A convincing fake
Windows 11 24H2 update is making the rounds, and the danger is not a broken patch or a botched reboot. It is a
malicious installer disguised as a Microsoft download page, built to steal passwords, browser sessions, payment data, and other sensitive information from unwary users. Malwarebytes says the campaign uses a typosquatted domain, polished branding, and a fake KB number to look legitimate at first glance, while quietly delivering infostealer malware instead.
Background
Windows users have always had a complicated relationship with updates. On one hand, updates are essential for security, compatibility, and reliability; on the other, they can occasionally break features, cause performance regressions, or introduce temporary headaches that keep IT departments busy. That tension is exactly why fake update scams are so effective: they exploit a user’s expectation that updates are routine, necessary, and safe.
The latest campaign is particularly persuasive because it borrows the visual language of Microsoft support and Windows servicing. According to Malwarebytes, the phishing site uses a French-language interface, a familiar layout, a prominent download button, and a KB-style identifier to imply that the page is part of the normal update process. The lure is built around
Windows 11 version 24H2, which is a current and recognizable release name, making the deception feel plausible to casual visitors.
Microsoft’s own documentation makes clear how Windows updates are supposed to arrive. The company directs users to use
Windows Update and the update history pages for their installed version, and it notes that the most recent update is the safe path for receiving prior fixes as well. That official model is very different from downloading a random standalone “update” from an unfamiliar site, which is precisely the gap attackers try to exploit.
The fake package also abuses trust in software engineering tools. Malwarebytes says the installer was built with
WiX Toolset, a legitimate open-source framework, which helps the file appear ordinary to defenders and users alike. The broader lesson is uncomfortable but simple: if malware is wrapped in reputable tooling, signed-looking metadata, and ordinary file formats, it can slip past the intuition that many people still use as their first line of defense.
Why this matters now
This is not just another generic phishing page. It is a reminder that modern malware campaigns increasingly imitate the
process of trust, not merely the brand. Attackers now copy update UX, use branded domain names, and stage payload delivery in layers that resemble normal software installation.
- The lure is built around a real Microsoft product name.
- The page borrows official-looking language and design cues.
- The installer uses legitimate packaging tools to blend in.
- The payload focuses on credential theft and session hijacking.
- The target audience appears to be primarily French-speaking Windows users.
What Malwarebytes Found
Malwarebytes identified the campaign at a domain designed to resemble Microsoft support:
microsoft-update[.]support. The site’s presentation is intentionally familiar, and it offers what appears to be a normal Windows 11 cumulative update, complete with a believable KB reference and a download button that invites immediate action. That kind of social engineering works because it reduces the user’s sense of friction right when caution is most needed.
The download is an
83 MB MSI package named “WindowsUpdate 1.0.0.msi.” Malwarebytes says the file properties are spoofed to look as if Microsoft authored it, including generic installation metadata that would not alarm a casual observer. The campaign also appears to have been created on April 4, 2026, just days before the blog post describing it, which suggests a fairly fresh and active operation.
The deception in the KB number
One of the most telling details is the fake KB reference. Malwarebytes says the site advertises
KB5034765 as if it were tied to Windows 11 24H2, but Microsoft’s own support page shows that KB5034765 was released on February 13, 2024 for
Windows 11 version 22H2 and 23H2, not 24H2. That mismatch is small enough to miss in a hurry, but large enough to reveal the fraud.
That is a classic scam technique: borrow a real identifier, then transplant it into a false context. Most users will not cross-check build numbers or release dates, especially when the page looks polished and the download appears to solve a problem they already expected to fix. The campaign succeeds by exploiting that exact moment of low skepticism.
- The domain is intentionally lookalike.
- The KB number is real but contextually wrong.
- The installer is large enough to seem credible.
- The file metadata is crafted to look official.
- The target language is French, which narrows suspicion.
How the file avoids instant suspicion
Malwarebytes reports that the executable itself was initially clean across dozens of security engines at the time of analysis. That is not the same as being safe; it means the malicious logic may be delayed, layered, or hidden behind a clean front-end installer. In practice, that gives the attacker a head start, especially against people who judge a file by first impressions or a quick antivirus scan.
