Security News > 2021 > December > Malicious KMSPico installers steal your cryptocurrency wallets
Threat actors are distributing altered KMSpico installers to infect Windows devices with malware that steals cryptocurrency wallets.
KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services server to activate licenses fraudulently.
KMSPico is commonly distributed through pirated software and cracks sites that wrap the tool in installers containing adware and malware.
A malicious KMSPico installer analyzed by RedCanary comes in a self-extracting executable like 7-Zip and contains both an actual KMS server emulator and Cryptbot.
"The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico," explains a technical analysis of the campaign,.
"The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."