Conversation

@Co11yn Co11yn commented Feb 9, 2026

Domain: activator-kmspico.com

Description

It recently came to my attention that, for unknown reasons, my website was blacklisted by the Phantom browser extension.
Visitors contacted us with complaints that they have issues reaching my content.

Website content

  • No connection with cryptocurrency.
  • Educational-purpose website. It does not contain any download links or redirects.

Summary by CodeRabbit

  • Chores
    • Updated domain whitelist to include activator-kmspico.com and nftplus.io.


coderabbitai bot commented Feb 9, 2026

📝 Walkthrough

A configuration file update to whitelist.yaml that removes and re-adds an existing domain entry (nftplus.io) and adds a new domain (activator-kmspico.com) to the whitelist.

Changes

Cohort / File(s): Configuration Updates (whitelist.yaml)
Summary: Removed and re-added nftplus.io entry; appended new domain activator-kmspico.com with corrected line ending.

🚥 Pre-merge checks | ✅ 3 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The pull request title directly and accurately summarizes the main change (adding activator-kmspico.com to the whitelist), which matches the file changes and PR objectives.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@whitelist.yaml`:
- Line 34: Remove the dangerous entry by deleting the YAML key-value line that
lists the domain "activator-kmspico.com" (the '- url: activator-kmspico.com'
entry) from the whitelist.yaml; do not replace it with any other KMSPico-related
domain, and if needed add a short comment explaining removal for security
reasons (e.g., "removed — known malware distribution vector") so reviewers
understand why the 'url' entry was removed.

- url: revoke.cash
- url: nftplus.io No newline at end of file
- url: nftplus.io
- url: activator-kmspico.com
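Review bot: the new `- url: activator-kmspico.com` entry (last line of the hunk) arrives with no supporting evidence for the PR description's "educational, no downloads, no cryptocurrency" claim, and a whitelist entry overrides the blocklist for every user of the extension, so it should not merge until an independent scan or reputation check is attached to the PR. The `- url: nftplus.io` remove/re-add pair only corrects the missing trailing newline and changes no content; say so in the commit message so later readers do not mistake it for a reputation decision on that domain.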
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

activator-kmspico.com malware security threat

💡 Result:

activator-kmspico.com should be treated as a high-risk security threat.

  • The site is associated with KMSPico-style “Windows/Office activator” piracy, a category that is frequently used to distribute malware (not just “cracks”). Security reporting has documented trojanized KMSPico installers delivering credential/crypto-wallet stealers like CryptBot. [2], [3]
  • Recent campaigns have also used fake KMSPico activators to deliver info-stealers such as Vidar Stealer, including tactics to evade automated scanning. [4]
  • A reputation check rates activator-kmspico.com with an extremely low trust score, with hidden WHOIS and other scam-risk indicators. [1]

What to do

  • Do not download or run anything from the site.
  • If you already ran something: disconnect from the internet, run a full scan with Microsoft Defender (and ideally a second-opinion scanner), and change passwords (especially email/banking/crypto) from a known-clean device. [2], [3]

Sources: Scamadviser domain risk review [1]; BleepingComputer on malicious KMSPico installers/CryptBot [2]; The Hacker News on KMSPico-lure CryptBot theft [3]; Cyberpress report on fake KMSPico delivering Vidar Stealer [4].


🌐 Web query:

KMSPico piracy tool malware distribution

💡 Result:

KMSPico is a software piracy / license-circumvention “KMS activator” used to fraudulently activate Microsoft Windows/Office by emulating a KMS server locally. (redcanary.com)

Because people typically download it from untrusted crack sites, “KMSPico” is frequently used as a malware delivery lure, where attackers bundle or replace the activator with infostealers and other payloads. Documented examples include:

  • CryptBot infostealer distributed via fake KMSPico installers (often installing the expected activator and the stealer so the victim doesn’t suspect anything). (redcanary.com)
  • Malware campaigns disguised as activators (including KMSPico) that fetch/install Vidar stealer, stealing browser credentials/cookies and crypto-wallet data. (asec.ahnlab.com)

Microsoft also categorizes KMS-type activators under detections like HackTool:Win32/AutoKMS, warning not to use hacktools and noting they’re often associated with malware/unwanted software. (microsoft.com)

Bottom line: downloading/using KMSPico is both piracy and a high-risk malware vector; use legitimate activation/licensing instead. (redcanary.com)

Citations:


🌐 Web query:

KMSPico security risk antivirus detection

💡 Result:

KMSPico (and similar “KMS activators”) is widely flagged by antivirus because it’s a license-bypass hack tool that performs system-level changes (e.g., altering activation/KMS-related settings), which overlaps with techniques used by malware—so many products classify it as HackTool/Riskware/PUP even when no additional payload is found. [1][2][3]

Why AV detects it

  • It’s explicitly a cracking tool: Microsoft and multiple security vendors label KMS activators as “HackTool” used to patch/crack unlicensed Microsoft software. [2][3]
  • High malware-bundling risk: KMSPico is commonly distributed via untrusted sites and is frequently repacked/trojanized (credential stealers, loaders, adware, etc.). This is a major reason defenders treat it as unsafe. [1][4]
  • Suspicious persistence/OS modifications: Some KMS-related tools use registry/system tricks that defenders may detect as hijacking or tampering behavior. [5]

Is it a real security risk?

Yes—even if one copy were “clean,” the ecosystem is a high-risk malware delivery channel, and vendors repeatedly warn that malware is often distributed alongside these tools. [1][2][3]

What to do if you saw a detection

  • Don’t disable AV to install it (that’s a common instruction from malicious installers). [4]
  • Remove/quarantine it, run a full scan with a reputable endpoint product, and if you suspect you ran a bundled installer, consider password changes and (if compromise is likely) a clean OS reinstall.
  • Use a genuine license instead.

Sources

[1] Malwarebytes Labs — HackTool.KMSpico detection info: https://www.malwarebytes.com/blog/detections/hacktool-kmspico
[2] Microsoft Security Intelligence — HackTool:Win32/AutoKMS threat entry/search results: https://www.microsoft.com/en-us/wdsi/threats/threat-search%3Fquery%3Dhacktool%3Awin32/autokms
[3] Trend Micro Threat Encyclopedia — Hacktool.Win32.AUTOKMS: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/hacktool.win32.autokms.thboebo
[4] ThreatDown (Malwarebytes) — “Is KMSPico safe?” explanation & detection names: https://www.threatdown.com/blog/kmspico-explained-no-kms-is-not-kill-microsoft/
[5] Malwarebytes Labs — RiskWare.IFEOHijack.KMS (registry hijack behavior): https://www.malwarebytes.com/blog/detections/riskware-ifeohijack-kms


🚨 Do not whitelist this domain — activator-kmspico.com is a documented malware distribution vector.

activator-kmspico.com is associated with KMSPico, a software piracy tool frequently used to distribute infostealers. Security research documents active campaigns delivering CryptBot and Vidar Stealer through trojanized KMSPico installers—both tools specifically target cryptocurrency wallet credentials and browser data. Domain reputation checks flag activator-kmspico.com with extremely low trust scores, hidden WHOIS registration, and scam indicators.

The PR author's claim that the site is "educational" with no downloads does not mitigate the risk:

  1. The domain is actively associated with malware delivery campaigns, not theoretical risk.
  2. Site content can change at any time after whitelisting—safe today does not mean safe tomorrow.
  3. No security audit or VirusTotal analysis has been provided to substantiate the claim.

Whitelisting this domain in a cryptocurrency wallet's blocklist directly exposes users to theft of wallet keys and funds. This PR must be rejected.

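As an added illustration of the checks this review is asking for (well-formed entries, no duplicates, the trailing newline that the nftplus.io remove/re-add fixed, and a cross-check of every candidate entry against a denylist before it can override the block), here is a small Python validator for a whitelist in the `- url: <host>` line format visible in the diff. This is example code written for this page, not Phantom's or CodeRabbit's tooling; the file contents and the denylist set are constructed for the demonstration, and the denylist stands in for whatever threat-intel feed a real gate would consult.

```python
import re
from typing import List, Tuple

# Constructed sample in the `- url: <host>` format shown in the PR diff.
# It deliberately contains one defect of each kind the validator reports.
SAMPLE_WHITELIST = (
    "- url: revoke.cash\n"
    "- url: nftplus.io\n"
    "- url: NFTPLUS.io\n"                 # duplicate differing only by case
    "- url: https://good.example/path\n"  # full URL instead of a bare hostname
    "- url: activator-kmspico.com"        # the PR's entry; no trailing newline
)

# Constructed stand-in for a threat-intel denylist (assumption, not a real feed).
KNOWN_BAD = {"activator-kmspico.com"}

ENTRY_RE = re.compile(r"^- url: (\S+)\s*$")
# RFC 1123-style label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(host: str) -> bool:
    """Accept only a bare hostname: no scheme, path, port or wildcard."""
    if len(host) > 253 or host.endswith("."):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_whitelist(text: str) -> Tuple[List[str], List[str]]:
    """Return (hosts, findings) for whitelist text in the `- url: host` form."""
    findings: List[str] = []
    hosts: List[str] = []
    if not text.endswith("\n"):
        findings.append("file does not end with a newline")
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and YAML comments are allowed
        match = ENTRY_RE.match(line)
        if not match:
            findings.append(f"line {lineno}: not a `- url: <host>` entry: {line!r}")
            continue
        host = match.group(1).lower()  # hostnames are case-insensitive
        if not valid_hostname(host):
            findings.append(f"line {lineno}: {host!r} is not a bare hostname")
        elif host in hosts:
            findings.append(f"line {lineno}: duplicate entry {host!r}")
        hosts.append(host)
    return hosts, findings


def check_whitelist(text: str, denylist=KNOWN_BAD) -> List[str]:
    """All findings for the file; an empty list means the file passes the gate."""
    hosts, findings = parse_whitelist(text)
    for host in hosts:
        if host in denylist:
            findings.append(
                f"{host!r} is on the denylist; whitelisting it would override the block"
            )
    return findings


if __name__ == "__main__":
    for finding in check_whitelist(SAMPLE_WHITELIST):
        print("FAIL:", finding)
```

Run as a CI step on the changed file, a non-empty findings list fails the job, so an entry like the one in this PR is stopped before merge rather than caught in review; the denylist lookup is the piece to swap for a real reputation or scan query.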