The malware also uses trusted technologies like
Electron and scripting layers to make the execution chain less obvious. That approach creates a kind of camouflage through normality: each individual component can look routine, while the combined behavior is clearly malicious. It is a reminder that defenders increasingly have to analyze workflows, not just binaries.
The Delivery Chain
According to Malwarebytes, the installer drops a
Visual Basic script that launches the Electron-based application, which then spawns a disguised
Python process. That process installs multiple packages associated with data theft and system inspection, which is a strong sign that the campaign is meant to collect rather than merely disrupt. The execution path is intentionally indirect, because indirection can hide suspicious behavior from both users and some security tools.
This is a familiar pattern in modern infostealer campaigns. Rather than deliver a single obvious payload, attackers assemble a chain of legitimate-looking components that each do one small part of the job. The result is more modular, more portable, and often harder to classify quickly.
Why Electron and Python matter
Electron is everywhere because it simplifies cross-platform app development, but that popularity also gives attackers a ready-made trust wrapper. Python is similarly useful because it can be used for orchestration, automation, and credential harvesting with relatively little friction. Put together, they create an environment where malicious behavior can hide inside familiar tooling.
There is a strategic reason to prefer these layers. Security products often flag raw malware families faster than they flag a browser shell, a script, or a benign installer framework. That means the attacker gets to operate in the gray space between “clearly suspicious” and “obviously malicious,” which is exactly where many compromises begin.
- VBScript provides a simple first-stage launcher.
- Electron helps disguise malicious logic inside a familiar app shell.
- Python provides flexible data-gathering and automation.
- WiX Toolset makes the installer look routine.
- The multi-stage design slows straightforward detection.
A campaign built for patience
The structure also suggests that the attackers are not relying on one dramatic exploit. They are betting on user trust, installer legitimacy, and enough execution time to collect useful information before defenders notice. That is an especially dangerous combination because it rewards the attacker even when the infection is only partially successful.
What the Malware Steals
Malwarebytes says the malware can extract
browser-stored credentials,
Discord tokens, and payment-related information. That puts the campaign squarely in the infostealer category, where the immediate goal is to harvest data that can be monetized, resold, or reused for account takeover. The theft may start with one machine, but the downstream damage often reaches email, cloud services, gaming accounts, and financial platforms.
This kind of theft is especially dangerous because browser sessions and tokens often bypass the need for a password. If an attacker can steal a session cookie or token, they may be able to access accounts even when multi-factor authentication is enabled, depending on the service and how the session is managed. That is why infostealers are so valuable to criminal crews: they are small, quiet, and often devastatingly effective.
From passwords to payment data
The campaign is not content with a single credential dump. Malwarebytes says the payload also looks for payment-related information, which could include stored card data, autofill records, or other browser-cached artifacts. The more data it can gather, the more useful the infection becomes to the criminals behind it.
That broad collection strategy is what separates commodity malware from a truly profitable operation. A password alone may not yield much, but a password combined with a browser profile, Discord token, and financial artifacts can give attackers multiple ways to exploit the same victim. It is a volume game with a surprisingly high payout.
- Browser passwords are the obvious prize.
- Session tokens can be even more dangerous than passwords.
- Payment data expands monetization options.
- Gaming and chat accounts can be resold or abused.
- The stolen data can seed later phishing or fraud campaigns.
Why infostealers are so effective
Infostealers work because they target the weakest point in many modern systems: the human workflow around convenience. People save passwords, keep sessions open, and trust update prompts more than random files. That behavior is understandable, but it creates a sweet spot for attackers who want broad access with minimal technical complexity.
Persistence and Evasion
The campaign reportedly uses multiple persistence tricks, including a
registry entry disguised as a Windows security component and a startup shortcut masquerading as a Spotify launcher. That combination is clever because it blends into places where legitimate software often leaves traces. It also means the malware has a better chance of surviving reboots and staying active long enough to keep stealing data.
Persistence is where many infections either become nuisances or turn into sustained compromises. A one-time execution might be bad enough, but a foothold that survives reboot can keep harvesting credentials and re-establishing itself after a cleanup attempt. That makes the cleanup problem much harder for both home users and enterprise defenders.
