Skip to main content

Hackers Are Disguising Cryptbot Malware as a Windows Activator

Batman
(Image credit: Shutterstock)

Software can be expensive. That's why some people decide to pirate apps instead of buying licenses for them, but according to Red Canary, hackers are using a fake version of a popular software piracy tool to spread the Cryptbot malware.

The tool in question is called KMSPico, which Red Canary said is used to "activate the full features of Microsoft Windows and Office products without actually owning a license key." Security tools usually block KMSPico, so it often comes with instructions for disabling those protections, thereby leaving systems vulnerable to malware.

Which brings us to Cryptbot. Red Canary said it "harms organizations by stealing credentials and other sensitive information from affected systems." The company said much of that private data is stolen from cryptocurrency-related software like:

  • Atomic cryptocurrency wallet
  • Ledger Live cryptocurrency wallet
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet

Red Canary said that Cryptbot also tries to steal information from Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi web browsers and the CCleaner system management tool. But the extensive list of wallet software targeted by Cryptbot makes it clear that crypto enthusiasts are high-value targets.

As far as protecting against this scheme goes, it seems the best option is not to look for KMSPico downloads in the first place. "A pirate's life is not the life for us, especially when it comes to cracked software," Red Canary said. "Save yourself the trouble and go for legitimate, supported activation methods."