Fake Windows 11 24H2 Update Poses as Legit Download to Steal Data


Security researchers at Malwarebytes have discovered a fake Windows 11 24H2 update campaign that steals sensitive data from Windows PC users.

The attackers host a very convincing Microsoft-style support page on a site called “microsoft-update[.]support” and encourage visitors to download what they claim is a cumulative update for Windows 11 24H2. In reality, the download is an MSI installer named (*11*) that uses legitimate packaging tools and spoofed Microsoft metadata to look genuine.

When people run the installer, it sets up an Electron-based app in the AppData folder and launches it through a script that uses Windows’ own cscript.exe tool. This chain then starts a renamed Python interpreter, loads a Python environment, and then loads additional modules that the malware uses to steal data.

Researchers say the malware grabs browser-stored passwords, cookies, account sessions, and even Discord data, then sends this information to attacker-controlled servers and file-sharing services.

The fake updater runs on every reboot. It creates a Run key called “SecurityHealth” in the user’s registry that points to the installed WindowsUpdate.exe. It also adds a shortcut named “Spotify.lnk” in Startup that quietly opens the malware. It’s been reported that early samples showed zero detections on popular scanning services.

Experts say users should only get Windows 11 24H2 updates from the Windows Update settings menu or official Microsoft domains. Anyone who installed this fake update should remove the listed files and registry entries, run a full malware scan, and change passwords for accounts that browsers saved on the affected PC.
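
The two persistence artifacts described above can be checked on a suspect PC with a short, read-only PowerShell triage. This is an added example, not code from Malwarebytes or the original report; the function name and the heuristics (a Run value that references WindowsUpdate.exe or an AppData path, a Spotify.lnk whose target is not Spotify.exe) are assumptions.

```powershell
# Added example: read-only check for the two persistence artifacts named in the article.
# It reports what it finds and changes nothing on the system.
function Get-FakeUpdatePersistence {   # hypothetical helper name
    $findings = @()

    # 1. Per-user Run value "SecurityHealth" (the article places it in the user's registry).
    #    Windows Security registers a value with the same name under HKLM, so only HKCU is read here.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'SecurityHealth' -ErrorAction SilentlyContinue
    if ($run) {
        $cmd = [string]$run.SecurityHealth
        $findings += [pscustomobject]@{
            Artifact   = 'HKCU Run value "SecurityHealth"'
            Value      = $cmd
            # Assumed heuristic: the article says the value points to WindowsUpdate.exe,
            # installed under AppData.
            Suspicious = ($cmd -match 'WindowsUpdate\.exe' -or $cmd -match '\\AppData\\')
        }
    }

    # 2. "Spotify.lnk" in the current user's Startup folder.
    $lnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'Spotify.lnk'
    if (Test-Path -LiteralPath $lnk) {
        # Resolve the shortcut so the analyst sees what it actually launches.
        $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk)
        $target = [string]$sc.TargetPath
        $findings += [pscustomobject]@{
            Artifact   = "Startup shortcut $lnk"
            Value      = ("$target $($sc.Arguments)").Trim()
            # Assumed heuristic: a shortcut named Spotify that does not launch Spotify.exe.
            Suspicious = ([System.IO.Path]::GetFileName($target) -ne 'Spotify.exe')
        }
    }

    $findings
}

$result = Get-FakeUpdatePersistence
if ($result) { $result | Format-List } else { 'Neither artifact is present for this user.' }
```

Run it in the affected user's session, since both locations are per-user. A clean result covers only these two persistence points and does not replace the full malware scan.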
