Thanks to Pieter Arntz and the Threat Intelligence Team who contributed to the research.
A hack tool is a program that allows users to activate software even without a legitimate, purchased key. Hack tools are often used to root devices in order to, among other things, remove barriers that stop users from installing apps from other markets. This is why the term “hack tool” is often used interchangeably with “crack tool” and “rooting program.”
Many seek such tools in the hopes of getting more control over their devices, or out of necessity if the software they want to use requires them. In this post, we’ll focus on one hack tool that has been a trusted tool for activating pirated copies of Microsoft products for free: KMSPico.
What is KMSPico?
KMSPico (often stylized as KMSPICO or KMS Pico) uses an unofficial Key Management Services (KMS) server to activate Microsoft products—although several other hack tools do the same. Here are some of Malwarebytes’ detections of such tools:
KMSPico is one of the most (if not the most) popular software activation tools for Windows and Office Suite, with millions of global users and endorsers. Funnily enough, it also seems to have a lot of "official websites."
Searching for “official KMSpico site” on your favorite search engine will yield thousands of results, including pages of posts from various portals warning internet users not to download KMSPico from Website A or Website B because it’s malware. And they’re right.
Whatever KMSPico “official” website you find in your search results is undoubtedly fake, which leaves people wondering—or probably even believing—that KMSPico is a myth. This tool, however, is far from mythical. It does exist, and the latest version, 10.2.0, can only be downloaded from a members-only forum posted almost a decade ago.
How does it work?
To understand how KMSPico works, we should first understand how a KMS activation works.
KMS is a legitimate way to activate Windows licenses in client computers, especially en masse (volume activation). There is even a Microsoft document on creating a KMS activation host.
A KMS client connects to a KMS server (the activation host), which holds the host key the client uses for activation. Once KMS clients are validated, the Microsoft product on those clients contacts the server every 180 days (6 months) to maintain its validity. However, a KMS setup is only viable for large organizations with Volume Licensed (VL) Microsoft products.
This is what KMSPico exploits. Once installed on a user’s machine, it turns the retail version of their Microsoft product into a “Volume Licensed” one by simply replacing the product key with a generic VL key. KMSPico then changes the default KMS server to an unofficial KMS server set up by the hack tool’s developer.
Note that if the KMSPico developer decides to shut down that server, its users would no longer have an activated version of their Microsoft product.
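The configuration change described above (a generic VL key plus a KMS host the organization did not set up) leaves traces in Windows that a defender can audit. The following PowerShell script is an added example, not code from the original post or from Malwarebytes: it reads the configured KMS host from the Software Protection Platform registry key and the SoftwareLicensingProduct WMI class, and flags any KMS-channel product whose host is not on an allowlist. `$AllowedKmsHosts` is a placeholder you replace with your own KMS host names.

```powershell
# Added example (not from the original post): audit which KMS host this Windows
# client is configured to use and whether it is one the organization operates.
function Get-KmsActivationAudit {
    param(
        # Placeholder allowlist of legitimate KMS hosts, lowercase; replace with your own.
        [string[]]$AllowedKmsHosts = @('kms.corp.example')
    )

    # Host/port written by "slmgr.vbs /skms <host>[:port]" (or by a tool doing the same).
    $sppKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $spp = Get-ItemProperty -Path $sppKey -ErrorAction SilentlyContinue
    $globalHost = $spp.KeyManagementServiceName
    $globalPort = $spp.KeyManagementServicePort

    # Only installed products that activate through the KMS client channel are relevant.
    # A retail install that has been switched to a generic VL key shows up here too.
    $kmsProducts = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Description -match 'VOLUME_KMSCLIENT' }

    foreach ($p in $kmsProducts) {
        # Per-product override takes precedence over the machine-wide registry value.
        $kmsHost = if ($p.KeyManagementServiceMachine) { $p.KeyManagementServiceMachine } else { $globalHost }
        $kmsPort = if ($p.KeyManagementServicePort) { $p.KeyManagementServicePort } else { $globalPort }

        $finding = if (-not $kmsHost) { 'no KMS host configured (DNS discovery)' }
                   elseif ($AllowedKmsHosts -contains $kmsHost.ToLower()) { 'ok' }
                   else { 'UNEXPECTED KMS HOST' }

        [pscustomobject]@{
            Product       = $p.Name
            LicenseStatus = $p.LicenseStatus   # 1 = licensed
            KmsHost       = $kmsHost
            KmsPort       = $kmsPort
            Finding       = $finding
        }
    }
}

# Run from an elevated prompt; hosts such as 127.0.0.1 or localhost point at a
# local emulated KMS rather than the organization's activation host.
Get-KmsActivationAudit | Format-Table -AutoSize
```

A host of `localhost`/`127.0.0.1`, or any name outside your allowlist, on a machine that should be using the corporate KMS is worth a closer look.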
Why we don’t recommend it
Hack tools can be classified as riskware, a category of software that may be risky to install on your computer or device. This is because a legitimate copy of the software may be bundled with adware, or the file may actually be malware named after popular software. Such is the case for KMSPico.
On top of that, using KMSPico violates Microsoft’s ToS (terms of service) for its products.
Our 2021 State of Malware report found that hack tools plagued our consumer and enterprise clients for the previous two years.
Perhaps the most striking data we have on KMS hack tools is that they rank as a top threat for both consumers (with 2,118 percent growth) and enterprises (with 2,251 percent growth). We attribute this to the sudden change in work life as many people moved to a work-from-home (WFH) setup during the COVID-19 pandemic. Many employees—and potentially even employers—resorted to using cracked versions of Microsoft products.
Finally, regarding software updates and patching, it’s also likely that KMSPico blocks activated Microsoft products from “calling home.” If it does, that would stop those products from receiving updates or patches, leaving KMSPico users with very vulnerable Microsoft software.
Does Malwarebytes detect KMSPico?
Yes. We detect components from the same toolset. So if you have downloaded the KMSPico tool, expect your Malwarebytes product to alert you to files detected as HackTool.KMSpico, CrackTool.KMSPico, or both.