These fake Windows 11 upgrade installers will just infect you with malware

Windows 11
(Image credit: Shutterstock)

A fake Windows 11 installer has been discovered online, with experts warning any  gullible consumers who download it will end up with RedLine Stealer, a potent malware that can steal passwords, cryptocurrency wallet information, credit card data, browser info, and a lot, lot more.

Cybersecurity researchers from HP say whoever is behind this attack has put a lot of careful thought into it. For one, Windows 11 is the latest OS upgrade from Microsoft, one that heavily depends on the hardware specs of the device. As such, is not available to all Windows 10 users through the OS’ system upgrade feature.

The malicious actors have taken advantage of this fact, setting up new domains that impersonate Microsoft. In this particular case, researchers have spotted the windows-upgraded.com domain, which looks a lot like an official Microsoft page. While this one has already been taken down, numerous others are probably out there, waiting to be discovered.

Broad deployment phase

The researchers also note that the actors have also timed their campaign quite well - Microsoft has only recently announced it has entered the “broad deployment phase”, where Windows 11 is being offered to everyone with an eligible device via Windows Update.

Anyone who ends up downloading files from these fake websites, will get a 1.5MB-heavy ZIP archive named “Windows11InstallationAssistant.zip,” pulled from a Discord CDN. 

Instead of a Windows 11 upgrade, victims will instead download RedLine Stealer, malware that harvests browsers for saved passwords, autocomplete data, credit card information, and such. 

The malware also runs a system inventory, pulling in intel such as the username, location data, hardware configuration, and information on security software installed on the device. 

Newer versions are even able to steal cryptocurrency wallet information, as well as target FTP and IM clients. It can upload and download files, execute commands, and communicate with its C2 server.

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.