Hacker arrested for KMSAuto malware campaign with 2.8 million downloads

Published:

29 december 2025 om 19:25:29

Alert date:

29 december 2025 om 20:02:07

Source:

bleepingcomputer.com

Ransomware & Malware, Operating Systems

A Lithuanian national was arrested for distributing clipboard-stealing malware disguised as KMSAuto, a tool for illegally activating Windows and Office software. The malware campaign infected approximately 2.8 million systems worldwide. The malware targeted cryptocurrency clipboard operations, stealing digital assets from victims. This represents a significant supply chain-style attack using popular pirated software as a distribution vector. The arrest highlights the global reach of cybercriminal operations and law enforcement cooperation in addressing large-scale malware campaigns.

Technical details

A 29-year-old Lithuanian national distributed malware disguised as KMSAuto tool for illegally activating Windows and Office software. The malware was clipper malware that scanned clipboard contents for cryptocurrency addresses and replaced them with attacker-controlled addresses. From April 2020 to January 2023, 2.8 million copies were distributed worldwide. The malware targeted at least six cryptocurrency exchanges and resulted in theft of approximately $1.2 million in 8,400 transactions from users of 3,100 virtual asset addresses.

Mitigation steps:

Avoid using unofficial software product activators and any Windows executables that aren't digitally signed and whose source or integrity cannot be validated. Do not use illegal software that violates copyright as such tools can introduce malware into the system.

Affected products:

KMSAuto
Windows
Microsoft Office
Cryptocurrency wallets