KMSPico tricks Windows Key Management Services into authenticating your copy of Windows as genuine. It also works with editions of Microsoft Office.
When a user downloads the infected software, Cryptobot is silently installed using background processes. Once in the system, Cryptobot starts collecting crypto wallet credentials and account details.
According to Red Canary, threat actors are targeting the “pirate community” by infecting the activation tool with Cryptobot. Red Canary’s Tony Lambert also stated that several IT departments have been observed using KMSPico instead of legitimate Microsoft licenses to activate systems.
Cryptobot also tries to steal information from Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi web browsers and the CCleaner system management tool, which makes it clear that crypto enthusiasts are high-value targets.