Credential Sniffing Malware Disguised as Windows 11 Update Targets Users

Severity: High (Score: 70.5)

Sources: Extremetech, Mezha.Ua, hothardware.com, Techspot, Technobezz

Summary

A sophisticated phishing campaign is distributing malware disguised as a Windows 11 24H2 update through a fake support website. The site, using the domain 'microsoft-update.support', mimics official Microsoft branding and offers a download for a cumulative update. Users who download the 83MB MSI package, named 'WindowsUpdate 1.0.0.msi', unknowingly install malware that steals sensitive information, including passwords and payment details. The malware employs legitimate packaging tools and obfuscation techniques to evade detection by antivirus software, showing zero detections on VirusTotal during initial scans. Once installed, it modifies system settings to ensure persistence and exfiltrates data to external servers. Security experts recommend that users only download updates through official Microsoft channels. As of April 2026, Microsoft has not released the 24H2 update to general users, emphasizing the need for caution against unofficial sources.

Key Points

  • A fake Windows update site is distributing malware that steals user credentials.
  • The malware evades detection by using legitimate packaging tools and obfuscation techniques.
  • Users are advised to only download updates from official Microsoft channels.
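The lure described above (a Windows-branded installer served from a non-Microsoft host) is the kind of thing a proxy-log check can surface. The following is an added detection example, not code from the page or its sources; the log line layout, the allowlist of Microsoft update hosts and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlparse

# Hosts Microsoft really serves updates from (assumed, illustrative allowlist).
OFFICIAL_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")
# Brand words a lookalike host or file name borrows (T1036 Masquerading).
BRAND_WORDS = ("microsoft", "windows", "update")
# Assumed proxy log layout: timestamp client method url status bytes
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

def is_official(host: str) -> bool:
    """True if host is one of the allowlisted Microsoft update domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def lure_reason(url: str):
    """Return a reason string if the URL is an installer fetched from a non-Microsoft
    host that borrows Microsoft/Windows update branding, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = unquote(parsed.path.rsplit("/", 1)[-1])
    if not filename.lower().endswith((".msi", ".exe")) or is_official(host):
        return None
    hits = [w for w in BRAND_WORDS if w in host or w in filename.lower()]
    if not hits:
        return None
    return f"installer '{filename}' from non-Microsoft host {host} (brand words: {', '.join(hits)})"

def scan_proxy_log(lines):
    """Return (timestamp, client, size_bytes, reason) for each suspicious completed download."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["status"] != "200":
            continue
        reason = lure_reason(m["url"])
        if reason:
            alerts.append((m["ts"], m["src"], int(m["bytes"]), reason))
    return alerts

# Constructed sample log: one lure download, one real update, two benign fetches.
SAMPLE_LOG = [
    "2026-04-02T10:15:01Z 10.0.0.21 GET https://microsoft-update.support/WindowsUpdate%201.0.0.msi 200 87031808",
    "2026-04-02T10:16:44Z 10.0.0.22 GET https://download.windowsupdate.com/c/msdownload/update.cab 200 12345",
    "2026-04-02T10:17:10Z 10.0.0.23 GET https://example.org/tools/setup.msi 200 2048",
    "2026-04-02T10:18:00Z 10.0.0.24 GET https://microsoft-update.support/index.html 200 512",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

Only the first sample line is flagged; the real Windows Update host, the unbranded installer and the HTML page pass through.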

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • Electron (platform)
  • Windows (platform)
  • Python (tool)
  • WiX Toolset (tool)