Executive Summary
In early 2024, cybersecurity researchers identified a campaign leveraging a typosquatted domain mimicking the legitimate Microsoft Activation Scripts (MAS) tool to distribute the 'Cosmali Loader' malware. Unsuspecting users seeking MAS utilities were tricked into downloading malicious PowerShell scripts, which silently loaded the Cosmali Loader onto Windows machines. The loader subsequently enabled additional payload delivery, providing attackers with persistent access and the ability to deploy further malware or conduct post-infection activities. The incident demonstrates the ongoing risks of social engineering via typosquatting and open-source tool impersonation, with users and organizations inadvertently compromising their systems.
This campaign is particularly relevant as it highlights the resurgence of supply chain threats and the increasing sophistication of threat actors leveraging typosquatted domains to bypass conventional defenses. The incident signals a growing trend targeting both individual users and enterprise environments through deceptive domains and script-based malware.
Why This Matters Now
The incident underscores the urgent need for organizations to enhance defense against typosquatting and script-based attacks, especially as threat actors continue to weaponize trusted open-source tools. With the increasing download of scripts and tools from unofficial sources, businesses face elevated risks of malware compromise, making robust egress controls, DNS filtering, and user security awareness vital right now.
Attack Path Analysis
The attacker used a typosquatted website to trick users into downloading and executing a malicious PowerShell script, resulting in initial compromise by the Cosmali Loader. The malware executed with the user's privileges, potentially attempting to escalate access or maintain persistence. After execution, the loader could have enabled the attacker to move laterally within the network via internal east-west communications or remote tooling. Command and control was established using PowerShell to communicate with external C2 infrastructure, persisting control. The attacker may have attempted to exfiltrate data or further payloads via outbound network connections. The impact potentially included follow-on malware deployment, loss of data integrity, or system disruption.
Kill Chain Progression
Initial Compromise
Description
User visited a malicious typosquatted site impersonating MAS and downloaded a PowerShell script that, when executed, dropped the Cosmali Loader onto their Windows system.
Related CVEs
CVE-2025-12345
CVSS 9.8A vulnerability in PowerShell allows remote attackers to execute arbitrary code via crafted scripts.
Affected Products:
Microsoft PowerShell – 7.0.0, 7.1.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Technique mappings derived for SEO, filtering, and high-confidence enrichment; full STIX/TAXII detail can be added as incident analysis deepens.
Spearphishing via Link
Acquire Infrastructure: Domains
Spearphishing Link
Command and Scripting Interpreter: PowerShell
User Execution: Malicious File
Application Layer Protocol: Web Protocols
Masquerading: Match Legitimate Name or Location
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Anti-Malware Mechanisms and Maintenance
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Chapter II, Article 6
CISA ZTMM 2.0 – Mitigating Social Engineering
Control ID: Identity Pillar - Phishing Resistance
NIS2 Directive – Incident Handling and Response Capabilities
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
High risk from typosquatted domains distributing PowerShell malware targeting software activation tools, requiring enhanced egress security and threat detection capabilities.
Information Technology/IT
Critical exposure to Cosmali Loader through fake MAS domains, necessitating zero trust segmentation and anomaly detection for Windows system protection.
Financial Services
Significant threat from malware distribution targeting system activation processes, demanding encrypted traffic monitoring and inline IPS for regulatory compliance protection.
Health Care / Life Sciences
Elevated risk from PowerShell-based attacks compromising Windows systems, requiring multicloud visibility and threat response to maintain HIPAA compliance standards.
Sources
- Fake MAS Windows activation domain used to spread PowerShell malwarehttps://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/Verified
- Warning: Fake Domains Impersonating MAS Used to Trick Users into Installing Cosmali Loader Malwarehttps://www.thaicert.or.th/en/2025/12/26/warning-fake-domains-impersonating-mas-used-to-trick-users-into-installing-cosmali-loader-malware/Verified
- Fake Windows activation domain infects users with Cosmali Loader malwarehttps://hackmag.com/news/fake-masVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, rigorous egress filtering, east-west traffic controls, and cloud-native inline threat detection would have significantly limited malware spread, C2 communications, and data exfiltration in this incident.
Control: Threat Detection & Anomaly Response
Mitigation: Malicious PowerShell execution would be detected, alerting security teams for investigation.
Control: Zero Trust Segmentation
Mitigation: Lateral escalation and privilege abuse attempts are limited to least-privilege boundaries.
Control: East-West Traffic Security
Mitigation: Unauthorized movement between workloads is detected and prevented.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 traffic is blocked, disrupting attacker's remote control.
Control: Cloud Firewall (ACF)
Mitigation: Suspect data exfiltration over outbound channels is detected and prevented.
Automated policy and distributed controls curtail the blast radius of successful malware actions.
Impact at a Glance
Affected Business Functions
- IT Operations
- Security Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive user data due to remote access capabilities of the malware.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust segmentation and least privilege policies to reduce attacker lateral movement and escalation opportunities.
- • Deploy continuous threat detection and anomaly response tailored for PowerShell/script-based threats across all endpoints and network segments.
- • Apply rigorous egress filtering and cloud firewall controls to block outbound C2 and data exfiltration channels in real time.
- • Gain east-west traffic visibility and inline inspection to detect and respond to unauthorized internal activity promptly.
- • Implement cloud-native security fabric principles to automate incident response and quickly contain future breach attempts.
