This fake Windows support website delivers password-stealing malware


A fake Microsoft support website is tricking people into downloading what looks like a routine Windows update. Instead, it installs malware designed to steal passwords, payment details, and account access. Because the file looks legitimate and evades detection, it can slip past both users and security tools.

A very convincing Windows update

We spotted the campaign at microsoft-update[.]support, a typosquatted domain dressed up to look like an official Microsoft support page. The site is written entirely in French (though these campaigns tend to spread quickly) and offers a fake cumulative update for Windows version 24H2, complete with a plausible KB article number. A large blue download button invites users to install the update.

Fake Windows update site. Look at that convincing URL!

What gets downloaded is WindowsUpdate 1.0.0.msi, an 83 MB Windows Installer package. At first glance, everything looks legitimate. Its file properties are carefully spoofed: the Author field reads “Microsoft,” the title reads “Installation Database,” and the Comments field claims it contains “the logic and data required to install WindowsUpdate.”

The package was built with WiX Toolset 4.0.0.5512, a legitimate open-source installer framework, and was created on April 4, 2026.

Fake Windows update delivers an infostealer

Why this campaign is targeting France

The choice to target French-speaking users is not random. France has suffered a historic cascade of data breaches over the past two years, leaving a staggering amount of personal information circulating on criminal marketplaces. The breaches provide the raw data, and campaigns like this one turn it into highly believable scams.

In October 2024, Free, France’s second-largest internet service provider, confirmed that an attacker had accessed personal data for roughly 19 million subscriber contracts, including bank account details. Just weeks earlier, Société Française du Radiotéléphone (SFR) disclosed its own breach exposing customer names, addresses, phone numbers, and banking details.

Earlier in 2024, France Travail, the national public employment service, suffered an intrusion that compromised the data of 43 million people, covering current and former jobseekers spanning 20 years. Researchers also found an unprotected Elasticsearch server aggregating 90 million records from at least 17 separate French breaches into a single database.

This torrent of leaked data has made France an attractive target for credential theft. KELA’s 2025 infostealer research identified France among the top countries for victims, alongside Brazil, India, the US, Spain, the United Kingdom, and Indonesia.

When attackers already have a victim’s name, address, and ISP from a previous leak, a French-language “Windows update” page becomes a far more convincing lure than a generic English one.

Electron on the outside, Python on the inside

When the MSI executes, it installs an Electron application (essentially a stripped-down Chromium browser bundled with custom JavaScript) to C:\Users\<username>\AppData\Local\Programs\WindowsUpdate.

The main binary, WindowsUpdate.exe, is a renamed copy of the standard Electron shell; VirusTotal’s metadata identifies it as electron.exe. Across 69 antivirus engines, it drew zero detections because the executable itself is clean. This means the malicious logic lives inside the Electron app’s bundled JavaScript (typically packaged as app.asar).

Alongside the Electron shell sits AppLauncher.vbs, a Visual Basic Script that acts as the initial launcher. The system’s built-in cscript.exe interpreter runs the VBS, which then starts the Electron app, a classic living-off-the-land technique that avoids launching the payload directly and keeps the execution chain looking routine in process logs.

But the Electron wrapper is only the outer layer. Once running, WindowsUpdate.exe spawns _winhost.exe, a renamed Python 3.10 interpreter disguised to resemble a legitimate Windows process. This process unpacks a full Python runtime into C:\Users\<username>\AppData\Local\Temp\WinGet\tools, along with python.exe and supporting libraries.

It then installs a set of Python packages commonly seen in data theft tools:

  • pycryptodome, used to encrypt stolen data
  • psutil, used to inspect running processes and detect sandbox environments
  • pywin32, which provides deep access to the Windows API
  • PythonForWindows, used to interact with system internals such as processes and privileges

Analysis of the Electron app’s JavaScript confirms this. Two heavily obfuscated files, processed using techniques like control-flow flattening and opaque predicates, contain the core functionality.

The larger file (~7 MB) is the main stealer payload, with references to pbkdf2, sha256, and AES decryption routines, as well as a campaign expiration check. The smaller file (~1 MB) targets Discord: because Discord runs on Electron, the script modifies its code to intercept login tokens, payment details, and two-factor authentication changes when the app is opened.

Both files returned zero detections across major antivirus engines, the result of malware that hides inside legitimate software and heavily obfuscated code.

Two ways it survives a reboot

The malware sets up two independent persistence mechanisms.

First, reg.exe writes a value called SecurityHealth under the user’s CurrentVersion\Run registry key, pointing to WindowsUpdate.exe. The value name impersonates Windows Security Health, the service responsible for Defender notifications. It’s something most users and even IT staff would scroll past without suspicion.

Second, cscript.exe drops a shortcut file named Spotify.lnk into the user’s Startup folder. Anyone who notices it would likely assume Spotify had configured itself to launch at login.

Two persistence mechanisms, two different disguises, each designed to look like something the user would expect to see.

Fingerprinting the victim, phoning home, uploading the haul

Within seconds of launching, WindowsUpdate.exe reaches out to www.myexternalip.com and ip-api.com to discover the victim’s public IP address and geolocation. This kind of reconnaissance is a near-universal trait of infostealers, telling the operator where the victim is and potentially determining what data gets collected.

The malware then contacts its command-and-control (C2) infrastructure. It reaches datawebsync-lvmv.onrender[.]com, a C2 endpoint hosted on Render, and sync-service.system-telemetry.workers[.]dev, a relay running on Cloudflare Workers. That second domain is particularly crafty: “system-telemetry” is exactly the kind of subdomain a network analyst might dismiss as legitimate monitoring traffic during a quick log review.

For exfiltration, the malware turns to store8.gofile[.]io, a file-sharing service that allows anonymous uploads. Gofile has become a favorite among commodity stealers because it’s free, ephemeral, and produces no paper trail for the operator.

Hundreds of processes killed before breakfast

Sandbox telemetry captured more than two hundred separate invocations of taskkill.exe, each launched as an individual process. While the specific target processes weren’t recorded in the condensed telemetry, the sheer volume and pattern is consistent with infostealers that systematically terminate security tools, browser processes (to unlock credential databases), and competing malware before beginning their collection routine. Kill everything that might interfere, then get to work.

Why the automated defenses gave it a pass

At the time of analysis, VirusTotal showed zero detections across 69 engines for the main executable and 62 for the VBS launcher. No YARA rules matched, and behavioral scoring classified the activity as low risk.

This is not a failure of any single tool. It’s the intended result of the malware’s architecture.

The Electron shell is a legitimate binary used by millions of applications. The malicious logic is hidden inside obfuscated JavaScript, which traditional antivirus tools do not deeply inspect. The Python payload runs under a misleading process name and pulls in components at runtime from what appear to be normal sources.

Individually, each piece looks harmless. It’s only when you follow the full chain, from VBS launcher to Electron app to renamed Python process to data collection and exfiltration, that the activity becomes clearly malicious.
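The "follow the full chain" point above is what a detection engineer would turn into a correlation rule rather than a file-hash match. The PowerShell below is an added example, not code from the original post or from the vendor: it takes a batch of process-creation events and checks for the stages the article describes (cscript.exe starting WindowsUpdate.exe from the per-user Programs folder, that binary spawning _winhost.exe, reg.exe writing a Run value named SecurityHealth, and a burst of taskkill.exe launches from one parent), flagging the host only when two or more stages line up. The function name `Find-FakeUpdateChain`, the event field names (`Image`, `ParentImage`, `CommandLine`, modelled on Sysmon Event ID 1), the taskkill threshold of 50, the user name "alice", and the location of _winhost.exe are all assumptions; the sample events are constructed.

```powershell
# Added example (not from the original post): correlate the stages of the
# execution chain across process-creation events. Field names follow the shape
# of Sysmon Event ID 1 / typical EDR telemetry (assumption).
function Find-FakeUpdateChain {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$TaskkillThreshold = 50   # assumption: this many kills from one parent is abnormal
    )
    $stages = [System.Collections.Generic.List[string]]::new()

    # Stage 1: cscript.exe launching the "update" binary from the per-user Programs folder
    $s1 = @($Events | Where-Object {
        $_.ParentImage -match '\\cscript\.exe$' -and
        $_.Image -match '\\AppData\\Local\\Programs\\WindowsUpdate\\WindowsUpdate\.exe$' })
    if ($s1.Count) { $stages.Add("VBS launcher -> Electron: cscript.exe started $($s1[0].Image)") }

    # Stage 2: that binary spawning the renamed Python interpreter
    $s2 = @($Events | Where-Object {
        $_.ParentImage -match '\\WindowsUpdate\.exe$' -and $_.Image -match '\\_winhost\.exe$' })
    if ($s2.Count) { $stages.Add("Electron -> Python: $($s2[0].ParentImage) spawned _winhost.exe") }

    # Stage 3: Run-key persistence written through reg.exe under the SecurityHealth name
    $s3 = @($Events | Where-Object {
        $_.Image -match '\\reg\.exe$' -and
        $_.CommandLine -match 'CurrentVersion\\Run' -and
        $_.CommandLine -match '\bSecurityHealth\b' })
    if ($s3.Count) { $stages.Add('Persistence: reg.exe wrote Run value SecurityHealth') }

    # Stage 4: a burst of taskkill.exe invocations, each its own process, from a single parent
    $bursts = @($Events | Where-Object { $_.Image -match '\\taskkill\.exe$' } |
        Group-Object -Property ParentImage | Where-Object { $_.Count -ge $TaskkillThreshold })
    foreach ($b in $bursts) { $stages.Add("Process killing: $($b.Count) taskkill.exe runs from $($b.Name)") }

    [pscustomobject]@{
        Suspicious = ($stages.Count -ge 2)   # any single stage is noisy on its own; two or more is the chain
        Stages     = $stages
    }
}

# Constructed sample telemetry for one host ("alice" is a placeholder user name)
$base = 'C:\Users\alice\AppData\Local\Programs\WindowsUpdate'
$sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\cscript.exe'; ParentImage = 'C:\Windows\System32\msiexec.exe'
                       CommandLine = "cscript.exe `"$base\AppLauncher.vbs`"" },
    [pscustomobject]@{ Image = "$base\WindowsUpdate.exe"; ParentImage = 'C:\Windows\System32\cscript.exe'
                       CommandLine = "`"$base\WindowsUpdate.exe`"" },
    # Location of _winhost.exe is not given in the article; placing it beside the wrapper is an assumption
    [pscustomobject]@{ Image = "$base\_winhost.exe"; ParentImage = "$base\WindowsUpdate.exe"; CommandLine = '_winhost.exe' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\reg.exe'; ParentImage = "$base\WindowsUpdate.exe"
                       CommandLine = "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /d `"$base\WindowsUpdate.exe`"" }
)
# Two hundred taskkill.exe launches, as the sandbox telemetry showed; targets were not recorded
$sample += 1..200 | ForEach-Object {
    [pscustomobject]@{ Image = 'C:\Windows\System32\taskkill.exe'; ParentImage = "$base\WindowsUpdate.exe"
                       CommandLine = 'taskkill.exe /F /IM <not recorded>' }
}

$result = Find-FakeUpdateChain -Events $sample
$result.Stages | ForEach-Object { "  [+] $_" }
"Suspicious: $($result.Suspicious)"
```

On the constructed sample all four stages fire and `Suspicious` is `$true`. Fed real Sysmon or EDR exports converted to the same three fields, the same function gives a defensible verdict without relying on the hash of any one file, which is the point the article makes about why per-file scanning missed this chain.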

Since our analysis, we have added detections to protect users from this threat.

What this means and what to do next

The combination of a localized phishing lure, a legitimately built MSI installer, an Electron wrapper, and a runtime-deployed Python payload shows how commodity stealers are evolving. Each layer serves a purpose: the MSI provides a familiar installation experience, the Electron shell helps the file appear clean, and the Python runtime gives flexible access to the operating system. The entire chain is built from off-the-shelf, legitimate components.

The targeting of French users follows a clear pattern. When tens of millions of personal records are already circulating, the cost of creating a convincing localized lure drops significantly. An attacker who already knows which provider a victim uses can tailor a phishing page to match what they expect to see, whether that is from their ISP or, in this case, Microsoft.

The most important takeaway is that a zero-detection VirusTotal result doesn’t mean a file is safe. It often means the malicious logic is hidden, e.g. inside obfuscated scripts or delivered at runtime, leaving little for traditional detection methods to flag.

If you think you may have installed this update, here is what to do:

  • Check your registry key. To do this, press Windows + R, type regedit, and press Enter. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for an entry named SecurityHealth pointing to WindowsUpdate.exe in your AppData folder, and delete it.
  • Look for a Spotify.lnk file in your Startup folder that you did not create, and remove it.
  • Delete the folder C:\Users\<username>\AppData\Local\Programs\WindowsUpdate
  • Clear the temporary files in C:\Users\<username>\AppData\Local\Temp\WinGet\tools
  • Change all passwords saved in your browser; assume saved credentials, cookies, and session tokens may have been compromised
  • Enable two-factor authentication, prioritizing email and financial accounts
  • Run a full system scan with an up-to-date antimalware tool (ideally one with behavioral detection)
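The manual steps above can be checked in one pass. The script below is an added example, not from the original post or the vendor: run as the affected user, it reports the running processes, the SecurityHealth Run value, the Spotify.lnk Startup shortcut (resolving where it actually points), the dropped folders, and the SHA-256 of WindowsUpdate.exe and AppLauncher.vbs against the hashes published in the article's IOC list, and removes them only when `-Remove` is passed. It assumes Windows PowerShell 5.1 or later; the `Temp\WinGet\tools` path reconstructs the backslashes that the article's rendering of the path lost, which is an assumption.

```powershell
# Added example (not from the original post): read-only triage for the artifacts
# described in the article, run as the affected user. Pass -Remove to clean up.
[CmdletBinding()]
param([switch]$Remove)

# SHA-256 values as published in the article's IOC list
$KnownHashes = @{
    'WindowsUpdate.exe' = '13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60'
    'AppLauncher.vbs'   = 'c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650'
}
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Running copies of the Electron wrapper or the renamed Python interpreter
foreach ($p in Get-Process -Name 'WindowsUpdate', '_winhost' -ErrorAction SilentlyContinue) {
    Add-Finding 'Process' $p.Path "PID $($p.Id)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Run-key value SecurityHealth pointing at WindowsUpdate.exe under AppData
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SecurityHealth' -ErrorAction SilentlyContinue
if ($run -and $run.SecurityHealth -match 'AppData.*WindowsUpdate\.exe') {
    Add-Finding 'RunKey' "$runKey\SecurityHealth" $run.SecurityHealth
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'SecurityHealth' }
}

# 3. Spotify.lnk in the per-user Startup folder; resolve the shortcut target for the report
$lnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'Spotify.lnk'
if (Test-Path -LiteralPath $lnk) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
    Add-Finding 'StartupShortcut' $lnk "target: $target"
    if ($Remove) { Remove-Item -LiteralPath $lnk -Force }
}

# 4. Hash the dropped files against the published IOCs before anything is deleted
$appDir  = Join-Path $env:LOCALAPPDATA 'Programs\WindowsUpdate'
$tempDir = Join-Path $env:TEMP 'WinGet\tools'   # backslash placement is an assumption
foreach ($name in $KnownHashes.Keys) {
    $file = Join-Path $appDir $name
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLower()
    $verdict = if ($hash -eq $KnownHashes[$name]) { 'matches published IOC' } else { 'differs from published IOC' }
    Add-Finding 'FileHash' $file "$hash ($verdict)"
}

# 5. Dropped program folder and the unpacked Python runtime
foreach ($dir in $appDir, $tempDir) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $count = (Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
    Add-Finding 'Directory' $dir "$count files"
    if ($Remove) { Remove-Item -LiteralPath $dir -Recurse -Force }
}

if ($findings.Count -eq 0) { 'No artifacts from this campaign were found for the current user.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Save it as, for example, `Check-FakeUpdate.ps1`, run it once without switches to review the report, then rerun with `-Remove`. A hash that differs from the published IOC still deserves attention: the article's point is that the binaries are renamed copies of legitimate Electron and Python, so a rebuilt sample would carry a different hash while leaving the same folder, Run value and shortcut behind.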

How to update Windows safely

Microsoft does offer standalone update packages through the Microsoft Update Catalog (catalog.update.microsoft.com), but that is the only legitimate source for manual downloads. Any other site offering a Windows update as a file should be treated as suspicious.

Be wary of pages that mimic Microsoft Support or Windows Update. These can look convincing, but the URL is what matters. Legitimate Microsoft pages are only served from domains ending in microsoft.com. A domain like microsoft-update[.]support may look plausible, but it isn’t linked to Microsoft.

If you receive an email, text, or notification urging you to install an urgent update, do not click the link. Instead, open Settings > Windows Update and check directly.

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

  • 13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60 (WindowsUpdate.exe)
  • c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650 (AppLauncher.vbs)

Domains

  • microsoft-update[.]support (phishing lure)
  • datawebsync-lvmv[.]onrender[.]com (C2)
  • sync-service[.]system-telemetry[.]workers[.]dev (C2 relay)
  • store8[.]gofile[.]io (exfiltration)
  • www[.]myexternalip[.]com (IP reconnaissance)
  • ip-api[.]com (geolocation)

File System Artifacts

  • C:\Users\<username>\AppData\Local\Programs\WindowsUpdate\WindowsUpdate.exe
  • C:\Users\<username>\AppData\Local\Programs\WindowsUpdate\AppLauncher.vbs
  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk
