Typosquatted MAS Domain Distributes Cosmali Loader via PowerShell Scripts

A recently discovered typosquatted domain mimicking the legitimate Microsoft Activation Scripts (MAS) tool has been employed to distribute malicious PowerShell scripts. This deceptive domain redirected unsuspecting users to malicious files hosted on popular code repositories such as GitHub and GitLab. The malicious PowerShell scripts, once executed on a victim's system, would proceed to download and execute the Cosmali Loader. The Cosmali Loader is a sophisticated malware loader designed to facilitate the deployment of additional malicious payloads, thereby enabling attackers to customize their assault based on specific objectives. This particular campaign appears to target individuals actively searching for unofficial methods to activate Windows operating systems. By leveraging the allure of free or pirated software, attackers exploit the tendency of users to bypass legitimate channels, thereby increasing the likelihood of successful infection. The utilization of reputable platforms like GitHub and GitLab for hosting malicious files is a notable aspect of this campaign. These platforms are generally perceived as trustworthy by users and may not be immediately flagged by security software, making them an effective vector for malware distribution. From a cybersecurity perspective, this incident underscores several critical considerations. Firstly, the persistent threat posed by typosquatted domains necessitates continuous monitoring and user education to mitigate the risk of successful phishing and malware distribution campaigns. Secondly, the abuse of legitimate and trusted platforms for malicious purposes highlights the need for enhanced vigilance and robust monitoring systems capable of detecting and preventing such activities. Moreover, this incident serves as a stark reminder of the risks associated with seeking or using unofficial software. Users who engage in such practices not only expose themselves to potential malware infections but also contribute to the proliferation of cybercriminal activities. In terms of actionable intelligence, cybersecurity professionals are advised to ensure that their monitoring systems are adequately configured to detect typosquatted domains and suspicious activities on code repositories. Additionally, comprehensive user education programs should emphasize the risks of downloading unofficial software and the importance of verifying the legitimacy of domains and sources. However, it is important to note that the original article does not provide specific details regarding the number of victims or the exact duration of the campaign. As such, while the technical context and implications are clear, some operational details remain undisclosed.