# This fake Windows support website delivers password-stealing malware

Source: Malwarebytes Labs, published 2026-04-09 (feed ID MALWAREBYTES:F9A738F46D5B2849BEC7CCA17192FEE6). Original post: https://www.malwarebytes.com/blog/scams/2026/04/this-fake-windows-support-website-delivers-password-stealing-malware

A fake Microsoft support website is tricking people into downloading what looks like a normal Windows update. Instead, it installs malware designed to steal passwords, payment details, and account access. Because the file looks legitimate and avoids detection, it can slip past both users and security tools.

## **A very convincing Windows update**

We spotted the campaign at `microsoft-update[.]support`, a typosquatted domain dressed up to look like an official Microsoft support page. The site is written entirely in French (though these campaigns tend to spread quickly) and presents a fake cumulative update for Windows version 24H2, complete with a plausible KB article number. A large blue download button invites users to install the update.

![Fake Windows update site, translated into English from French.](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/EN-microsoft-update-fake-URL-SD.jpg?w=1024)

Fake Windows update site. Look at that convincing URL!

What gets downloaded is `WindowsUpdate 1.0.0.msi`, an 83 MB Windows Installer package. At first glance, everything looks legitimate. Its file properties are carefully spoofed: the Author field reads "Microsoft", the Title reads "Installation Database", and the Comments field claims it contains "the logic and data required to install WindowsUpdate". Those strings are free-form metadata in the MSI summary information stream; whoever builds the installer sets them, so they say nothing about who actually made the package.

The package was built with WiX Toolset 4.0.0.5512, a legitimate open-source installer framework, and was created on April 4, 2026.

![Fake Windows update delivers an infostealer](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/microsoft-update-fake-URL-installer-package-SD.png)

## **Why this campaign is targeting France**

The choice to target French-speaking users is not random. France has suffered a historic cascade of data breaches over the past two years, leaving a staggering volume of personal information circulating on criminal marketplaces. The breaches provide the raw data, and campaigns like this one turn that data into highly believable scams.

In October 2024, Free, France's second-largest internet service provider, confirmed that an attacker had accessed personal data for roughly 19 million subscriber contracts, including bank account details. Just weeks earlier, Société Française du Radiotéléphone (SFR) disclosed its own breach exposing customer names, addresses, phone numbers, and banking details.

Earlier in 2024, France Travail, the national public employment service, suffered an intrusion that compromised the records of 43 million people, covering current and past jobseekers spanning two decades. Researchers also discovered an unprotected Elasticsearch server aggregating 90 million records from at least 17 separate French breaches into a single database.

This torrent of leaked data has made France an attractive target for credential theft. KELA's 2025 infostealer research identified France among the top countries for victims, alongside Brazil, India, the US, Spain, the United Kingdom, and Indonesia.

When attackers already have a victim's name, address, and ISP from a previous leak, a French-language "Windows update" page becomes a far more convincing lure than a generic English one.

## **Electron on the outside, Python on the inside**

When the MSI executes, it installs an Electron application (essentially a stripped-down Chromium browser bundled with custom JavaScript) to `C:\Users\<USER>\AppData\Local\Programs\WindowsUpdate\`.

The main binary, `WindowsUpdate.exe`, is a renamed copy of the standard Electron shell; VirusTotal's metadata identifies it as `electron.exe`. Across 69 antivirus engines it drew zero detections, because the executable itself is clean. This suggests the malicious logic lives inside the Electron app's bundled JavaScript (typically packaged as `app.asar`).

Alongside the Electron shell sits `AppLauncher.vbs`, a Visual Basic Script that acts as the initial launcher. The system's built-in `cscript.exe` interpreter runs the VBS, which then starts the Electron app: a classic living-off-the-land technique that avoids launching the payload directly and keeps the execution chain looking routine in process logs.

But the Electron wrapper is only the outer layer. Once running, `WindowsUpdate.exe` spawns `_winhost.exe`, a renamed Python 3.10 interpreter disguised to resemble a legitimate Windows process. This process unpacks a full Python runtime into `C:\Users\<USER>\AppData\Local\Temp\WinGet\tools`, including `python.exe` and supporting libraries.

It then installs a set of Python packages commonly seen in data theft tools:

  * pycryptodome, used to encrypt stolen data
  * psutil, used to inspect running processes and detect sandbox environments
  * pywin32, which enables deep access to the Windows API
  * PythonForWindows, used to interact with system internals such as processes and privileges

Analysis of the Electron app's JavaScript confirms this. Two heavily obfuscated files, processed using techniques like control-flow flattening and opaque predicates, contain the core functionality.

The larger file (~7 MB) is the main stealer payload, with references to pbkdf2, sha256, and AES decryption routines, as well as a campaign expiry check. The smaller file (~1 MB) targets Discord: because Discord runs on Electron, the script modifies its code to intercept login tokens, payment details, and two-factor authentication changes when the app is opened.

Both files returned zero detections across major antivirus engines, the result of malware that hides inside legitimate software and heavily obfuscated code.

## **Two ways it survives a reboot**

The malware sets up two independent persistence mechanisms.

