{
	"id": "1cc52e6e-5d90-4f06-a4ac-1a3aaa7e8ec2",
	"created_at": "2026-04-06T00:19:37.464868Z",
	"updated_at": "2026-04-10T13:12:45.40424Z",
	"deleted_at": null,
	"sha1_hash": "4a6ce34e0f954c7525c3a6fe42474cacd5310445",
	"title": "BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40275,
	"plain_text": "BitRAT Malware Seen Spreading Through Unofficial Microsoft\r\nWindows Activators\r\nBy Vlad CONSTANTINESCU\r\nArchived: 2026-04-05 12:43:50 UTC\r\nBitRAT malware has launched a new campaign targeting people who try to activate pirated versions of Windows\r\noperating systems for free through unofficial license activators.\r\nThe criminals behind the campaign reportedly distribute the payloads in the guise of Windows 10 Pro license\r\nactivators and push them on webhards, online storage services popular in South Korea.\r\nWebhards are frequently used to create direct download links, which are then posted on communication platforms\r\nsuch as Discord and various social media services. Due to their widespread use and versatility, they have slowly\r\nbecome one of the most pervasive malware distribution channels among hackers.\r\nIn the newly discovered campaign, the malicious file, named W10DigitalActiviation.exe, mimics a simple, one-button unofficial Windows 10 activator. Upon pressing the faux “Activate Windows 10” button, victims trigger the\r\ndownload of the BitRAT payload, which is then deployed to %TEMP% as Software_Reporter_Tool.exe,\r\nconfigured to run at excluded from Windows Defender’s detection mechanisms.\r\nAfter the downloader performs the operations above, it deletes itself from the infected computer in an attempt to\r\nwipe its tracks.\r\nJudging from the campaign’s distribution manner and the presence of Korean characters in some of its code\r\nsnippets, security experts suspect Korean threat actors are behind the operation.\r\nBitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and\r\nforums. 
Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious\r\npayload spread.\r\nFurthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in\r\nvarious operations, such as trojanized software, phishing and watering hole attacks.\r\nBitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations,\r\nincluding data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam\r\naccess, credential theft, audio recording, XMRig coin mining and generic keylogging.\r\nSource: https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/"
	],
	"report_names": [
		"bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators"
	],
	"threat_actors": [],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a6ce34e0f954c7525c3a6fe42474cacd5310445.pdf",
		"text": "https://archive.orkl.eu/4a6ce34e0f954c7525c3a6fe42474cacd5310445.txt",
		"img": "https://archive.orkl.eu/4a6ce34e0f954c7525c3a6fe42474cacd5310445.jpg"
	}
}