Threat actors are distributing altered KMSPico installers to infect Windows devices with malware that steals cryptocurrency wallets.
This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn’t worth the risk.
KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much bigger than one would expect.
“We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems,” explained Red Canary intelligence analyst Tony Lambert.
“In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”