Fake Windows 11 support site distributes malicious “update” designed to steal data

The cybersecurity company Malwarebytes has issued a warning about a fraudulent Windows support website that offers users a “cumulative update” download for Windows 11 24H2. Both the webpage and the file appear highly convincing and do not raise immediate suspicion. Clicking the “Download update” button triggers the download of an 83 MB package designed to steal passwords, payment details, and user account credentials.

Mechanism of deception and file structure

The malicious package was built using WiX Toolset version 4.0.0.5512 — a legitimate open-source installer creation tool. The file, named WindowsUpdate 1.0.0.msi, contains falsified metadata: the “Author” field lists Microsoft, while the title is set to Installation Database. File comments claim it contains “logic and data required to install WindowsUpdate,” which can mislead inexperienced users.

Antivirus evasion techniques and hidden logic

Researchers at Malwarebytes highlight the exceptional stealth of this malware. At the time of analysis, VirusTotal reported 0 detections out of 69 antivirus engines for the main executable file and 0 out of 62 for the VBS loader. The malware’s effectiveness lies in its architecture: the Electron shell, used by millions of applications, conceals malicious logic within obfuscated JavaScript code that antivirus solutions do not thoroughly inspect. Additionally, a Python-based payload is employed, executed under a spoofed process name and dynamically loading components from legitimate sources during runtime. Only full-chain behavioral analysis allows the detection of data exfiltration.

Attackers are using the domain microsoft-update.support, whereas the official support website is located at support.microsoft.com. Malwarebytes has already added this threat to its detection database for automatic identification.
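The difference between the two hostnames above can be checked mechanically in a proxy or mail filter. The following is an added example, not code from Malwarebytes or from this article; it assumes that anything under microsoft.com counts as official, and the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# support.microsoft.com is the official site named in the article; treating all
# of microsoft.com as official is an assumption of this example.
OFFICIAL_DOMAINS = ("microsoft.com",)
BRAND_TOKENS = ("microsoft",)


def host_of(url: str) -> str:
    """Return the lowercased host a browser would actually connect to."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = urlsplit(url).hostname or ""  # drops userinfo and port
    return host.rstrip(".")


def is_official(host: str) -> bool:
    # Match on a label boundary so "microsoft.com.example.net" and
    # "notmicrosoft.com" do not pass as official.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(url: str) -> str:
    host = host_of(url)
    if is_official(host):
        return "official"
    # Remove separators so "micro-soft" style splits still match the brand.
    squashed = re.sub(r"[^a-z0-9]", "", host)
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Constructed sample URLs (paths are made up); support.microsoft.com and
# microsoft-update.support are the hostnames named in the article.
SAMPLES = [
    "https://support.microsoft.com/en-us/windows",
    "https://microsoft-update.support/download",
    "https://support.microsoft.com.example.net/kb",
    "https://support.microsoft.com@microsoft-update.support/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):10} {u}")
```

The fourth sample shows why the check is made on the parsed host rather than on the raw string: the text before the `@` is userinfo, so the connection goes to the lookalike domain.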

