Technology · Apr 13, 2026 · 4 min read

Beware of this fake Windows 11 update: bypasses antivirus and empties accounts

A new phishing campaign is targeting Windows users through a typosquatted domain, microsoft-update[.]support, designed to closely replicate the interface of Redmond's official support pages. The bait is a supposed cumulative update for Windows 11 version 24H2, distributed via an 83 MB Windows Installer (MSI) package named WindowsUpdate 1.0.0.msi. Despite its legitimate appearance and forged file properties (with the "Author" field set to Microsoft), the installer hides a complex infostealer capable of stealing passwords, payment data, and session tokens.

A revealing technical detail, often ignored by less experienced users, relates to the Knowledge Base identifier being used: the site promotes the download of KB5034765. In reality, this specific update package was released by Microsoft in February 2024 and was intended for versions 23H2 and 22H2 of Windows 11, not for 24H2. This discrepancy starkly highlights the fraudulent nature of the operation, which relies entirely on graphical similarity and the user's urgency to secure their system. According to Malwarebytes, the malicious package was assembled with WiX Toolset 4.0.0.5512, a legitimate open-source framework for creating installers; that choice allowed the malware to maintain a detection rate of zero across 69 antivirus engines during the initial phases of analysis on VirusTotal.

The campaign is hosted on microsoft-update[.]support, and the malware itself is built in several layers to evade behavioral monitoring systems. Once the MSI is executed, an Electron application is installed in the user's AppData directory. The main binary, WindowsUpdate.exe, is actually a renamed copy of the standard Electron shell (a stripped-down Chromium browser), which explains why many scanning engines consider it a clean file.

Execution does not occur directly but through a "living-off-the-land" technique: the file AppLauncher.vbs is launched through the system interpreter cscript.exe, which in turn starts the Electron app. However, the true payload is contained within a renamed Python 3.10 process called _winhost.exe. This component downloads and installs various specialized libraries at runtime: pycryptodome for encrypting stolen data, psutil for detecting sandboxes or debuggers, and pywin32 for deep interaction with Windows APIs.

Analysis of the JavaScript code reveals strong obfuscation using control flow flattening techniques. A specific portion of the malware is dedicated exclusively to Discord: by injecting code into the app (also based on Electron), the malware intercepts login tokens, payment details, and 2FA (two-factor authentication) changes in real time while the user is using the platform.

To ensure survival upon system reboot, the malware implements two distinct mechanisms. The first uses reg.exe to write a value named SecurityHealth in the CurrentVersion\Run registry key, mimicking a legitimate Windows Defender component. The second drops a deceptive shortcut, Spotify.lnk, in the Startup folder, relying on the fact that an average user would not suspect the presence of a music player among startup processes.

Before sending data to the command and control servers, the malware profiles the victim by querying services like ip-api.com to geolocate the IP address. Exfiltration occurs through legitimate cloud infrastructures to blend in with network traffic: endpoints on Render and relays on Cloudflare Workers using subdomains like "system-telemetry," which can easily be mistaken for standard diagnostic traffic. Stolen files are ultimately uploaded to Gofile, an anonymous file-sharing service that leaves no traces of the operator. During its active phase, the malware can invoke the command taskkill.exe over two hundred times to terminate processes related to security tools and browsers, ensuring exclusive access to the credential databases.
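The behaviours described above (cscript.exe launching a .vbs from AppData, reg.exe writing a SecurityHealth value under CurrentVersion\Run, WindowsUpdate.exe running from AppData, and a burst of taskkill.exe launches) translate directly into detection rules. The following Python is an added example and not code from the article or from Malwarebytes' analysis; it runs over constructed process-creation records, and the record fields, the user name, the reg.exe command-line syntax and the burst threshold (50 launches within 60 seconds) are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real captures) ----------------------
# Each record is a process-creation event: ISO timestamp, parent image, image
# and command line. User name, paths and the reg.exe syntax are assumptions.
_BASE = datetime(2026, 4, 13, 10, 0, 0)
_APP = r"C:\Users\alice\AppData\Roaming\WindowsUpdate"

SUSPECT_EVENTS = [
    {"ts": "2026-04-13T10:00:01", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": f'cscript.exe "{_APP}\\AppLauncher.vbs"'},
    {"ts": "2026-04-13T10:00:02", "parent": r"C:\Windows\System32\cscript.exe",
     "image": f"{_APP}\\WindowsUpdate.exe", "cmd": "WindowsUpdate.exe"},
    {"ts": "2026-04-13T10:00:05", "parent": f"{_APP}\\WindowsUpdate.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": f'reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
            f'/v SecurityHealth /t REG_SZ /d "{_APP}\\WindowsUpdate.exe" /f'},
] + [
    # a burst of taskkill.exe launches, one per second, from the Python host
    {"ts": (_BASE + timedelta(seconds=10 + i)).isoformat(),
     "parent": f"{_APP}\\_winhost.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill.exe /F /IM chrome.exe"}
    for i in range(60)
]

# Ordinary activity that must not fire: a script from System32, one taskkill.
BENIGN_EVENTS = [
    {"ts": "2026-04-13T11:00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"ts": "2026-04-13T11:00:30", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill.exe /IM notepad.exe"},
]

# --- Detection rules --------------------------------------------------------
APPDATA_VBS_RE = re.compile(r"\\AppData\\.*?\.vbs\b", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
SECURITYHEALTH_RE = re.compile(r"/v\s+SecurityHealth\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, burst_threshold=50, window_seconds=60):
    """Return a list of alerts {rule, ts, detail} for the given event records."""
    alerts = []
    kill_times = deque()          # sliding window of taskkill.exe timestamps
    burst_reported = False        # fire the burst rule once per event stream
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = _basename(ev["image"])
        cmd = ev["cmd"]
        ts = datetime.fromisoformat(ev["ts"])
        # script host executing a VBScript that lives under a user profile
        if image in ("cscript.exe", "wscript.exe") and APPDATA_VBS_RE.search(cmd):
            alerts.append({"rule": "vbs_from_appdata", "ts": ev["ts"], "detail": cmd})
        # reg.exe creating a Run value named after a Windows security component
        if image == "reg.exe" and RUN_KEY_RE.search(cmd) and SECURITYHEALTH_RE.search(cmd):
            alerts.append({"rule": "run_key_securityhealth", "ts": ev["ts"], "detail": cmd})
        # Windows Update binaries belong in System32, never in AppData
        if image == "windowsupdate.exe" and APPDATA_RE.search(ev["image"]):
            alerts.append({"rule": "windowsupdate_exe_in_appdata", "ts": ev["ts"],
                           "detail": ev["image"]})
        # many taskkill.exe launches in a short window (the article reports 200+)
        if image == "taskkill.exe":
            kill_times.append(ts)
            while kill_times and ts - kill_times[0] > timedelta(seconds=window_seconds):
                kill_times.popleft()
            if len(kill_times) >= burst_threshold and not burst_reported:
                alerts.append({"rule": "taskkill_burst", "ts": ev["ts"],
                               "detail": f"{len(kill_times)} launches within {window_seconds}s"})
                burst_reported = True
    return alerts


if __name__ == "__main__":
    for alert in detect(SUSPECT_EVENTS):
        print(alert["ts"], alert["rule"], alert["detail"])
```

The VBS and Run-key rules are cheap and precise enough to alert on individually; the taskkill burst rule is the one to tune, since administrators and installers do occasionally call taskkill.exe, so the threshold should be set well above anything seen in a baseline of the environment's own telemetry.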

Although the campaign may expand globally, the current focus is on French-speaking users. France has recently experienced a series of massive data breaches that have created fertile ground for social engineering. In particular, the operator Free has confirmed unauthorized access to the data of 19 million subscribers, while SFR and the public entity France Travail (with 43 million compromised records) suffered similar intrusions.

This massive amount of personal data already circulating in criminal markets makes localized phishing baits extremely credible. Attackers who already know the victim's ISP or address can craft support pages that closely mirror what the user expects to receive from their service provider or from Microsoft. For those who suspect they have installed the fake update, it is essential to check for the SecurityHealth value in the Run registry key and to remove the WindowsUpdate folder in AppData. It is also necessary to reset all saved passwords in browsers, assuming they have been compromised.
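A host triage check for the remediation advice above, added here as an example (not code from the article or from Malwarebytes). It looks for the three artifacts the article names: a Run value called SecurityHealth, a WindowsUpdate folder under %APPDATA%, and Spotify.lnk in the Startup folder. One caveat a responder needs: Windows itself registers a Run value named SecurityHealth under HKLM, pointing at SecurityHealthSystray.exe in System32, which is what the malware is imitating, so the check judges the value by where its data points rather than by its name alone. The article does not state which hive the malware writes to, so both HKCU and HKLM are inspected. The collector reads the live registry with winreg when run on Windows; assess() takes the collected state as plain lists so it can be exercised on any platform. Folder paths and the `SUSPECT:` output format are assumptions.

```python
import os
import sys

# Artifacts named in the article; the decision logic and paths are assumptions.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE = "securityhealth"   # Run value name used for persistence
SUSPECT_DIR = "windowsupdate"      # %APPDATA%\WindowsUpdate (Electron app drop)
SUSPECT_LNK = "spotify.lnk"        # deceptive shortcut in the Startup folder


def is_legitimate_securityhealth(data):
    """Windows registers HKLM\\...\\Run\\SecurityHealth pointing at
    System32\\SecurityHealthSystray.exe; any other target is suspect."""
    target = data.strip().strip('"').lower()
    return target.endswith(r"system32\securityhealthsystray.exe")


def assess(run_values, appdata_entries, startup_entries):
    """run_values: list of (hive, name, data) from the Run keys;
    appdata_entries: names directly under %APPDATA%;
    startup_entries: file names in the Startup folder.
    Returns a list of human-readable findings (empty means nothing found)."""
    findings = []
    for hive, name, data in run_values:
        if name.lower() != SUSPECT_VALUE:
            continue
        # the genuine value lives in HKLM and points into System32
        if hive != "HKLM" or not is_legitimate_securityhealth(data):
            findings.append(f"{hive}\\...\\Run\\{name} -> {data}")
    for entry in appdata_entries:
        if entry.lower() == SUSPECT_DIR:
            findings.append(f"%APPDATA%\\{entry} directory present")
    for entry in startup_entries:
        if entry.lower() == SUSPECT_LNK:
            findings.append(f"Startup\\{entry} present")
    return findings


def collect_windows_state():
    """Read the live Run keys, %APPDATA% and the Startup folder (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows; call assess() with data instead")
    import winreg
    run_values = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break          # no more values in this key
                    run_values.append((hive_name, name, str(data)))
                    index += 1
        except OSError:
            pass                       # key absent or not readable
    appdata = os.environ["APPDATA"]
    startup = os.path.join(appdata, "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    return run_values, os.listdir(appdata), os.listdir(startup)


if __name__ == "__main__":
    for finding in assess(*collect_windows_state()):
        print("SUSPECT:", finding)
```

Run it as the affected user (the HKCU hive and %APPDATA% are per user), and treat a clean result as necessary but not sufficient: the script only covers the persistence artifacts the article lists, and the password reset it recommends still applies once the infostealer has run.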