Monday, May 5, 2025

Beware of Fake KMSPico Activators that Deliver Vidar Stealer Malware


Researchers detected an attack involving a fake KMSPico activator tool, which delivered Vidar Stealer through a multi-stage chain of events.

The attack leveraged Java dependencies and a malicious AutoIt script to disable Windows Defender and decrypt the Vidar payload via the shellcode.

The user performed a web search for KMSPico and browsed to the top result (kmspico[.]ws), which is marketed as a “universal activator” for Windows but appears to no longer be maintained.


The site is hosted behind Cloudflare Turnstile and requires human input to download the final Zip package, a tactic to hide the page and final payload from automated web crawlers.

Figure: fake KMSPico activator

The Malicious Package

The ZIP archive contains Java dependencies and the malicious executable Setuper_KMS-ACTIV.exe.


Upon launching the executable, javaw.exe starts, disables behavior monitoring in Windows Defender, and drops the malicious AutoIt script named “x” along with a copy of the AutoIt interpreter renamed Flour.pif.


The AutoIt script contains the encrypted Vidar payload that will be injected into the current running AutoIt process.

The shellcode is responsible for decrypting the Vidar payload with the RC4 algorithm, using a key hardcoded in the malicious AutoIt script.
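An analyst-side reconstruction of that decryption step, added here as an example and not code from the original article or from the malware itself: a plain RC4 routine plus a helper that pulls the string constants out of an AutoIt script and decrypts the embedded blob with the hardcoded key. The variable names, the hex-string storage format and the sample script are assumptions constructed for the example; the page does not describe how the real loader lays out its data.

```python
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Matches AutoIt string assignments such as:  $sKey = "value"  /  Local $sKey = "value"
# (assumed storage format; a real script may split or encode the blob differently)
AUTOIT_STRING_ASSIGN = re.compile(
    r'^\s*(?:Local\s+|Global\s+)?\$(\w+)\s*=\s*"([^"]*)"', re.MULTILINE
)

def extract_strings(script: str) -> dict[str, str]:
    """Collect every $name = "..." string constant in an AutoIt script."""
    return dict(AUTOIT_STRING_ASSIGN.findall(script))

def recover_payload(script: str, key_var: str, blob_var: str) -> bytes:
    """Decrypt the hex-encoded blob stored in blob_var with the key stored in key_var."""
    consts = extract_strings(script)
    key = consts[key_var].encode()          # assumption: key is an ASCII string constant
    blob = bytes.fromhex(consts[blob_var])  # assumption: ciphertext is stored as hex text
    return rc4(key, blob)

def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the result: a Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

# Constructed sample: a fake "payload" encrypted under a made-up key and embedded
# the way this example assumes the loader stores it. Not data from the real sample.
SAMPLE_KEY = "example-hardcoded-key"
SAMPLE_PAYLOAD = b"MZ" + bytes(14) + b"This program cannot be run in DOS mode."
SAMPLE_SCRIPT = (
    f'$sKey = "{SAMPLE_KEY}"\n'
    f'$sData = "{rc4(SAMPLE_KEY.encode(), SAMPLE_PAYLOAD).hex()}"\n'
    'Local $sTarget = "something else"\n'
)

if __name__ == "__main__":
    payload = recover_payload(SAMPLE_SCRIPT, "sKey", "sData")
    print("PE header present:", looks_like_pe(payload))
    print(payload[:64])
```

When applying this to a real script, the check for the `MZ` header is the quick way to confirm the right key and the right blob were paired; a wrong key produces uniformly random-looking bytes with no recognizable header.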


The Command and Control Infrastructure

Vidar Stealer uses Telegram for the Dead Drop Resolver (DDR) to store the C2 IP address.


Threat actors use a dead drop resolver to host command and control (C2) information on legitimate external web services. They embed, and often obfuscate, domains or IP addresses within content posted on popular sites and applications such as Telegram, thus concealing the C2 infrastructure behind traffic to a trusted service.
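The stages described above (Defender behavior monitoring switched off, a renamed AutoIt interpreter run as a .pif from a user-writable path, and a dead drop lookup against Telegram from a process that is not a browser or messaging client) can each be turned into a simple triage rule. The following is an added example written for this article, not eSentire's or the article's own detection logic. The event schema and the sample telemetry are constructed for the example; the Defender message shape approximates the configuration-change event (ID 5007) and the lists of user-writable path markers and expected Telegram clients are tunable heuristics, not authoritative.

```python
from collections import defaultdict

# Heuristics for the stages described in the article. Field names below belong to a
# constructed, simplified telemetry schema, not to any particular product's format.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
DEAD_DROP_HOSTS = ("t.me", "telegram.org", "telegram.me")
EXPECTED_TELEGRAM_CLIENTS = ("telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_user_writable(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)

def is_dead_drop_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)

def evaluate(event: dict) -> list[str]:
    """Return the names of every rule a single event triggers."""
    hits = []
    kind = event.get("kind")
    if kind == "defender_config_change":
        # Defender reports configuration changes as event 5007; the 'New value' part of
        # the message names the registry value that changed (message shape approximated).
        new_value = event.get("message", "").split("New value:")[-1]
        if "DisableBehaviorMonitoring" in new_value and new_value.strip().endswith("0x1"):
            hits.append("defender_behavior_monitoring_disabled")
    elif kind == "process_create":
        image = event.get("image", "")
        parent = event.get("parent_image", "")
        if basename(image).endswith(".pif") and in_user_writable(image):
            hits.append("pif_executed_from_user_path")
        if basename(image) == "javaw.exe" and in_user_writable(parent):
            hits.append("javaw_spawned_by_user_path_binary")
    elif kind == "network_connect":
        proc = basename(event.get("image", ""))
        if is_dead_drop_host(event.get("dest_host", "")) and proc not in EXPECTED_TELEGRAM_CLIENTS:
            hits.append("telegram_dead_drop_lookup")
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each host to the sorted set of rules it triggered across all of its events."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(evaluate(ev))
    return {host: sorted(rules) for host, rules in per_host.items()}

def suspect_hosts(events: list[dict], min_rules: int = 2) -> list[str]:
    """Hosts where several independent stages of the chain were observed together."""
    return sorted(h for h, rules in triage(events).items() if len(rules) >= min_rules)

# Constructed sample telemetry: WS01 reproduces the chain from the article,
# WS02 carries benign look-alikes (browser on t.me, system-wide Java) that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process_create",
     "image": r"C:\Users\alice\Downloads\KMSPico\Setuper_KMS-ACTIV.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "kind": "process_create",
     "image": r"C:\Users\alice\Downloads\KMSPico\jre\bin\javaw.exe",
     "parent_image": r"C:\Users\alice\Downloads\KMSPico\Setuper_KMS-ACTIV.exe"},
    {"host": "WS01", "kind": "defender_config_change",
     "message": r"Configuration has changed. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                r"\Real-Time Protection\DisableBehaviorMonitoring = 0x0 New value: HKLM\SOFTWARE"
                r"\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = 0x1"},
    {"host": "WS01", "kind": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\Flour.pif",
     "parent_image": r"C:\Users\alice\Downloads\KMSPico\jre\bin\javaw.exe"},
    {"host": "WS01", "kind": "network_connect",
     "image": r"C:\Users\alice\AppData\Local\Temp\Flour.pif", "dest_host": "t.me"},
    {"host": "WS02", "kind": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "t.me"},
    {"host": "WS02", "kind": "process_create",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "parent_image": r"C:\Program Files\SomeVendor\app.exe"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
    print("suspect:", suspect_hosts(SAMPLE_EVENTS))
```

None of the individual rules is conclusive on its own (users do open Telegram in a browser, and Java does get launched from odd places), which is why the escalation in `suspect_hosts` requires two or more distinct stages on the same host. The Defender configuration change is the one signal worth paging on by itself, since legitimate software rarely turns behavior monitoring off.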

The Response

eSentire’s 24/7 SOC Cyber Analysts team isolated the affected host and notified the customer of suspicious activities, providing additional support and remediation.

This incident reminds us that malware-laden applications, particularly greyware piracy tools, are hidden in plain sight among web search results. It stresses the importance of user awareness to guard against such threats.

Using a fake KMSPico activator tool as a malware delivery vector highlights the importance of avoiding illegal software activators and ensuring that all software is obtained from legitimate sources.

The attack, which leveraged Java dependencies and a malicious AutoIt script to disable Windows Defender, underscores the necessity of maintaining up-to-date security software and implementing additional layers of defense to detect and prevent such malicious activities.

Recommendations

eSentire’s Threat Response Unit (TRU) recommends implementing the following controls to help secure your organization against Vidar Stealer malware:

  1. Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
  2. Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on emerging threats in the threat landscape.
  3. Encourage employees to use password managers instead of web browsers’ password storage features. Use master passwords where applicable.

Organizations can better protect themselves against the ever-evolving threat landscape by staying vigilant and following these recommendations.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
