
Malicious KMSPico Installers Steal Your Cryptocurrency Wallets

Threat actors are distributing altered KMSpico installers to infect Windows devices with malware that steals cryptocurrency wallets.

This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn’t worth the risk.

KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.

According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much larger than one would expect.

“We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems,” explained Red Canary intelligence analyst Tony Lambert. 

“In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment.”

Tainted product activators

KMSPico is commonly distributed through pirated software and cracks sites that wrap the tool in installers containing adware and malware.

As you can see below, there are numerous sites created to distribute KMSPico, all claiming to be the official site.

Most Google Search results for KMSPico return sites that claim to be official

A malicious KMSPico installer analyzed by Red Canary comes as a self-extracting executable (built with a tool like 7-Zip) and contains both an actual KMS server emulator and Cryptbot.

“The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico,” explains a technical analysis of the campaign.

“The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.”

The malware is wrapped by the CypherIT packer, which obfuscates the installer to prevent it from being detected by security software. This installer then launches a script that is also heavily obfuscated and capable of detecting sandboxes and AV emulation, so it will not execute when run on a researcher’s analysis machine.

Obfuscated code of Cryptbot (Source: Red Canary)

Moreover, Cryptbot checks for the presence of “%APPDATA%\Ramson” and executes its self-deletion routine if the folder exists, to prevent re-infection.

The injection of the Cryptbot bytes into memory occurs through the process hollowing method, while the malware’s operational features overlap with previous research findings.

In summary, Cryptbot is capable of collecting sensitive data from the following apps:

  • Atomic cryptocurrency wallet
  • Avast Secure web browser
  • Brave browser
  • Ledger Live cryptocurrency wallet
  • Opera Web Browser
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Google Chrome web browser
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet
  • Mozilla Firefox web browser
  • CCleaner web browser
  • Vivaldi web browser

Because Cryptbot’s operation doesn’t rely on the existence of unencrypted binaries on the disk, detecting it is only possible by monitoring for malicious behavior such as PowerShell command execution or external network communication.

Red Canary shares the following four key points for threat detection:

  • binaries that contain AutoIT metadata but do not have "AutoIT" in their filenames
  • AutoIT processes making external network connections
  • findstr commands similar to findstr /V /R "^ … $
  • PowerShell or cmd.exe commands containing rd /s /q, timeout, and del /f /q together
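As an added example (not code from the article or from Red Canary), the following Python applies those four detection points to a few constructed process-telemetry events; the event fields, the sample command lines, the internal-network ranges and the rule names are all assumptions, not data from the campaign.

```python
import ipaddress
import re

# Constructed sample telemetry, one dict per process-creation event.
# "autoit_metadata" stands in for a PE-metadata check an EDR would perform.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\KMSPico_setup.exe", "autoit_metadata": True,
     "cmdline": "KMSPico_setup.exe", "dst_ip": "203.0.113.10"},
    {"image": r"C:\Tools\AutoIt3.exe", "autoit_metadata": True,          # benign admin script
     "cmdline": "AutoIt3.exe inventory.au3", "dst_ip": "10.0.0.5"},
    {"image": r"C:\Windows\System32\cmd.exe", "autoit_metadata": False,
     "cmdline": 'cmd.exe /c findstr /V /R "^ABCDEF$" decoy.txt > stage.bin', "dst_ip": None},
    {"image": r"C:\Windows\System32\cmd.exe", "autoit_metadata": False,
     "cmdline": 'cmd.exe /c rd /s /q "%TEMP%\\stage" & timeout 3 & del /f /q "%TEMP%\\setup.exe"',
     "dst_ip": None},
    {"image": r"C:\Windows\System32\notepad.exe", "autoit_metadata": False,
     "cmdline": "notepad.exe notes.txt", "dst_ip": None},
]

# Assumed internal ranges; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
FINDSTR_RE = re.compile(r'findstr\s+/V\s+/R\s+"\^.*\$"', re.IGNORECASE)
CLEANUP_TOKENS = ("rd /s /q", "timeout", "del /f /q")   # all three together, per the article


def is_external(ip):
    """True when the destination lies outside the assumed internal ranges."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def match_event(ev):
    """Return the names of the detection points an event satisfies (empty list if none)."""
    hits = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    if ev["autoit_metadata"] and "autoit" not in name:
        hits.append("autoit_metadata_without_autoit_name")
    if ev["autoit_metadata"] and is_external(ev.get("dst_ip")):
        hits.append("autoit_external_network")
    if FINDSTR_RE.search(cmd):
        hits.append("findstr_v_r_anchor_pattern")
    if name in ("cmd.exe", "powershell.exe") and all(t in cmd.lower() for t in CLEANUP_TOKENS):
        hits.append("self_delete_cleanup_chain")
    return hits


def scan(events):
    """Map event index -> matched rules, keeping only events that triggered something."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}
```

Note that the genuine AutoIt3.exe event with an internal destination triggers nothing, which is the point of pairing the metadata check with the filename and network conditions rather than alerting on AutoIT alone.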

In summary, if you thought that KMSPico is a smart way to save on unnecessary licensing costs, the above illustrates why that’s a bad idea.

The reality is that the loss of revenue due to incident response, ransomware attacks, and cryptocurrency theft from installing pirated software could be more than the cost of the actual Windows and Office licenses.
