Security researchers at Malwarebytes have discovered a fake Windows 11 24H2 update campaign that steals sensitive data from Windows PC users.
The attackers host a highly convincing Microsoft-style support page on a domain called "microsoft-update[.]support" and encourage visitors to download what they claim is a cumulative update for Windows 11 24H2. In reality, the download is an MSI installer named "WindowsUpdate 1.0.0.msi" that uses legitimate packaging tools and spoofed Microsoft metadata to look genuine.
When users run the installer, it sets up an Electron-based app in the AppData folder and launches it via a script that uses Windows' own cscript.exe utility. This chain then starts a renamed Python interpreter, loads a Python environment, and then loads additional modules that the malware uses to steal data.
Researchers say the malware grabs browser-saved passwords, cookies, account sessions, and even Discord data, then sends this information to attacker-controlled servers and file-sharing services.
The fake updater runs on every reboot. It creates a Run key called "SecurityHealth" in the user's registry that points to the installed WindowsUpdate.exe. It also adds a shortcut named "Spotify.lnk" in the Startup folder that quietly opens the malware. It has been reported that early samples showed zero detections in common scanning services.
Experts say users should only get Windows 11 24H2 updates from the Windows Update settings menu or official Microsoft domains. Anyone who installed this fake update should remove the listed files and registry entries, run a full malware scan, and change passwords for accounts that browsers saved on the affected PC.
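A read-only triage check for the two persistence points described above, added here as an example and not taken from the Malwarebytes report: it looks for the "SecurityHealth" value under the current user's Run key and a "Spotify.lnk" in the user's Startup folder, resolves what each points to, and reports without deleting anything. The "suspicious" heuristics (an AppData path or WindowsUpdate.exe in the Run value, a shortcut target that is not Spotify.exe) are my assumptions, so review the output before removing entries.

```powershell
# Added example, not from the original report: read-only triage for the
# persistence mechanisms described above. Nothing is deleted here.
$findings = @()

# 1. Per-user Run value "SecurityHealth" pointing at the dropped WindowsUpdate.exe.
#    Windows' own SecurityHealth entry (SecurityHealthSystray.exe) lives under
#    HKLM and points into System32, so a per-user value aimed at AppData is the
#    suspicious case. The heuristic below is an assumption for this example.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SecurityHealth' -ErrorAction SilentlyContinue
if ($run) {
    $target = [string]$run.SecurityHealth
    $findings += [pscustomobject]@{
        Location   = "$runKey\SecurityHealth"
        Target     = $target
        Suspicious = ($target -match 'WindowsUpdate\.exe' -or $target -match 'AppData')
    }
}

# 2. Startup-folder shortcut named "Spotify.lnk" whose target is not Spotify.
#    The .lnk is resolved through the WScript.Shell COM object so the real
#    target and arguments are shown rather than the misleading file name.
$startup = [Environment]::GetFolderPath('Startup')
$lnk = Join-Path $startup 'Spotify.lnk'
if (Test-Path $lnk) {
    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnk)
    $findings += [pscustomobject]@{
        Location   = $lnk
        Target     = "$($sc.TargetPath) $($sc.Arguments)".Trim()
        Suspicious = ($sc.TargetPath -notmatch 'Spotify\.exe')   # assumed heuristic
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SecurityHealth Run value or Spotify.lnk startup shortcut found.'
} else {
    # Anything flagged Suspicious=True should be preserved for analysis
    # (copy the file, export the key) before cleanup and a full scan.
    $findings | Format-Table -AutoSize
}
```

Run it in a normal user session, since both locations are per-user; a clean machine prints the "not found" line.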