A BitRAT malware campaign is actively targeting users looking for unofficial Windows license activators. These license activators are meant to activate pirated Windows OS versions.

Use of fake activators 

Researchers from AhnLab have spotted a phishing campaign spreading Windows 10 Pro license activators on webhard. In reality, these activators are malicious and laden with the BitRAT malware.
  • A malicious file, advertised as a Windows 10 activator and named 'W10DigitalActiviation.exe', comes with a simple GUI with a button to activate Windows 10. Instead of activating Windows, clicking the button downloads the malware from the C2 server.
  • Once the malware is installed, the downloader deletes itself from the infected system and leaves behind only BitRAT.
  • The threat actors behind the campaign seem to be based out of Korea. This is suspected on the basis of the distribution method and the presence of some Korean characters in the code snippets.

About BitRAT 

BitRAT is advertised as a powerful, versatile, and inexpensive malware that can steal valuable information from the host. Additionally, the RAT can perform DDoS attacks and UAC bypass.
  • BitRAT supports generic keylogging, audio recording, clipboard monitoring, credential theft from web browsers, webcam access, XMRig coin mining, and several additional features.
  • Furthermore, it offers hidden virtual network computing (hVNC), remote control for Windows systems, and a reverse proxy feature that uses SOCKS4 and SOCKS5 (UDP).

Connections and links

Researchers have discovered strong code similarities with TinyNuke and AveMaria (Warzone). Further, hacker groups such as Kimsuky used the hidden desktop feature of this RAT to use hVNC tools.


Using a pirated OS is never safe, and seeking activators may lead to malware infections such as BitRAT. Thus, experts strongly recommend avoiding activator tools and staying away from websites that offer such tools for activating Windows. Further, always use reliable anti-malware solutions to stay protected from such threats.
Cyware Publisher