Typosquatted Windows Activation Domain Used to Spread PowerShell Malware

A typosquatted domain mimicking Microsoft’s official Windows activation script site has been used to distribute PowerShell malware, highlighting the dangers of imitation domains and unsanctioned scripts executed with elevated privileges.

Evan Mael

Summary

In late 2025, cybersecurity researchers observed a typosquatted domain impersonating Microsoft Activation Scripts (MAS) being used to distribute malicious PowerShell scripts that lead to the execution of Cosmali Loader, a stealthy malware loader.

Attackers set up a look-alike site - differing from the legitimate domain by a single character - to trick administrators, developers, and system integrators into executing commands that inadvertently download and launch malware. This technique exploits trust in known tooling and user assumptions about domain legitimacy - a classic yet highly effective social engineering tactic in cybercrime.

Technical Analysis

Typosquatting is a form of domain deception in which attackers register domains that are visually or typographically similar to legitimate ones. In this case, the fake domain get.activate[.]win closely mimics the legitimate MAS Windows activation host get.activated[.]win, differing by a single omitted letter - a small mistake that has major consequences when PowerShell commands are executed without verifying their source.

Once the victim executes a script from the fake domain, PowerShell - a trusted system automation framework in Windows - operates with existing privileges and can fetch and run additional malicious code. Because PowerShell is a legitimate administrative tool, many traditional defenses can fail to detect the activity. Analysts have noted that such scripts often operate in memory and avoid writing permanent payloads to disk, complicating detection.

What To Do Now

To defend against this type of threat:

  • Never run scripts from domains or sources you do not fully verify.
  • Use strict allowlists for PowerShell execution and enable script block logging with Group Policy.
  • Educate users and administrators about risks associated with copying and pasting commands from informal sources.
  • Employ endpoint detection solutions that monitor unusual PowerShell invocations and network interactions.

In enterprise environments, consistent application of security baselines and least-privilege practices significantly reduces the risk surface exploited by script-based malware.

IOC and Vectors

Indicators and attack vectors include:

  • Domain: get.activate[.]win - typosquatted activation script host
  • Execution: PowerShell command invocation triggered by user-run scripts
  • Payload: Cosmali Loader (malware loader that may fetch secondary artifacts)
  • User Behavior: Mistyped activation commands leading to unauthorized execution

These indicators should be prioritized for inclusion in threat intelligence feeds and SOC detection rules.

Verification Steps

To assess whether systems have been compromised by this technique:

  1. Review PowerShell execution logs via Windows Event Viewer or centralized SIEM.
  2. Check network logs for connections to domains with typographical variances (get.activate vs get.activated).
  3. Validate system processes for unexpected PowerShell child processes.
  4. Use forensic tools to detect Cosmali Loader artifacts or command patterns associated with the malicious script.
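As an added illustration of steps 1 and 2 (not code from the original article), the following Python snippet scans constructed DNS and PowerShell script block log lines for hosts that differ from a known-good host by only one or two characters, which is exactly the get.activate vs get.activated variance described above. The log format, the KNOWN_GOOD allowlist and the sample lines are assumptions made for this example.

```python
import re

# Assumption: the only host the organization expects for this tooling is the
# legitimate MAS host named in the article. Extend as needed.
KNOWN_GOOD = {"get.activated.win"}

# Constructed sample log lines (not real telemetry): DNS queries plus one
# PowerShell script block (Event ID 4104) entry that references the look-alike host.
SAMPLE_LOGS = [
    "2025-12-20T10:01:02Z dns query host=get.activated.win client=10.0.0.5",
    "2025-12-20T10:03:44Z dns query host=get.activate.win client=10.0.0.7",
    "2025-12-20T10:04:10Z ps 4104 ScriptBlockText=Invoke-RestMethod https://get.activate.win client=10.0.0.7",
    "2025-12-20T10:05:00Z dns query host=update.microsoft.com client=10.0.0.9",
]

# Pull hostnames out of 'host=' fields and URLs embedded in script block text.
HOST_RE = re.compile(r"(?:host=|https?://)([a-z0-9.-]+\.[a-z]{2,})", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a known-good host signals a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, max_dist: int = 2):
    """Return the known-good host this one resembles, or None if exact or unrelated."""
    host = host.lower().rstrip(".")
    if host in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if levenshtein(host, good) <= max_dist:
            return good
    return None


def find_typosquat_hits(lines):
    """Return (line, suspect_host, mimicked_host) for every look-alike reference found."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            good = lookalike_of(host)
            if good:
                hits.append((line, host.lower(), good))
    return hits


if __name__ == "__main__":
    for line, bad, good in find_typosquat_hits(SAMPLE_LOGS):
        print(f"ALERT look-alike host {bad} (mimics {good}): {line}")
```

In a SIEM the same logic maps to a lookup of observed hostnames against the allowlist with an edit-distance threshold, so that near-miss domains are surfaced rather than lost among ordinary traffic.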

Frequently Asked Questions

Attackers exploited human reliance on known scripts and domain familiarity, using a single-letter domain typo to deceive users.

Traditional antivirus may miss in-memory script payloads; behavior-based detection and logging are more effective.

Similar typosquatting campaigns have been observed previously in other malware contexts, indicating this is a persistent attacker tactic.

Incident Summary

  • Type: Malware
  • Severity: High
  • Industry: Enterprise
  • Threat Actor: Unknown cybercriminals leveraging typosquatting
  • Target: Windows users seeking activation scripts, IT administrators, system builders
  • Published: Dec 25, 2025
