{
	"id": "573a9e57-1768-4de1-adad-13f73e732bb2",
	"created_at": "2026-04-06T00:10:54.938554Z",
	"updated_at": "2026-04-10T03:37:41.131994Z",
	"deleted_at": null,
	"sha1_hash": "b095e1028c04bff020950b83cf4a2b4427c5de6b",
	"title": "BitRAT malware now spreading as a Windows 10 license activator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2448168,
	"plain_text": "BitRAT malware now spreading as a Windows 10 license activator\r\nBy Bill Toulas\r\nPublished: 2022-03-21 · Archived: 2026-04-05 21:11:07 UTC\r\nA new BitRAT malware distribution campaign is underway, preying on users who want to activate pirated Windows installations for free with unofficial Microsoft license activators.\r\nBitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as little as $20 (lifetime access) to any cybercriminal who wants it.\r\nAs such, each buyer follows their own approach to distribution, ranging from phishing and watering holes to trojanized software.\r\nhttps://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/\r\nTargeting pirates with malware\r\nIn a new BitRAT distribution campaign discovered by researchers at AhnLab, threat actors are distributing the malware as a Windows 10 Pro license activator on webhards.\r\nWebhards are online storage services popular in South Korea that receive a steady influx of visitors from direct download links posted on social media platforms or Discord. Because they are so widely used in the region, threat actors are increasingly using webhards to distribute malware.\r\nThe actor behind the new BitRAT campaign appears to be Korean-speaking, based on Korean characters found in the code snippets and on the manner of distribution.\r\nPost promoting the BitRAT-dropping Windows activator (ASEC)\r\nTo use Windows 10 legitimately, you need to purchase a license and activate it with Microsoft. 
While there are ways to get Windows 10 for free, you still need a valid Windows 7 license to qualify for the free upgrade.\r\nThose who do not want to deal with licensing, or who have no license to upgrade from, commonly turn to pirating Windows 10 and using unofficial activators, many of which contain malware.\r\nIn this campaign, the malicious file promoted as a Windows 10 activator is named 'W10DigitalActiviation.exe' and presents a simple GUI with a single \"Activate Windows 10\" button.\r\nThe malware downloader posing as a Windows activator (ASEC)\r\nHowever, instead of activating the Windows license on the host, the \"activator\" downloads malware from a hardcoded command and control server operated by the threat actors.\r\nThe fetched payload is BitRAT, which is written to %TEMP% as 'Software_Reporter_Tool.exe' (a name that mimics Google Chrome's legitimate software_reporter_tool.exe) and added to the Startup folder for persistence. The downloader also adds Windows Defender exclusions so that BitRAT is not flagged.\r\nOnce the installation is complete, the downloader deletes itself from the system, leaving behind only BitRAT.\r\nThe downloader fetching the BitRAT payload (ASEC)\r\nA versatile RAT\r\nBitRAT is promoted as a powerful, inexpensive, and versatile malware that can steal a wide range of valuable information from the host, perform DDoS attacks, bypass UAC, and more.\r\nBitRAT supports generic keylogging, clipboard monitoring, webcam access, audio recording, credential theft from web browsers, and XMRig coin mining.\r\nAdditionally, it offers remote control of Windows systems, hidden virtual network computing (hVNC), and a reverse proxy through SOCKS4 and SOCKS5 (UDP).
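The persistence and defense-evasion steps described above (payload dropped into %TEMP%, a Startup folder entry, Windows Defender exclusions, then self-deletion of the downloader) lend themselves to a quick host triage. The following PowerShell script is an added example for this page, not code from the article or from ASEC. It assumes Microsoft Defender is the installed antivirus, that the dropped file name is the one reported above, and that it runs in an elevated session on the suspect host; the cmdlets it uses (Get-ChildItem, Get-AuthenticodeSignature, Get-MpPreference, Get-WinEvent) are standard on Windows.

```powershell
# Added triage example, not code from the article or from ASEC.
# Checks a Windows host for the artifacts the downloader leaves behind:
# the dropped payload in %TEMP%, a Startup folder entry, and Defender exclusions.
# Assumes Microsoft Defender is the installed AV and an elevated PowerShell session.

$ioc      = 'Software_Reporter_Tool.exe'   # file name reported by ASEC
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    # Mutates the list from the enclosing scope
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Payload dropped into %TEMP% under the reported name
Get-ChildItem -Path $env:TEMP -Filter $ioc -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'TempDrop' $_.FullName }

# 2. Persistence via the per-user and all-users Startup folders.
#    Flag the known name, and any entry whose Authenticode signature is not valid,
#    because a simple rename would defeat a name-only check.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (($_.Name -ieq $ioc) -or ($sig.Status -ne 'Valid')) {
            Add-Finding 'StartupPersistence' ('{0} (signature: {1})' -f $_.FullName, $sig.Status)
        }
    }
}

# 3. Current Defender exclusions. On a workstation this list is normally empty,
#    so every entry deserves review, especially one covering %TEMP% or a Startup folder.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($p) { Add-Finding 'DefenderExclusion' $p }
}

# 4. When the exclusions were added: Defender records configuration changes as
#    event 5007 in its operational log, which survives the downloader deleting itself.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { Add-Finding 'DefenderConfigChange' ('{0}: {1}' -f $_.TimeCreated, $_.Message) }

$findings | Format-Table -AutoSize -Wrap
```

Because the downloader removes itself, the durable artifacts are the Startup entry and the exclusions, so treat any exclusion covering a user-writable directory as a finding in its own right even if the file name differs from the one reported here, and use the event 5007 timestamps to bound when the infection happened.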
On that front, ASEC's analysts found strong code similarities with TinyNuke and its derivative AveMaria (Warzone).\r\nThe hidden desktop feature of these RATs is valuable enough that some hacking groups, such as Kimsuky, have incorporated them into their arsenal just to use the hVNC capability.\r\nRisk of piracy\r\nEven setting the legal and ethical aspects aside, using pirated software is always a security gamble.\r\nThe more tools are used to activate illegally obtained copies of software or to crack their intellectual property protection, the greater the chance of ending up with a nasty malware infection.\r\nThose who can't afford a Windows license should look at alternatives instead, such as accepting the limitations of an unactivated Windows installation, watching for special offers from trustworthy platforms, or using Linux.\r\nUltimately, users should not trust license activators, or any unsigned executable authored and released by an unknown vendor, to run on their systems.\r\nSource: https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/"
	],
	"report_names": [
		"bitrat-malware-now-spreading-as-a-windows-10-license-activator"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b095e1028c04bff020950b83cf4a2b4427c5de6b.pdf",
		"text": "https://archive.orkl.eu/b095e1028c04bff020950b83cf4a2b4427c5de6b.txt",
		"img": "https://archive.orkl.eu/b095e1028c04bff020950b83cf4a2b4427c5de6b.jpg"
	}
}