
New Threat: Malware Poses as Windows 11 Update to Steal Your Data

Cybersecurity researchers warn of a sophisticated campaign tricking users with a fake operating system patch. This malicious program aims to steal sensitive information.

Redacción Tricuatro | 15 April, 2026 | 2 min read

A new campaign is targeting Windows 11 users with malware disguised as an official operating system update. Malwarebytes researchers, who detected the active threat, report that its primary goal is to steal passwords, banking data, and account credentials. Staying alert to this new lure is essential.

The deception begins on a fraudulent website that closely mimics Microsoft's support portal. The site offers a fake update for Windows 11 version “24H2”, promoted as a “cumulative update” with a KB-style article number and a convincing description of performance improvements and security fixes. A large blue button invites visitors to download a file named “WindowsUpdate 1.0.0.msi”.

The installer is 83 MB and was built with the WiX Toolset, a legitimate tool for packaging Windows programs. Its summary properties (the author and description shown on the file's Details tab) were set so that the file lists Microsoft as the developer and carries descriptions resembling those of an official installer, which lowers suspicion for many users. Those properties are free-form text that any packager can fill in; they are not a signature and prove nothing about who actually built the file.
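The practical check is to compare what the file claims in its properties with what its Authenticode signature actually proves. The PowerShell function below is an added example, not code from the article or from Malwarebytes; it reads the MSI's summary-information stream (the same fields Explorer shows as Author, Subject and Comments) and sets that against the signature status and signer. The file path at the bottom is hypothetical.

```powershell
# Added example, not code from the article or from Malwarebytes. Assumes the
# downloaded installer is on disk; the path used at the bottom is hypothetical.
function Test-InstallerProvenance {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Read the MSI summary-information stream, which is what Explorer shows on the
    # Details tab. Property IDs: 3 = Subject, 4 = Author, 6 = Comments.
    $author = $subject = $comments = $null
    try {
        $installer = New-Object -ComObject WindowsInstaller.Installer
        $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($file.FullName, 0))
        $si = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
        $subject  = $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(3))
        $author   = $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(4))
        $comments = $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(6))
    } catch {
        Write-Warning "Could not read MSI summary information: $_"
    }

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # The only acceptable outcome for a file claiming to be a Microsoft update is a
    # Valid signature whose signer is Microsoft Corporation. Anything else means the
    # "Microsoft" in the properties is just text the packager typed in.
    $microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    $verdict = if ($microsoftSigned) { 'signed by Microsoft' } else { 'claim NOT backed by a Microsoft signature' }

    [pscustomobject]@{
        File            = $file.Name
        SizeMB          = [math]::Round($file.Length / 1MB, 1)
        ClaimedAuthor   = $author
        ClaimedSubject  = $subject
        Comments        = $comments
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $signer
        Verdict         = $verdict
    }
}

# Hypothetical path; point this at the file you actually downloaded.
Test-InstallerProvenance -Path "$env:USERPROFILE\Downloads\WindowsUpdate 1.0.0.msi" | Format-List
```

A WiX-built lure like the one described will typically come back as NotSigned (or signed by someone who is not Microsoft) while still showing Microsoft as ClaimedAuthor. Independently of the signature, genuine Windows cumulative updates are delivered through Windows Update or the Microsoft Update Catalog as .msu packages, not as an .msi downloaded from a support-looking web page.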

Once executed, the malware starts profiling the infected computer: it looks up the device's public IP address and derives an approximate location from it, then installs several hidden components that read data saved by the browser.

The program steals saved passwords, session cookies, and stored payment methods, and also extracts information from Discord accounts. According to the researchers, it relies on Python packages and code hidden inside JavaScript files; that code encrypts the stolen data and sends it to a server controlled by the attackers.

The malware can also modify installed applications. For example, it alters Discord to intercept access tokens and to capture password changes and two-factor authentication data.

One of the most concerning aspects is its evasion capability: at the time of analysis, the threat went undetected by security tools. According to Malwarebytes, none of the 69 antivirus engines that scanned the file flagged it as dangerous. The executable itself looks legitimate, and the malicious behavior is hidden inside heavily obfuscated JavaScript, a layer that many antivirus products do not inspect thoroughly.

To stay active after a reboot, the malware uses two persistence mechanisms:

  • It adds a registry autostart entry named “SecurityHealth”. That is the same name Windows itself uses for the autostart entry of the Windows Security notification icon, so the malicious entry blends in beside a legitimate one.
  • It drops a shortcut called “Spotify.lnk” into the Startup folder, so the malicious program runs every time the user logs on.
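
Both artifacts are easy to hunt for, but the name alone is not enough: a stock Windows install legitimately has a Run value called SecurityHealth that launches SecurityHealthSystray.exe from System32, so the check has to look at what the entry runs. The script below is an added example, not code from the article or from Malwarebytes; it enumerates the Run and RunOnce keys and both Startup folders, resolves each matching entry to the command it actually launches, and flags anything that does not point where the legitimate item would. The Spotify install path it compares against is an assumption.

```powershell
# Added example, not code from the article or from Malwarebytes. Hunts for the two
# persistence artifacts described in the article and reports what each launches.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SuspiciousAutostart {
    $findings = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -notlike 'SecurityHealth*') { continue }
            # Genuine Windows: HKLM\...\Run\SecurityHealth -> %windir%\system32\SecurityHealthSystray.exe
            # Any other target (or a copy under HKCU) deserves a close look.
            $legit = ($key -like 'HKLM:*') -and
                     ($v.Value -match '(?i)\\Windows\\System32\\SecurityHealthSystray\.exe')
            $findings += [pscustomobject]@{
                Source     = $key
                Name       = $v.Name
                Target     = $v.Value
                Suspicious = -not $legit
            }
        }
    }

    # Startup folders run at user logon. Resolve the .lnk to its real target
    # instead of trusting the file name.
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        $lnk = Join-Path -Path $dir -ChildPath 'Spotify.lnk'
        if (-not (Test-Path -LiteralPath $lnk)) { continue }
        $sc = $shell.CreateShortcut($lnk)
        # Assumption: a real Spotify desktop install lives under %APPDATA%\Spotify.
        $legit = $sc.TargetPath -like "$env:APPDATA\Spotify\Spotify.exe"
        $findings += [pscustomobject]@{
            Source     = $dir
            Name       = 'Spotify.lnk'
            Target     = ($sc.TargetPath + ' ' + $sc.Arguments).Trim()
            Suspicious = -not $legit
        }
    }

    return $findings
}

Get-SuspiciousAutostart | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the common Startup folder are readable. When an entry is flagged, note the Target before removing the entry: deleting the Run value or the shortcut only breaks the autostart, and the payload it points to, plus the hidden components installed alongside it, still need to be removed.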

Stay informed and keep security software updated. Install Windows updates only through Windows Update or the Microsoft Update Catalog, never from a file downloaded off a web page, however official it looks.
