This Convincing Windows 11 Upgrade Website Contains Nasty Malware

The fake website page looks identical to this official one. (Image: Microsoft)

What should be a simple process of updating your PC to Windows 11 is becoming a minefield planted with nasty malware.

Security researchers at CloudSEK informed Bleeping Computer of a fake Windows 11 upgrade website that injects malware onto a Windows PC to steal browsing data and cryptocurrency wallets.

The website, which remains active, looks identical to a Microsoft website, complete with the company’s official logos, banners, fonts, and graphics. But instead of assisting you in the upgrade process, this convincing recreation preys on unsuspecting Windows users who stumble across it in search engine results. When a user takes the bait, usually while searching for ways to install the new OS on hardware that isn’t compatible with it because of new requirements such as a TPM, the dangerous website pushes out an ISO file containing malware.

The bad actors behind this threat campaign are using a previously unknown malware that researchers are calling “Inno Stealer.” Once active, the malware plants a pair of files that disable various Windows security measures, including settings in the registry. They also wipe out software from the anti-virus companies Emsisoft and ESET.

Once the malware clears out any potential roadblocks, another downloaded file runs as a utility with the highest system privileges, while a fourth with an “.SCR” extension is dropped into `C:\Users\<username>\AppData\Roaming\Windows11InstallationAssistant` on the compromised Windows device.

Here is where the horror begins. That file unloads a payload by creating a new process called “Windows11InstallationAssistant.scr.” This executable is capable of collecting web browser cookies and stored usernames and passwords, data in cryptocurrency wallets, and data from the filesystem. Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo are some of the browsers and wallets targeted by the attack.

This stolen data is then copied to a PowerShell command, encrypted, and eventually sent to the malware creator. Additional payloads that run overnight (when users aren’t active) as TXT files can obtain clipboard information and directory enumeration data.
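The two concrete indicators the article gives, the drop directory under a user’s roaming AppData and the `Windows11InstallationAssistant.scr` process name, are enough for a simple host check. The script below is an added example for this page, not tooling from CloudSEK or BleepingComputer: it matches a process listing and a set of file paths against those two indicators, and on a Windows host it can also walk the real `C:\Users\*\AppData\Roaming` profiles and parse `tasklist /FO CSV /NH` output. The process list and paths in the sample data are constructed for illustration; a user name of `<username>` in the path is a placeholder, so the path match accepts any profile name.

```python
"""Host check for the Inno Stealer indicators named in the article.

Added example, not the researchers' tooling. Matches a process listing and
file paths against (1) the drop directory
C:\\Users\\<username>\\AppData\\Roaming\\Windows11InstallationAssistant and
(2) the process name Windows11InstallationAssistant.scr. The live scan is
Windows-only and assumes the standard `tasklist /FO CSV /NH` output format.
"""
import csv
import io
import os
import re
import subprocess
from pathlib import Path

# Indicators from the article (case-insensitive; Windows paths are case-insensitive).
PROCESS_NAME = "windows11installationassistant.scr"
DROP_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\windows11installationassistant(\\|$)",
    re.IGNORECASE,
)

# Constructed sample data standing in for a real process list and file inventory.
SAMPLE_PROCESSES = ["explorer.exe", "chrome.exe", "Windows11InstallationAssistant.scr", "svchost.exe"]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slide.scr",   # benign .scr
    r"C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr",
    r"C:\Users\bob\AppData\Roaming\Windows11InstallationAssistant",          # directory itself
    r"C:\Program Files\Windows11InstallationAssistant\setup.exe",            # same name, wrong location
]


def suspicious_processes(process_names):
    """Return process-list entries whose image name equals the stealer's process name."""
    return [p for p in process_names if p.strip().lower() == PROCESS_NAME]


def suspicious_paths(paths):
    """Return paths that are, or sit inside, any user's Windows11InstallationAssistant drop directory."""
    return [p for p in paths if DROP_DIR_RE.match(p)]


def scan_live_host():
    """Windows-only live check. Returns (matching paths, matching process entries).

    Walks every profile under %SystemDrive%\\Users for the drop directory, then
    reads image names from `tasklist /FO CSV /NH` (first CSV column).
    """
    found_paths = []
    users_root = Path(os.environ.get("SystemDrive", "C:") + "\\Users")
    if users_root.is_dir():
        for profile in users_root.iterdir():
            candidate = profile / "AppData" / "Roaming" / "Windows11InstallationAssistant"
            if candidate.exists():
                found_paths.append(str(candidate))

    procs = []
    if os.name == "nt":
        out = subprocess.run(
            ["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=False
        ).stdout
        procs = [row[0] for row in csv.reader(io.StringIO(out)) if row]

    return suspicious_paths(found_paths), suspicious_processes(procs)


if __name__ == "__main__":
    print("sample processes flagged:", suspicious_processes(SAMPLE_PROCESSES))
    print("sample paths flagged:", suspicious_paths(SAMPLE_PATHS))
    if os.name == "nt":
        paths, procs = scan_live_host()
        print("live host:", paths, procs)
```

Run it as-is to see the matches on the constructed sample; on a Windows host it also reports live findings. A hit on either indicator is a reason to isolate the machine and pull the browser and wallet credentials the article says the stealer collects, not a reason to trust a clean result: the article only names these two artifacts, and the path check deliberately ignores same-named directories outside the user profiles.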

The security researchers who unearthed this troubling threat say the malware doesn’t share code with other samples they’ve seen. However, luring users with Windows 11 upgrade promises is not a novel approach. Last year, right around the time Microsoft announced the widespread deployment of Windows 11, cybersecurity researchers at HP uncovered fake Windows 11 installers that could push malware onto systems and grab passwords, browser cookies, credit cards, and cryptocurrency wallet info.

To avoid these malicious ISO files, we strongly recommend only updating your system to Windows 11 through proven channels, namely Microsoft’s official Windows 11 update site and the “Windows Update” settings in your Control Panel.

That’s easier said than done. More than half of scanned PCs don’t meet the requirements for Windows 11, according to IT asset management platform provider Lansweeper (via Computerworld). As a result, users are searching for alternative options — the sort of search that could surface dangerous results. Our advice remains the same: if an upgrade is unavailable for your PC, fight the urge to sift through unofficial channels for a workaround — you could end up doing more harm than good.