These fake Windows 11 upgrade installers will just infect you with malware

Windows 11
(Image credit: Shutterstock)

A fake Windows 11 installer has been discovered online, with experts warning any  gullible consumers who download it will end up with RedLine Stealer, a potent malware that can steal passwords, cryptocurrency wallet information, credit card data, browser info, and a lot, lot more.

Cybersecurity researchers from HP say whoever is behind this attack has put a lot of careful thought into it. For one, Windows 11 is the latest OS upgrade from Microsoft, one that heavily depends on the hardware specs of the device. As such, is not available to all Windows 10 users through the OS’ system upgrade feature.

The malicious actors have taken advantage of this fact, setting up new domains that impersonate Microsoft. In this particular case, researchers have spotted the windows-upgraded.com domain, which looks a lot like an official Microsoft page. While this one has already been taken down, numerous others are probably out there, waiting to be discovered.

Broad deployment phase

The researchers also note that the actors have also timed their campaign quite well - Microsoft has only recently announced it has entered the “broad deployment phase”, where Windows 11 is being offered to everyone with an eligible device via Windows Update.

Anyone who ends up downloading files from these fake websites, will get a 1.5MB-heavy ZIP archive named “Windows11InstallationAssistant.zip,” pulled from a Discord CDN. 

Instead of a Windows 11 upgrade, victims will instead download RedLine Stealer, malware that harvests browsers for saved passwords, autocomplete data, credit card information, and such. 

The malware also runs a system inventory, pulling in intel such as the username, location data, hardware configuration, and information on security software installed on the device. 

Newer versions are even able to steal cryptocurrency wallet information, as well as target FTP and IM clients. It can upload and download files, execute commands, and communicate with its C2 server.

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Representational image of a cybercriminal
Criminals are spreading malware disguised as DeepSeek AI
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Fake Reddit sites found pushing Lumma Stealer malware
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
Phone scammer
Microsoft thinks it could stop this dangerous scam forever
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all