Attention! This Fake Windows 11 Update Download Site Spreads Password-Stealing Malware

Always get updates from Windows Update settings or official Microsoft domains only



Every now and then, Windows 11 users run into issues triggered by official updates, or by something that only looks like one. Although most users are cautious about online scams and fraudulent sites, Malwarebytes is now warning about a fake Windows support website that is reportedly spreading malware disguised as a routine system update (via Neowin).

Fake Windows update website spreads infostealer malware

Per the cybersecurity company, security researchers have flagged a campaign using a typosquatted domain that closely mimics an official Microsoft support page. The site reportedly presents a fake cumulative Windows 11 version 24H2 update, complete with a believable KB-style reference and a large download button that encourages users to install it. Here’s what the site and domain look like:

Image credit: Malwarebytes

Once downloaded, the file appears as a standard Windows update package, but it actually installs malware designed to steal passwords, payment details, and account access. What makes it more dangerous is how legitimate it looks on the surface, with Microsoft-like branding and file properties that can easily mislead users.

The report further details that the installer is built using an authentic packaging tool, which helps it avoid immediate detection by security software. That gives scammers an advantage in slipping past both automated scanners and unsuspecting users. Interestingly, the attack chain doesn’t stop there.

Once executed, it reportedly deploys an Electron-based application along with scripts that launch additional payloads in the background. These components are designed to blend into normal system processes, which eventually makes the infection harder to notice in real time.

Hidden persistence and data theft tactics raise concerns

What stands out is how the malware maintains persistence. It reportedly modifies startup entries and places disguised shortcuts in system folders, ensuring it runs again after reboot. In parallel, it also connects to external servers to gather system details and send stolen data. The campaign appears highly targeted, with researchers noting a focus on French-speaking users. This is likely related to previous large-scale data leaks, which give attackers enough personal information to craft convincing lures.

The fact that early analysis reportedly showed zero detections across multiple antivirus engines is concerning, largely because the malicious logic is hidden inside obfuscated scripts and legitimate software layers.

All that said, we always recommend that users rely on the official Windows Update settings or legitimate Microsoft domains such as the Microsoft Update Catalog to download and install updates. Never download updates or apps from unfamiliar or suspicious sites. This small habit can save you from being scammed online or getting hacked.
