Fake website promises Windows 11 upgrade and installs malware

Deepak Gupta February 10, 2022
Updated 2022/02/10 at 11:23 AM

Security researchers at HP have warned of a fake website that promises Windows 10 users a Windows 11 upgrade but actually delivers the malware known as RedLine. Criminals use this malware to steal login credentials and other information.

Since its launch last October, Windows 11 has been officially available through Windows Update and the website microsoft.com/software-download/windows11 as a free upgrade for users with supported PCs. Criminals are now using the free upgrade offer as bait to infect PCs with RedLine malware.

To do this, the criminals created a fake website on the domain “windows-upgraded.com”. Users who visit it see a page that closely resembles the official Microsoft website, with a “DOWNLOAD NOW” button that supposedly offers the Windows 11 Setup Assistant. If the user clicks the button, a file named “Windows11InstallationAssistant.zip”, 1.5MB in size, is downloaded to their computer.

Fake website discovered by HP security researchers that is used by criminals to infect PCs with RedLine malware

Unzipping the file produces a folder of about 735MB. If the user opens the executable file inside this folder, a PowerShell process starts, followed by a cmd.exe command-line process. This second process is terminated after 21 seconds, and shortly afterwards a file with a .jpg extension is downloaded to the user’s computer.
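The size mismatch reported above (a 1.5MB ZIP that unpacks to about 735MB) can be checked before anything is extracted. The following triage sketch is an added example, not code from HP or the article; the thresholds, function names and the in-memory sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Assumed triage thresholds (not from the article); tune for your environment.
RATIO_THRESHOLD = 100                # unpacked size / compressed size
MIN_UNPACKED = 50 * 1024 * 1024      # ignore executables smaller than 50 MB
EXEC_EXTS = (".exe", ".dll", ".scr")


def inflated_executables(zip_source, ratio=RATIO_THRESHOLD, min_size=MIN_UNPACKED):
    """Return [(name, unpacked_bytes, ratio)] for executables that unpack far
    larger than they are stored.

    Only the ZIP central directory is read: nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(EXEC_EXTS):
                continue
            packed = max(info.compress_size, 1)  # avoid division by zero
            member_ratio = info.file_size / packed
            if info.file_size >= min_size and member_ratio >= ratio:
                findings.append((info.filename, info.file_size, round(member_ratio)))
    return findings


def build_sample(pad_bytes):
    """Constructed sample: a stub file with a hypothetical name, padded with
    zero bytes and zipped in memory. It contains no real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample/installer.exe", b"MZ" + b"\x00" * pad_bytes)
        zf.writestr("sample/readme.txt", b"constructed sample\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, size, r in inflated_executables(build_sample(60 * 1024 * 1024)):
        print(f"{name}: {size / 2**20:.0f} MB unpacked, ratio {r}:1")
```

A hit is a reason to send the archive for analysis rather than a verdict, since some legitimate installers also compress well.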

This .jpg file contains a DLL file modified to make it difficult for security software to detect it. Once loaded, the DLL file, which is actually the RedLine malware, connects to a command and control server to receive further instructions from the criminals responsible for the attack.


To avoid falling for this type of scam, users should upgrade through Windows Update or go directly to the Microsoft website. Avoid clicking on links offered through services such as Discord and similar platforms. The full technical analysis by HP security researchers can be seen here.



Via: Neowin.net, BleepingComputer Source: HP
