Attackers use fake Windows 11 Upgrade to Spread Malware


Researchers at HP released a new article today warning of a new scam that attackers are using to spread the RedLine family of malware. This scam tricks users into downloading a fake Windows 11 upgrade package that then secretly installs the malware onto the user’s computer. This is similar to a previous campaign that impersonated a Discord download page to spread the same RedLine malware back in December 2021.

Last week, Microsoft announced that they were entering their final phase of free upgrades to Windows 11 from Windows 10 devices, which created a perfect opportunity for attackers to launch a new campaign to spread malware disguised as a Windows 11 upgrade module. People would be eager to get the update before the free offer expired. The attackers created a fake Windows 11 upgrade page that looks very similar to something that would be legitimately produced by Microsoft.

Using the domain windows-upgraded[.]com, the site includes a link to download a ‘Windows 11 upgrade assistant.’ The file downloaded is called Once extracted and executed, it installs RedLine Stealer malware using DLL files and various other means. The RedLine Stealer then gathers information from your computer, including stored passwords in web browsers, cryptocurrency wallet information, installed software, and more. It sends this information through a connection to the IP address 45[.]146[.]166[.]38 on port 2715.

This is a very sophisticated attack, perfectly timed with the Microsoft announcement to ensure it is even more effective at spreading the malware. While it can be challenging to recognize fake pages like the one shown above, here are a few tips to keep you safe from spoofing attacks like this.

Tip #1: Always go directly to the source

When downloading a piece of software or upgrading a device, be sure to always go directly to the company rather than a third-party site to ensure that you get a legitimate version of the software rather than one that may have malware installed. While there are many reputable third-party sites, getting the software directly from the source should be your first choice. This also means using update features in applications rather than manually downloading updates.

Tip #2: Verify links and search results before you click

If you Google or Bing a piece of software or an upgrade, verify which link you are clicking on before you download anything from the website. Search engines like Google often place paid advertisements in the first few results of a search. Attackers can buy those ad placements so that their malicious website appears as the top result. For example, when Googling ‘Windows 11 Upgrade’, an attacker could get their website shown as the first ad result with the tag line ‘Windows 11 Upgrade Here!’

Before you click a link in Google or download anything from a website, verify that it is legitimate. Look at the domain and ask whether it is normal for the company. For example, windows-upgraded[.]com is not a typical Microsoft URL; legitimate Microsoft download pages are hosted under microsoft[.]com. This also ties back into Tip #1: go directly to the source.

Tip #3: Verify the files you download through hashing

Many companies publish a hash for their files so that you can verify the files have not been modified. A hash is a calculated value that stays the same as long as the file does not change. For example, if I have a file titled sparkle-kittens.jpg, the hash might come out as 123abc. If that file is modified in any way, the hash changes. This lets the user know whether the file is legitimate. If a company says their file should hash to 123abc and the hash you calculate is 456def, you know that your file is not the legitimate file released by the company. You can calculate file hashes using built-in tools on Windows or Apple devices.
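As an added example (not code from the original post), the following Python script combines the checks from Tip #2 and Tip #3: it accepts a download URL only if its host is microsoft.com or one of its subdomains, and it compares the SHA-256 of a downloaded file against a vendor-published value. The allow-list, the sample file name and the sample file contents are constructed for this example.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

# Domains you are willing to download Windows software from (assumption for
# this example; a real allow-list comes from your own policy).
TRUSTED_DOMAINS = {"microsoft.com"}


def is_trusted_host(url: str) -> bool:
    """True only if the URL host is a trusted domain or one of its subdomains.
    Exact-suffix matching is used on purpose: 'windows-upgraded.com' and
    'microsoft.com.evil.example' both fail even though they look familiar."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so big installers fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches(path: str, published_hex: str) -> bool:
    """Compare the file's hash with the vendor-published value (case-insensitive)."""
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def demo() -> dict:
    """Constructed sample: a 5-byte 'download' whose published SHA-256 is known,
    then the same file after a one-byte modification."""
    published = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"  # sha256(b"hello")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upgrade-assistant.bin")  # constructed file name
        with open(path, "wb") as f:
            f.write(b"hello")
        before = hash_matches(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a tampered download
        after = hash_matches(path, published)
    return {
        "vendor_url_ok": is_trusted_host("https://www.microsoft.com/software-download/windows11"),
        "lookalike_url_ok": is_trusted_host("https://windows-upgraded.com/"),
        "untampered_ok": before,
        "tampered_ok": after,
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a real download by calling `hash_matches(path, published_hex)` with the hash copied from the vendor's page; the domain check only works when the allow-list holds the vendor's real domain, not a string you found in a search ad.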

Tip #4: Reach out to experts for help

You don’t have to go it alone. When all else fails, you can reach out to an IT expert to help you find the right software to download. Verifying software or download sites is very simple and quick with the right expertise. Your IT provider should help answer any questions about getting the software to make sure it is legitimate.

These tips should help you get the right software without worrying about downloading any malware. With the right tools and guidance in IT, you’ll be confident in your security. Not sure if your security is where it needs to be or have more questions on how you and your company can stay safe? Reach out to the security experts at Edafio for a quick consultation on how we can keep your organization from these types of attacks and more.
