
KMSAuto

KMSAuto is malware distributed by embedding malicious code in the widely circulated KMSAuto tool, a utility used to illegally activate Windows and Microsoft Office. In the reported campaign it functioned as clipper malware on Windows systems: it monitored clipboard contents for cryptocurrency wallet addresses and replaced copied destination addresses with attacker-controlled wallets. South Korean authorities stated that the altered KMSAuto executable was downloaded about 2.8 million times worldwide between April 2020 and January 2023. The activity resulted in approximately 8,400 fraudulent transactions involving about 3,100 virtual asset addresses and theft estimated at KRW 1.7 billion (about $1.2 million). Investigators linked the campaign to a 29-year-old Lithuanian national who was later arrested and extradited to South Korea with Interpol coordination. The infection vector described in the reporting was pirated or unofficial software obtained from untrusted sources, specifically the KMSAuto activator. The campaign targeted cryptocurrency users, with activity affecting at least six cryptocurrency exchanges. Kaspersky also classifies KMSAuto as riskware and warns that pirated activation tools are commonly abused to distribute malware.
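The clipper behaviour described above can be caught from the defender's side by watching for the pattern itself: the user copies a wallet address and, moments later, a different process overwrites the clipboard with a different address of the same type. The monitor below is an added example, not code from this page or from any of the reporting it cites; the clipboard telemetry, process name, 5-second window and wallet addresses are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Wallet-address shapes the monitor recognises. Constructed for this example;
# the page does not say which assets the campaign swapped.
WALLET_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

def classify(text):
    """Return the address type of `text`, or None if it is not a wallet address."""
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

@dataclass
class ClipEvent:
    ts: float      # seconds since monitoring started
    source: str    # "user_copy" for the user's own Ctrl+C, else the writing process
    content: str

SWAP_WINDOW_SECONDS = 5.0  # assumed: a clipper rewrites within moments of the copy

def detect_clipper(events):
    """Flag writes by another process that replace the user's copied address with a
    different address of the same type, within SWAP_WINDOW_SECONDS of the copy."""
    alerts = []
    last_user = None
    for ev in events:
        kind = classify(ev.content)
        if ev.source == "user_copy":
            last_user = ev if kind else None   # only track wallet-address copies
            continue
        if (kind and last_user and kind == classify(last_user.content)
                and ev.content.strip() != last_user.content.strip()
                and ev.ts - last_user.ts <= SWAP_WINDOW_SECONDS):
            alerts.append((ev.source, last_user.content, ev.content))
    return alerts

# Constructed sample telemetry; addresses are placeholders, not real wallets.
ETH_A, ETH_B = "0x" + "1" * 40, "0x" + "2" * 40
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", ETH_A),            # user copies the real destination
    ClipEvent(0.2, "activator.exe", ETH_B),        # another process swaps it (constructed name)
    ClipEvent(9.0, "user_copy", "invoice #4711"),  # non-address copy resets tracking
    ClipEvent(9.1, "activator.exe", ETH_B),        # nothing to swap: no alert
]
BENIGN_EVENTS = [ClipEvent(0.0, "user_copy", ETH_A), ClipEvent(0.4, "user_copy", ETH_B)]
```

On a real endpoint the `source` field would come from the clipboard-owner process recorded on each clipboard update; a user re-copying a different address themselves produces no alert, which keeps the check quiet during normal wallet use.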
