Data Security

Fake KPSPico Windows activator tool KPSPico steals crypto wallet data

The malware is dubbed CrypBot is essentially an information stealer that can obtain credentials for cryptocurrency wallets, browsers, credit cards, browser cookies, and capture screenshots from compromised devices.



Cybersecurity solutions provider Red Canary revealed in its recent blog post that a malicious KMSPico installer is carrying malware that can steal user information from cryptocurrency wallets, apart from other information.

What is KMSPico?

KMSPico is an unofficial MS Windows and Office tool used to illegally activate the full features of pirated software, such as MS Office, without paying for the license key. Therefore, the tool emulates Microsoft’s Key Management Services activation to circumvent the Windows license.

SEE: New malware lures fake Chrome update to attack Windows PCs

According to Red Canary, KMSPico isn’t only used by individuals to activate Windows software fraudulently, but numerous IT departments also use this tool. The consequences of using a malicious KMSPico could be drastic for organizations.

Researchers noted that many sites claiming to be official KMSPico creators are active on the web, so it is effortless for anyone to be trapped and download a malicious KMSPico.

Malicious websites pushing Fake KPSPico Windows activator

About Crypbot

The malware is dubbed CrypBot. It is essentially an information stealer that can obtain credentials for cryptocurrency wallets, browsers, credit cards, browser cookies, and capture screenshots from compromised devices.



According to Red Canary’s blog post, the malware is capable of stealing information from the following applications on Windows devices:

  • Atomic cryptocurrency wallet
  • Avast Secure web browser
  • Brave browser
  • Ledger Live cryptocurrency wallet
  • Opera Web Browser
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Google Chrome web browser
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet
  • Mozilla Firefox web browser
  • CCleaner web browser
  • Vivaldi web browser

The malware is deployed through cracked software, and in this particular campaign, it is distributed as KMSPico. The malware can collect information from a variety of applications and browsers. But, MS Edge isn’t one of them.

SEE: New Trickbot attack setup fake 1Password installer to extract data

Moreover, the malicious KMSPico can install the actual KMSPico file itself to prevent a user of an infected system from having suspicion. Another reason why attackers install KMSPico and CrypBot is to ensure that the victim remains busy and the malware can perform its malicious functions in the background.



Red Canary researcher Tony Lambert explained the attack scenario:

“The user becomes infected by clicking one of the malicious links and downloading either KMSPico, Cryptbot, or another malware without KMSPico. The adversaries install KMSPico also because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.”

Red Canary researchers urge users only to use legitimate Microsoft licenses to activate systems and beware of websites claiming to offer official versions of KMSPico activator.

To Top

Pin It on Pinterest

Share This