The problem with legitimate-looking persistence
The use of a disguised Spotify
.lnk file is especially telling. Attackers know startup locations are common, so they attempt to hide in plain sight with filenames and icons that feel ordinary. If a user glances at the startup folder or registry and sees something that resembles a normal component, the malware gains time it should not have.
This is a recurring theme across recent malware campaigns: blend in, wait, then act. Rather than trying to look like a virus, the malware looks like a utility, a launcher, or an ordinary system entry. That subtlety matters because defenders are often overwhelmed by volume, and attackers are counting on exactly that overload.
- Registry-based persistence is harder to spot casually.
- Startup folders remain popular because they are trusted territory.
- False branding can delay manual inspection.
- Reboot survival increases the value of each infection.
- Persistence buys the attacker more collection time.
A lesson for defenders
The practical takeaway is that endpoint security cannot stop at the installer boundary. Security teams need visibility into process trees, scripts, child processes, and persistence artifacts, because the most dangerous part of the attack may not be the file the user first downloads. It is the chain that follows.
Why France Is the Focus
Malwarebytes says the campaign is primarily targeting users in France, and that detail matters because phishing works better when it is culturally and linguistically aligned. A French-language page instantly lowers the barrier for French-speaking victims while also making the lure feel local and relevant. That is a classic way to raise click-through rates without needing any technical exploit.
The research also connects this targeting to the broader French data breach landscape, noting that France has suffered a series of breaches that left personal data in circulation on criminal markets. Even without over-reading the motive, it is reasonable to infer that attackers prefer regions where stolen identity data, leaked credentials, and familiarity with local brands can improve their success rates.
Language as a weapon
Language choice is not cosmetic in phishing. It shapes trust, urgency, and the victim’s willingness to follow instructions without second-guessing the page. When the fraudster speaks the victim’s language, uses the right update terminology, and references plausible local expectations, the scam becomes far more convincing.
That is why region-specific targeting is so effective. It lets criminals avoid the awkwardness of a one-size-fits-all scam and instead deliver a more convincing experience to the people most likely to engage. In this case, the French-only presentation is part of the attack itself.
- French localization increases credibility.
- Localized scams reduce obvious red flags.
- Regional data breaches can increase victim susceptibility.
- Attackers can tune lures to local habits and terminology.
- Geographically focused phishing often yields better conversion.
The broader geopolitical flavor
There is a temptation to read every campaign through a geopolitical lens, especially when it aligns with recent public discussions about software sovereignty and platform independence. But the safer conclusion is narrower: cybercriminals will exploit any environment that offers a believable story and a pool of likely victims. The data, not the politics, is doing the heavy lifting here.
How This Differs From Legitimate Windows 11 24H2 Updates
Microsoft’s Windows 11 24H2 update history page makes clear that the real update process is centralized, documented, and version-specific. Genuine updates are published through Microsoft’s channels, and the company directs users to the Windows Update release flow or official support pages for information on their current version. That is very different from a standalone download hosted on a lookalike site.
The distinction matters because Windows update naming can be confusing even when everything is legitimate. Users see terms like KB numbers, cumulative updates, preview builds, OOBE updates, and release history pages, and that complexity creates room for fraud. Attackers do not need to understand the system better than Microsoft; they only need to imitate it well enough to fool the average user.
Version numbers are not decorations
The fake campaign’s misuse of KB5034765 underscores a useful rule: version numbers are clues, not ornamentation. If the page claims to deliver a 24H2 update but cites a package officially tied to 22H2 and 23H2, the mismatch should be treated as a major warning sign. Precision is often the easiest way to expose a forged update.
In legitimate servicing, the version trail is internally consistent. Microsoft’s support pages tie update numbers to release dates, OS builds, and applicability statements, which is exactly what malware pages often get wrong or selectively fake. In other words, the details that look boring are usually the most important ones.
- Official updates have clear applicability statements.
- KB numbers map to specific builds and dates.
- Microsoft support pages use consistent release metadata.
- Fake pages often reuse real identifiers out of context.
- Mismatched build numbers are a strong scam indicator.
