BitRAT Spreads as Windows 10

Analysts from AhnLab, a company specializing in cybersecurity, have revealed the spread of a new but already known piece of malware called BitRAT.

What is BitRAT?

BitRAT, a piece of malware classified as a Remote Access Trojan (RAT), is being distributed to users looking to activate pirated Windows operating system (OS) versions for free using unofficial Microsoft license activators.

BitRAT is marketed as a powerful, low-cost, and adaptable malware that can steal a variety of sensitive data from the host, launch DDoS attacks, and bypass User Account Control (UAC), among other things.

BitRAT supports generic keylogging, audio recording, clipboard monitoring, credential theft from web browsers, webcam access, XMRig coin mining, and several additional features.

Fake activation

In reality, these activators are malicious and laden with the BitRAT malware. A malicious file, advertised as a Windows 10 activator and named ‘W10DigitalActiviation.exe’, comes with a simple GUI with a button to activate Windows 10. Instead of activating Windows, clicking the button downloads the malware from the threat actor’s hardcoded command and control server. The retrieved payload is BitRAT, which is installed as ‘Software Reporter Tool.exe’ in the %TEMP% folder and added to the Startup folder. The attacker also adds Windows Defender exclusions to hide the BitRAT malware. Once the malware is installed, the downloader deletes itself from the infected system and leaves behind only BitRAT.

The threat actors behind the campaign appear to be from Korea. This is suspected based on the manner of distribution and the presence of some Korean characters in the code snippets.
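A read-only host check for the artifacts described above, written as an added example and not taken from AhnLab or the original article. It assumes an elevated PowerShell session on Windows, and its rule of flagging any Startup entry that is an executable or points into %TEMP% is an assumption meant for manual review.

```powershell
# Added example: read-only triage for the host artifacts named in the article.
# Run elevated so Defender exclusions are readable. Only the payload file name,
# %TEMP% and the Startup folder come from the article; the rest is assumed.
$payloadName = 'Software Reporter Tool.exe'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Payload dropped into %TEMP% under the name the article reports.
$tempHit = Join-Path $env:TEMP $payloadName
if (Test-Path -LiteralPath $tempHit) {
    $sha256 = (Get-FileHash -LiteralPath $tempHit -Algorithm SHA256).Hash
    Add-Finding 'TempPayload' "$tempHit SHA256=$sha256"
}

# 2. Per-user and all-users Startup folders: any executable, or a shortcut
#    whose target carries the payload name or lives under %TEMP%.
$startupDirs = @('Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) })
$shell = New-Object -ComObject WScript.Shell
$items = $startupDirs | ForEach-Object { Get-ChildItem -LiteralPath $_ -File -Force }
foreach ($item in $items) {
    $target = $item.FullName
    if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
    if ($item.Extension -eq '.exe' -or $target -like "*\$payloadName" -or
        $target.StartsWith($env:TEMP, 'OrdinalIgnoreCase')) {
        Add-Finding 'StartupEntry' "$($item.FullName) -> $target"
    }
}

# 3. Defender exclusions that name the payload or overlap %TEMP% / Startup.
$watched = @($env:TEMP) + $startupDirs
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ }) {
        $overlap = $watched | Where-Object {
            $_.StartsWith($e, 'OrdinalIgnoreCase') -or $e.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($overlap -or $e -like "*$payloadName") { Add-Finding 'DefenderExclusion' $e }
    }
} catch {
    Add-Finding 'DefenderExclusion' "unreadable: $($_.Exception.Message)"
}

if ($findings.Count) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No artifacts from the article were found on this host.'
}
```

A hit on the payload name alone is not proof of infection; compare the reported SHA256 against the indicators published by the vendor before acting.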


Using a pirated OS is never safe, and seeking out activators may lead to malware infections such as BitRAT. Experts therefore strongly recommend avoiding activator tools and the websites that offer them for activating Windows. Further, always use reliable anti-malware solutions to stay protected from such threats.