
Caution: This "Windows 11 Upgrade Site" can steal your sensitive information

author:cnBeta

Since Windows 11 was first announced in June of last year, there have been many fraudulent campaigns trying to get users to download fake, malicious Windows 11 installers. Although this fraud was on hold for some time, it is now re-emerging, and its potential for harm has escalated.


The earlier lull came about because Windows 11 at the time was not open to the public but only to Insiders, who are generally more tech-savvy and more alert. Since then, however, Windows 11 has been opened to the general public, and plans are in place to accelerate its rollout, which makes the current situation more complicated: the pool of potential victims is now far larger and less experienced.

The new malware campaign was discovered by the HP threat research team, who noticed a new fake website that looked like Microsoft's but was actually distributing files carrying the RedLine stealer malware.

The site's name is "windows-upgraded[.com]". As the screenshot of the site shows, it could pass for a real Microsoft site for anyone not paying close attention, since its layout and appearance closely mimic the real thing.

When a visitor clicks the "Download Now" button, the browser downloads a 1.5 MB zip archive named "Windows11InstallationAssistant.zip". HP noted that this 1.5 MB file expands to 753 MB when unzipped, a compression ratio of 99.8%. A ratio that high means the content is almost entirely repeated filler bytes; padding an executable this way is a known trick for pushing it past the file-size limits of antivirus scanners and sandboxes, which often skip files above a certain size.
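The extreme compression ratio is itself a usable detection signal. The following Python script is an added example, not code from the article or from HP: it builds a constructed zip that mimics the pattern (a small archive whose main entry is an executable stub padded with one repeated byte), then inspects each entry's compressed and uncompressed sizes from the zip directory and flags entries whose ratio or expanded size crosses a threshold. The padding size, the thresholds and the entry names are assumptions chosen for the demo, not values taken from the campaign.

```python
import io
import zipfile
from collections import Counter

# Hypothetical padding size for the demo (the real sample was ~753 MB);
# kept small so the example runs in a couple of seconds offline.
PAD_BYTES = 4 * 1024 * 1024


def build_sample_zip() -> bytes:
    """Return the bytes of a constructed zip that imitates a padded installer.

    The 'installer' entry is a two-byte stub followed by a long run of a
    single byte value; DEFLATE shrinks such runs by roughly 1000:1, which
    reproduces the 'tiny archive, huge extracted file' pattern.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        payload = b"MZ" + b"\x30" * PAD_BYTES          # constructed, not real malware
        zf.writestr("Windows11InstallationAssistant.exe", payload)
        zf.writestr("readme.txt", b"Run the assistant to upgrade.\n")
    return buf.getvalue()


def inspect_zip(data: bytes, ratio_threshold: float = 0.98,
                size_threshold: int = 100 * 1024 * 1024) -> list:
    """Compute each entry's compression ratio and flag suspicious entries.

    ratio = 1 - compressed/uncompressed, so 0.998 corresponds to the 99.8%
    quoted in the article. Both thresholds are assumed values for this
    example. Only the central directory is read here; nothing is extracted,
    so this check is safe to run before any decompression takes place.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size == 0:
                continue
            # Tiny entries can grow when deflated; clamp so ratio stays in [0, 1].
            ratio = max(0.0, 1 - info.compress_size / info.file_size)
            reasons = []
            if ratio >= ratio_threshold:
                reasons.append(f"compression ratio {ratio:.1%}")
            if info.file_size >= size_threshold:
                reasons.append(f"uncompressed size {info.file_size} bytes")
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": ratio,
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return findings


def filler_fraction(data: bytes, name: str) -> float:
    """Fraction of one entry made up of its single most common byte value.

    A value close to 1.0 confirms that a high compression ratio comes from
    padding rather than from, say, a large but legitimately repetitive file.
    This does extract the entry, so run it only on entries already flagged.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        content = zf.read(name)
    if not content:
        return 0.0
    (_, count), = Counter(content).most_common(1)
    return count / len(content)


if __name__ == "__main__":
    sample = build_sample_zip()
    print(f"archive size: {len(sample)} bytes")
    for f in inspect_zip(sample):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']}: {f['compressed']} -> {f['uncompressed']} bytes, "
              f"ratio {f['ratio']:.1%} [{flag}] {', '.join(f['reasons'])}")
        if f["suspicious"]:
            print(f"  filler fraction: {filler_fraction(sample, f['name']):.4f}")
```

Because the ratio check reads only the zip directory, it can be applied at a mail gateway or download proxy without decompressing the archive, and a positive hit justifies spending the resources to extract and scan the oversized entry in full rather than skipping it because of its size.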

After reversing the package's contents, HP found that the fake Windows 11 installer carried a payload of the RedLine stealer malware, which, as the name suggests, steals sensitive information such as passwords and other credentials.