Why the Windows Update channel is safer
The safest path remains the one Microsoft designed:
Settings > Windows Update. Microsoft explicitly describes that route as the place where users can check for updates, install them, and view update history. If the update is real, the system knows how to get it; if a website is asking you to install a “Windows update” manually, the burden of proof should be extraordinarily high.
The Bigger Security Pattern
This campaign is part of a broader trend in which attackers weaponize
normal user behavior rather than exploit obscure code flaws. Fake support pages, malicious ads, deceptive installers, and browser-based lures all succeed by presenting a familiar task in an unfamiliar context. The psychology is as important as the payload.
Malwarebytes has reported similar campaigns in which fake Windows update screens, fake utility pages, and fake branded software installers were used to distribute infostealers and loaders. The consistency across these campaigns suggests that the model works: if users believe they are doing maintenance, they are more likely to bypass caution.
Trust is now part of the attack surface
For years, security advice focused on suspicious attachments, strange links, and obvious scams. That is still necessary, but no longer sufficient. Today, the trusted channel itself can be spoofed convincingly enough that the user’s biggest vulnerability is the assumption that routine maintenance is inherently safe.
That changes how we should think about endpoint defense and user education. The key question is no longer merely “Does this look malicious?” but “Should this action be possible outside the official toolchain at all?” That is a more demanding standard, but the threat landscape now requires it.
- Fake update pages exploit user habits, not technical ignorance alone.
- Attackers increasingly mimic routine IT maintenance.
- Browser data remains a high-value target.
- Session tokens can be as valuable as passwords.
- Trustworthy tooling can be repurposed for malicious ends.
Strengths and Opportunities
The silver lining is that this campaign leaves behind several defensive opportunities. Because it leans on social engineering and delivery-chain abuse rather than a novel kernel exploit, it is more vulnerable to layered defenses, user training, and platform hardening than a true zero-day would be. The more consistent the attack pattern becomes, the easier it is to spot and block.
- Microsoft already provides a clearly defined update path through Windows Update.
- Mismatched KB references can be used as fast validation checks.
- Endpoint tools can inspect installer behavior, not just file hashes.
- Browser session protections can limit some post-theft abuse.
- Security teams can block typosquatted domains and lookalike infrastructure.
- User education can reduce one-click trust in manual “update” downloads.
- Telemetry from process chains can reveal hidden script and Python stages.
Risks and Concerns
The biggest danger is not merely that a few users will get tricked. It is that the stolen data can become a multiplier, feeding follow-on phishing, account takeover, payment fraud, and access brokerage long after the original infection. Once browser tokens and credentials are out in the wild, the attack can spread through a victim’s digital life in ways that are difficult to reverse.
- Browser-stored passwords can be reused across services.
- Session tokens may bypass MFA protections in some cases.
- Payment data can lead to direct financial fraud.
- Persistence can make cleanup incomplete.
- Localized phishing can scale quickly across a language community.
- Legitimate-looking installer frameworks reduce user suspicion.
- A clean file on first scan does not guarantee a safe outcome.
Looking Ahead
The near-term expectation is that campaigns like this will keep evolving rather than disappear. As users become more alert to fake download pages, attackers will continue polishing their lures, refining their geofencing, and blending more deeply into trusted software workflows. The line between “installer” and “payload” will only get thinner.
For enterprises, the lesson is to tighten controls around software provenance, browser session protection, and privilege management. For consumers, the simplest defense is still the strongest: if a website is asking you to manually download a “Windows update,” treat it as suspicious until verified through Microsoft’s own channels. That habit will not solve every problem, but it will stop a lot of them.
What to watch next
- More regional targeting beyond France.
- Additional typosquatted domains and mirrored support pages.
- Variants using different KB numbers or Windows versions.
- Greater abuse of Electron, Python, or other trusted tooling.
- Broader use of startup persistence and registry camouflage.
- New payloads aimed at browser cookies, wallets, and cloud sessions.
If there is one durable takeaway, it is that the most effective malware no longer looks like malware at first glance. It looks like maintenance, convenience, and a harmless click, which is why the safest instinct is to slow down whenever a download claims to be a Windows update outside the normal Microsoft channel. In the current threat landscape, that pause is not hesitation; it is defense.
Source: Neowin
Beware! This "Windows 11 24H2" update download can quietly steal your sensitive data