Dec 7, 2021
0 0

Fake KPSPico Windows activator tool KPSPico steals crypto wallet data

Written by

Tags, , , ,
Super secure VPN
Minimal data logging
Favorable privacy policy

Cybersecurity solutions provider Red Canary revealed in its recent blog post that a malicious KMSPico installer is carrying malware that can steal user information from cryptocurrency wallets, apart from other information.
KMSPico is an unofficial MS Windows and Office tool used to illegally activate the full features of pirated software, such as MS Office, without paying for the license key. Therefore, the tool emulates Microsoft’s Key Management Services activation to circumvent the Windows license.
SEE: New malware lures fake Chrome update to attack Windows PCs
According to Red Canary, KMSPico isn’t only used by individuals to activate Windows software fraudulently, but numerous IT departments also use this tool. The consequences of using a malicious KMSPico could be drastic for organizations.
Researchers noted that many sites claiming to be official KMSPico creators are active on the web, so it is effortless for anyone to be trapped and download a malicious KMSPico.
Malicious websites pushing Fake KPSPico Windows activator
The malware is dubbed CrypBot. It is essentially an information stealer that can obtain credentials for cryptocurrency wallets, browsers, credit cards, browser cookies, and capture screenshots from compromised devices.

According to Red Canary’s blog post, the malware is capable of stealing information from the following applications on Windows devices:
The malware is deployed through cracked software, and in this particular campaign, it is distributed as KMSPico. The malware can collect information from a variety of applications and browsers. But, MS Edge isn’t one of them.
SEE: New Trickbot attack setup fake 1Password installer to extract data
Moreover, the malicious KMSPico can install the actual KMSPico file itself to prevent a user of an infected system from having suspicion. Another reason why attackers install KMSPico and CrypBot is to ensure that the victim remains busy and the malware can perform its malicious functions in the background.

Red Canary researcher Tony Lambert explained the attack scenario:
“The user becomes infected by clicking one of the malicious links and downloading either KMSPico, Cryptbot, or another malware without KMSPico. The adversaries install KMSPico also because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.”
Red Canary researchers urge users only to use legitimate Microsoft licenses to activate systems and beware of websites claiming to offer official versions of KMSPico activator.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Get the best stories straight into your inbox!

Don’t worry, we don’t spam
 App Store Google News
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom. is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT
The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.


Article Categories:

Comments are closed.