intention is to install Cryptbot, a Trojan specialized in stealing credentials and sensitive information from a list of applications used by millions of users, especially web browsers and cryptocurrency wallets such as:

  • Atomic
  • Avast Secure
  • Brave
  • Ledger Live
  • Opera Web
  • Waves Client and Exchange
  • Coinomi
  • Google Chrome
  • Jaxx Liberty
  • Electron Cash
  • Electrum
  • Exodus
  • Currency
  • MultiBitHD
  • Mozilla Firefox
  • CCleaner
  • Vivaldi
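The delivery vehicle described above is a self-extracting 7-Zip executable: a PE stub with a 7z archive appended to it. A first triage step for an installer of this kind is to confirm that structure statically, before anything is run. The script below is an added example written for this article, not code from Red Canary or from the KMSPico project; it locates the 7z signature inside a file, parses the 32-byte 7z signature header, checks both CRCs and reports any bytes trailing the archive. The sample input is constructed (a fake `MZ` stub followed by a minimal CRC-valid 7z layout), so the script runs offline.

```python
import struct
import zlib

# 6-byte 7-Zip archive signature ("7z" followed by BC AF 27 1C), which a
# self-extracting (SFX) executable carries right after its PE stub.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
SIG_HEADER_LEN = 32  # signature(6) + version(2) + StartHeaderCRC(4) + StartHeader(20)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_7z_signature_header(blob: bytes, offset: int) -> dict:
    """Parse the 32-byte 7z signature header found at `offset` in `blob`."""
    hdr = blob[offset:offset + SIG_HEADER_LEN]
    if len(hdr) < SIG_HEADER_LEN or hdr[:6] != SEVENZ_MAGIC:
        raise ValueError("no complete 7z signature header at offset %d" % offset)
    major, minor = hdr[6], hdr[7]
    (start_crc,) = struct.unpack_from("<I", hdr, 8)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", hdr, 12)
    # StartHeaderCRC protects the 20 bytes that follow it.
    start_crc_ok = crc32(hdr[12:32]) == start_crc
    # NextHeaderOffset is relative to the end of the signature header.
    nh_start = offset + SIG_HEADER_LEN + next_off
    next_header = blob[nh_start:nh_start + next_size]
    next_crc_ok = len(next_header) == next_size and crc32(next_header) == next_crc
    return {
        "version": "%d.%d" % (major, minor),
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "start_header_crc_ok": start_crc_ok,
        "next_header_crc_ok": next_crc_ok,
        "archive_end": nh_start + next_size,
    }


def triage_sfx(blob: bytes) -> dict:
    """Report whether `blob` looks like a PE with an appended 7z archive."""
    result = {"is_pe": blob[:2] == b"MZ", "sfx_offset": None}
    idx = blob.find(SEVENZ_MAGIC)
    if idx <= 0:
        return result  # offset 0 would be a plain .7z file, not an SFX executable
    try:
        info = parse_7z_signature_header(blob, idx)
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    result.update(info)
    result["sfx_offset"] = idx
    # Bytes after the archive's end are a second overlay and deserve a closer look.
    result["trailing_bytes"] = len(blob) - info["archive_end"]
    return result


def build_sample_sfx() -> bytes:
    """Constructed test input: a fake 128-byte MZ stub plus a minimal, CRC-valid 7z layout."""
    stub = b"MZ" + bytes(126)                 # not a real PE; just the magic and padding
    packed_streams = bytes(40)                # stand-in for the compressed streams
    next_header = b"\x01\x04\x06\x00"         # stand-in for the archive's end header
    start_header = struct.pack("<QQI", len(packed_streams), len(next_header), crc32(next_header))
    sig_header = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", crc32(start_header)) + start_header
    return stub + sig_header + packed_streams + next_header


if __name__ == "__main__":
    for key, value in triage_sfx(build_sample_sfx()).items():
        print("%-22s %s" % (key, value))
```

On a real sample you would pass the file's bytes to `triage_sfx`; a valid start-header CRC distinguishes a genuine appended archive from a chance six-byte match, and non-zero `trailing_bytes` means the installer carries more than the archive it advertises.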

The malware uses the CypherIT packer, which obfuscates the installer so that installed security software does not detect it. It also launches a hidden script capable of detecting sandbox environments and antivirus emulation. Cryptbot's operations do not rely on unencrypted binaries on disk, so it can only be detected by monitoring malicious behavior, such as the execution of PowerShell commands or external network communication.

