{
	"id": "4cc49811-f98b-4cd5-8ea1-acb82b0fa2b5",
	"created_at": "2026-04-06T00:17:38.120993Z",
	"updated_at": "2026-04-10T03:37:08.851962Z",
	"deleted_at": null,
	"sha1_hash": "38ef8819ad965c92db5f7ae86a2ef3988e365900",
	"title": "Malicious KMSPico installers steal your cryptocurrency wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3923706,
	"plain_text": "Malicious KMSPico installers steal your cryptocurrency wallets\r\nBy Bill Toulas\r\nPublished: 2021-12-04 · Archived: 2026-04-05 21:56:01 UTC\r\nThreat actors are distributing altered KMSPico installers to infect Windows devices with malware that steals cryptocurrency wallets.\r\nThis activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn't worth the risk.\r\nKMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.\r\nhttps://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/\r\nPage 1 of 5\r\nAccording to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much bigger than one would expect.\r\n\"We've observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems,\" explained Red Canary intelligence analyst Tony Lambert.\r\n\"In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.\"\r\nTainted product activators\r\nKMSPico is commonly distributed through pirated software and cracks sites that wrap the tool in installers containing adware and malware.\r\nAs you can see below, there are numerous sites created to distribute KMSPico, all claiming to be the official site.\r\nMost Google Search results are sites that claim to be official\r\nA malicious KMSPico installer analyzed by Red Canary comes in a self-extracting executable like 7-Zip and contains both an actual KMS server emulator and Cryptbot.\r\n\"The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico,\" explains a technical analysis of the campaign. \"The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.\"\r\nThe malware is wrapped by the CypherIT packer, which obfuscates the installer to prevent it from being detected by security software. This installer then launches a script that is also heavily obfuscated and is capable of detecting sandboxes and AV emulation, so it won't execute when run on the researchers' devices.\r\nObfuscated code of Cryptbot\r\nSource: Red Canary\r\nMoreover, Cryptbot checks for the presence of \"%APPDATA%\\Ramson,\" and executes its self-deletion routine if the folder exists, to prevent re-infection.\r\nThe injection of the Cryptbot bytes into memory occurs through the process hollowing method, while the malware's operational features overlap with previous research findings.\r\nIn summary, Cryptbot is capable of collecting sensitive data from the following apps:\r\nAtomic cryptocurrency wallet\r\nAvast Secure web browser\r\nBrave browser\r\nLedger Live cryptocurrency wallet\r\nOpera Web Browser\r\nWaves Client and Exchange cryptocurrency applications\r\nCoinomi cryptocurrency wallet\r\nGoogle Chrome web browser\r\nJaxx Liberty cryptocurrency wallet\r\nElectron Cash cryptocurrency wallet\r\nElectrum cryptocurrency wallet\r\nExodus cryptocurrency wallet\r\nMonero cryptocurrency wallet\r\nMultiBitHD cryptocurrency wallet\r\nMozilla Firefox web browser\r\nCCleaner web browser\r\nVivaldi web browser\r\nBecause Cryptbot’s operation doesn’t rely on the existence of unencrypted binaries on the disk, detecting it is only possible by monitoring for malicious behavior such as PowerShell command execution or external network communication.\r\nRed Canary shares the following four key points for threat detection:\r\nbinaries that contain AutoIT metadata but don’t have “AutoIT” in their filenames\r\nAutoIT processes making external network connections\r\nfindstr commands similar to findstr /V /R “^ … $\r\nPowerShell or cmd.exe commands containing rd /s /q, timeout, and del /f /q together\r\nIn summary, if you thought that KMSPico is a smart way to save on unnecessary licensing costs, the above illustrates why that's a bad idea.\r\nThe reality is that the loss of revenue due to incident response, ransomware attacks, and cryptocurrency theft from installing pirated software could be more than the cost of the actual Windows and Office licenses.\r\nSource: https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/"
	],
	"report_names": [
		"malicious-kmspico-installers-steal-your-cryptocurrency-wallets"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38ef8819ad965c92db5f7ae86a2ef3988e365900.pdf",
		"text": "https://archive.orkl.eu/38ef8819ad965c92db5f7ae86a2ef3988e365900.txt",
		"img": "https://archive.orkl.eu/38ef8819ad965c92db5f7ae86a2ef3988e365900.jpg"
	}
}