Fake Microsoft website dropped Redline malware as Windows 11 upgrade

Fake Windows website dropped Redline malware as Windows 11 upgrade

The domain name used by threat actors in this campaign was convincing enough to trick users into downloading fake Windows installer that would lead to malware infection.

A fake Microsoft website claiming to offer the official version of the newly released Windows 11 operating system was caught delivering malware, according to researchers.

HP’s Threat Research team has disclosed a new scam in which attackers copied the design of the authentic Windows 11 website to distribute RedLine Stealer. The fake website was identified on 27 January 2022, just a day after Windows 11’s final phase upgrade was announced.

According to HP’s research department, the fake website is incredibly convincing. As per their research, a threat actor registered windows-upgradedcom domain and used it to spread malware by luring visitors into downloading/installing a fake installer.

Homepage of the fake Windows 11 upgrade site (Image: HP)

Although the website offered Windows 11 upgrades from Microsoft the difference between the legitimate and scam versions is that in the rogue site, when a user clicks on the Download Now button, instead of downloading the authentic software, it downloads a dubious 1.5MB ZIP archive titled Windows11InstallationAssistant.zip.

The HP security team decompressed the archive and discovered a 753 MB folder containing the executable Windows11InstallationAssistant.exe sized 751 MB. In a blog post, Patrick Schläpfer of HP explained,

“Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible.”

The archive was hosted on the content delivery network of Discord. This domain caught the team’s attention since it was freshly registered and copied a trusted brand’s name.

More malware news on Hackread.com

  1. New version of Jupyter infostealer delivered through MSI installer
  2. New Trickbot attack setup fake 1Password installer to extract data
  3. Fake Windows 11 installers infecting devices with adware, malware
  4. Fake KPSPico Windows activator tool KPSPico steals crypto wallet data
  5. 9-year-old Windows flaw abused to drop ZLoader malware in 111 countries

RedLine stealer distributed via fake website

Further probe revealed that the malicious actor used the domain to distribute RedLine information-stealing malware, which is quite popular among users of underground hacking forums.

The ZIP file downloads a DLL that has been disguised as a JPEG file, and the result is the installation of the RedLine Stealer malware suite that can quickly swipe usernames, passwords, cryptocurrency data, credit card numbers, and similar sensitive information.

At the time of writing, the fake website was offline.


If you are a Windows user planning to upgrade to Windows 11 there is a lesson to learn that this campaign highlights how attackers can be quick to take advantage of important, relevant, and interesting current events to create effective lures.

Moreover, prominent announcements and events are always interesting topics for threat actors, which can be exploited to spread malware. Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources.

Nevertheless, refrain from downloading applications and software from third-party websites. In case you have downloaded something from a third-party store make sure to upload it on VirusTotal for a quick yet in-depth scan from 73 anti-malware solutions.

Related Posts