If you’ve ever tried checking for updates and just trusted what appeared, you’re definitely not alone. There’s a new scam that exploits this very behavior.
This fraudulent page closely mimics official branding, features a trusted knowledge base number, and prominently displays a familiar blue download button. But what happens once you click that button? Unfortunately, it installs malware meant to steal passwords, payment information, and account access.
Researchers from Malwarebytes Labs found that the site uses a domain name that closely resembles a legitimate Microsoft URL, which can easily trick users at a casual glance. And sometimes that’s all it takes.
Stealthy malware installation
Initially, the file seems perfectly normal, resembling a standard Windows installation file. Even more convincing, “Microsoft” appears in the properties. The attack is quite cunning—instead of evident malicious code, the attackers used legitimate tools to craft the installer, layering the attack in ways that make each part seem harmless.
This is how it plays out behind the scenes:
- The installer starts what looks like a regular application.
- This application quietly runs hidden scripts.
- An impersonated process loads a full Python environment.
- Data theft tools commence operating in the background.
Each step appears routine enough that many security tools fail to immediately flag it. Researchers noted that antivirus software often missed key parts of the attack, which doesn’t necessarily mean the file is safe. This covert malicious activity can hide quite well.
What malware collects
Once installed, the malware works quickly to gather details from infected devices, such as location and IP addresses. It then establishes a connection to a remote server for commands and uploads stolen data. It targets:
- Saved passwords from browsers.
- Login sessions and cookies.
- Payment information.
- Discord account tokens.
In some instances, the malware may attempt to disable other running processes to avoid detection, modifying apps like Discord to track activity in real-time.
Persistence of malware
This malware is designed to hang around. It blends in by creating entries that mimic standard system processes. One registry entry, for example, pretends to be Windows Security Health, which is often disregarded by users. Additionally, it places shortcuts for well-known services like Spotify in the startup folder, making it easy to overlook. Two different methods ensure its persistence across reboots.
The realism of the scam
There’s a larger context here. Research shows these scams often target areas with a history of data breaches where personal information is already compromised. If an attacker knows your name, provider, and habits, they can craft a scam that feels much more believable. This context enhances the credibility of a fake Windows update page compared to a typical phishing email.
Today’s malware often hides within legitimate tools, making it trickier to detect. The sophistication of these attacks reflects how scammers have evolved. They no longer rely on obvious fakes, but instead create intricate attacks that resemble trusted software.
Even seasoned users might be caught off guard when everything appears normal. So, here’s a key takeaway: just because scan results look clean and the interface is familiar doesn’t guarantee safety.
Microsoft’s response
Microsoft is aware of this type of threat and advises users to be cautious when downloading updates from unknown sources. A Microsoft spokesperson noted, “We are aware of reports of fraudulent websites impersonating Microsoft and are actively working to detect and stop malicious activity online.” They recommend verifying the legitimacy of links by directly visiting Microsoft’s website through saved favorites or by entering the domain name manually.
Protecting yourself from fake update malware
Staying safe doesn’t require you to be a tech guru. Here are some straightforward habits to adopt:
1) Update Windows only from Settings
Go to Settings > Windows Update to check for updates there. Avoid downloading updates from any website.
2) Check the URL
The genuine Microsoft page will be Microsoft.com. Any variations, even slight ones, should raise a red flag.
3) Be cautious of urgent prompts
If any site or message urges you to install an update, pause and check it manually.
4) Use effective antivirus software with behavioral detection
Traditional antivirus tools usually rely on signature matching, which might not catch new or cleverly hidden attacks like this one. Look for software with behavioral detection to flag suspicious activity.
5) Utilize data deletion services
Reduce your exposure by limiting the amount of personal information available online. This makes scams based on your data less convincing.
6) Enable two-factor authentication
Two-factor authentication adds another layer of safety in case your password is compromised.
7) Avoid downloading installers from unknown sites
Legitimate updates typically don’t require manual downloads.
Final thoughts
Fake updates are particularly effective because they exploit a trust we all have in software updates. Ensuring your system is secure doesn’t have to be a risky endeavor, but that’s precisely what attackers are capitalizing on. The best strategy is to slow down, verify update sources, and use built-in tools whenever feasible.
Are technology companies doing enough to guard against these phishing attacks? Let us know your thoughts in the comments or by email.
