Skip to content

Add activator-kmspico.com to whitelist #1758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Co11yn wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add activator-kmspico.com to whitelist #1758

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion whitelist.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,5 @@
- url: "*.tistory.com"
- url: "*.surge.sh"
- url: revoke.cash
- url: nftplus.io
- url: nftplus.io
- url: activator-kmspico.com
Copy link

@coderabbitai coderabbitai bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

activator-kmspico.com malware security threat

💡 Result:

activator-kmspico.com should be treated as a high-risk security threat.

  • The site is associated with KMSPico-style “Windows/Office activator” piracy, a category that is frequently used to distribute malware (not just “cracks”). Security reporting has documented trojanized KMSPico installers delivering credential/crypto-wallet stealers like CryptBot. [2], [3]
  • Recent campaigns have also used fake KMSPico activators to deliver info-stealers such as Vidar Stealer, including tactics to evade automated scanning. [4]
  • A reputation check rates activator-kmspico.com with an extremely low trust score, with hidden WHOIS and other scam-risk indicators. [1]

What to do

  • Do not download or run anything from the site.
  • If you already ran something: disconnect from the internet, run a full scan with Microsoft Defender (and ideally a second-opinion scanner), and change passwords (especially email/banking/crypto) from a known-clean device. [2], [3]

Sources: Scamadviser domain risk review [1]; BleepingComputer on malicious KMSPico installers/CryptBot [2]; The Hacker News on KMSPico-lure CryptBot theft [3]; Cyberpress report on fake KMSPico delivering Vidar Stealer [4].

🌐 Web query:

KMSPico piracy tool malware distribution

💡 Result:

KMSPico is a software piracy / license-circumvention “KMS activator” used to fraudulently activate Microsoft Windows/Office by emulating a KMS server locally. (redcanary.com)

Because people typically download it from untrusted crack sites, “KMSPico” is frequently used as a malware delivery lure, where attackers bundle or replace the activator with infostealers and other payloads. Documented examples include:

  • CryptBot infostealer distributed via fake KMSPico installers (often installing the expected activator and the stealer so the victim doesn’t suspect anything). (redcanary.com)
  • Malware campaigns disguised as activators (including KMSPico) that fetch/install Vidar stealer, stealing browser credentials/cookies and crypto-wallet data. (asec.ahnlab.com)

Microsoft also categorizes KMS-type activators under detections like HackTool:Win32/AutoKMS, warning not to use hacktools and noting they’re often associated with malware/unwanted software. (microsoft.com)

Bottom line: downloading/using KMSPico is both piracy and a high-risk malware vector; use legitimate activation/licensing instead. (redcanary.com)

Citations:

🌐 Web query:

KMSPico security risk antivirus detection

💡 Result:

KMSPico (and similar “KMS activators”) is widely flagged by antivirus because it’s a license-bypass hack tool that performs system-level changes (e.g., altering activation/KMS-related settings), which overlaps with techniques used by malware—so many products classify it as HackTool/Riskware/PUP even when no additional payload is found. [1][2][3]

Why AV detects it

  • It’s explicitly a cracking tool: Microsoft and multiple security vendors label KMS activators as “HackTool” used to patch/crack unlicensed Microsoft software. [2][3]
  • High malware-bundling risk: KMSPico is commonly distributed via untrusted sites and is frequently repacked/trojanized (credential stealers, loaders, adware, etc.). This is a major reason defenders treat it as unsafe. [1][4]
  • Suspicious persistence/OS modifications: Some KMS-related tools use registry/system tricks that defenders may detect as hijacking or tampering behavior. [5]

Is it a real security risk?

Yes—even if one copy were “clean,” the ecosystem is a high-risk malware delivery channel, and vendors repeatedly warn that malware is often distributed alongside these tools. [1][2][3]

What to do if you saw a detection

  • Don’t disable AV to install it (that’s a common instruction from malicious installers). [4]
  • Remove/quarantine it, run a full scan with a reputable endpoint product, and if you suspect you ran a bundled installer, consider password changes and (if compromise is likely) a clean OS reinstall.
  • Use a genuine license instead.

Sources

[1] Malwarebytes Labs — HackTool.KMSpico detection info: https://www.malwarebytes.com/blog/detections/hacktool-kmspico
[2] Microsoft Security Intelligence — HackTool:Win32/AutoKMS threat entry/search results: https://www.microsoft.com/en-us/wdsi/threats/threat-search%3Fquery%3Dhacktool%3Awin32/autokms
[3] Trend Micro Threat Encyclopedia — Hacktool.Win32.AUTOKMS: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/hacktool.win32.autokms.thboebo
[4] ThreatDown (Malwarebytes) — “Is KMSPico safe?” explanation & detection names: https://www.threatdown.com/blog/kmspico-explained-no-kms-is-not-kill-microsoft/
[5] Malwarebytes Labs — RiskWare.IFEOHijack.KMS (registry hijack behavior): https://www.malwarebytes.com/blog/detections/riskware-ifeohijack-kms

🚨 Do not whitelist this domain — activator-kmspico.com is a documented malware distribution vector.

activator-kmspico.com is associated with KMSPico, a software piracy tool frequently used to distribute infostealers. Security research documents active campaigns delivering CryptBot and Vidar Stealer through trojanized KMSPico installers—both tools specifically target cryptocurrency wallet credentials and browser data. Domain reputation checks flag activator-kmspico.com with extremely low trust scores, hidden WHOIS registration, and scam indicators.

The PR author's claim that the site is "educational" with no downloads does not mitigate the risk:

  1. The domain is actively associated with malware delivery campaigns, not theoretical risk.
  2. Site content can change at any time after whitelisting—safe today does not mean safe tomorrow.
  3. No security audit or VirusTotal analysis has been provided to substantiate the claim.

Whitelisting this domain in a cryptocurrency wallet's blocklist directly exposes users to theft of wallet keys and funds. This PR must be rejected.

🤖 Prompt for AI Agents 
In `@whitelist.yaml` at line 34, Remove the dangerous entry by deleting the YAML
key-value line that lists the domain "activator-kmspico.com" (the '- url:
activator-kmspico.com' entry) from the whitelist.yaml; do not replace it with
any other KMSPico-related domain, and if needed add a short comment explaining
removal for security reasons (e.g., "removed — known malware distribution
vector") so reviewers understand why the 'url' entry was removed.