First, `reg.exe` writes a value called `SecurityHealth` under the user's `CurrentVersion\Run` registry key, pointing to `WindowsUpdate.exe`. The value name impersonates Windows Security Health, the service responsible for Defender notifications. It's something most users and even IT staff would scroll past without suspicion.

Second, `cscript.exe` drops a shortcut file named `Spotify.lnk` into the user's Startup folder. Anyone who notices it would likely assume Spotify had configured itself to launch at login.

Two persistence mechanisms, two different disguises, each designed to look like something the user would expect to see.

## **Fingerprinting the victim, phoning home, uploading the haul**

Within seconds of launching, `WindowsUpdate.exe` reaches out to `www.myexternalip.com` and `ip-api.com` to discover the victim's public IP address and geolocation. This kind of reconnaissance is a near-universal trait of infostealers: it tells the operator where the victim is, and it may determine what data gets collected.

The malware then contacts its command-and-control (C2) infrastructure. It reaches `datawebsync-lvmv.onrender[.]com`, a C2 endpoint hosted on Render, and `sync-service.system-telemetry.workers[.]dev`, a relay running on Cloudflare Workers. That second domain is particularly crafty: "system-telemetry" is exactly the kind of subdomain a network analyst might dismiss as legitimate monitoring traffic during a quick log review.

For exfiltration, the malware turns to `store8.gofile[.]io`, a file-sharing service that allows anonymous uploads. Gofile has become a favourite among commodity stealers because it is free, ephemeral, and produces no paper trail for the operator.

## **Hundreds of processes killed before breakfast**

Sandbox telemetry captured more than two hundred separate invocations of `taskkill.exe`, each launched as an individual process. While the specific target processes were not recorded in the condensed telemetry, the sheer volume and the pattern are consistent with infostealers that systematically terminate security tools, browser processes (to unlock credential databases), and competing malware before beginning their collection routine. Kill everything that might interfere, then get to work.

## **Why the automated defences gave it a pass**

At the time of analysis, VirusTotal showed zero detections across 69 engines for the main executable and 62 for the VBS launcher. No YARA rules matched, and behavioural scoring classified the activity as low risk.

This is not a failure of any single tool. It's the intended result of the malware's architecture.

The Electron shell is a legitimate binary used by millions of applications. The malicious logic is hidden inside obfuscated JavaScript, which traditional antivirus tools don't deeply inspect. The Python payload runs under a misleading process name and pulls in components at runtime from what appear to be normal sources.

Individually, each piece looks harmless. It's only when you follow the full chain (VBS launcher to Electron app to renamed Python process to data collection and exfiltration) that the activity becomes clearly malicious.

Since our analysis, we've added detections to protect users from this threat.

## **What this means and what to do next**

The combination of a localized phishing lure, a legitimately built MSI installer, an Electron wrapper, and a runtime-deployed Python payload shows how commodity stealers are evolving. Each layer serves a purpose: the MSI provides a familiar installation experience, the Electron shell helps the file appear clean, and the Python runtime gives flexible access to the operating system. The entire chain is built from off-the-shelf, legitimate components.

The targeting of French users follows a clear pattern. When tens of millions of personal records are already circulating, the cost of creating a convincing localized lure drops significantly. An attacker who already knows which provider a victim uses can tailor a phishing page to match what they expect to see, whether that's from their ISP or, in this case, Microsoft.

The most important takeaway is that a zero-detection VirusTotal result does not mean a file is safe. It often means the malicious logic is hidden, for example inside obfuscated scripts or delivered at runtime, leaving little for traditional detection methods to flag.

If you think you may have installed this update, here's what to do:

  * End the running malware first. In Task Manager, end `WindowsUpdate.exe` and `_winhost.exe` if they are listed; files that are in use cannot be deleted.
  * Check your registry key. To do this, press **Windows + R**, type `regedit`, and press Enter. Go to `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. Look for an entry named `SecurityHealth` pointing to `WindowsUpdate.exe` in your AppData folder, and delete it.
  * Look for a `Spotify.lnk` file in your Startup folder that you didn't create, and remove it.
  * Delete the folder `C:\Users\<USER>\AppData\Local\Programs\WindowsUpdate\`.
  * Clear the temporary files in `C:\Users\<USER>\AppData\Local\Temp\WinGet\tools\`.
  * Change all passwords stored in your browser; assume saved credentials, cookies, and session tokens may have been compromised.
  * Enable two-factor authentication, prioritizing email and financial accounts.
  * Run a full system scan with an up-to-date antimalware tool (ideally one with behavioural detection).

## **How to update Windows safely**

The safest way to update Windows is through the built-in update feature. Open **Start**, go to **Settings > Windows Update**, and click "Check for updates". This should always be your first port of call.

![Windows Update settings page](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/settings-windows-update.png?w=1024)

Microsoft does offer standalone update packages through the Microsoft Update Catalog (`catalog.update.microsoft.com`), but that is the only legitimate source for manual downloads of updates. Any other website offering a Windows update as a file should be treated as suspicious.

Be wary of pages that mimic Microsoft Support or Windows Update. These can look convincing, but the URL is what matters. Microsoft's support and update pages are served from hosts under **microsoft.com** (for example `support.microsoft.com` and `catalog.update.microsoft.com`). A domain like `microsoft-update[.]support` may look plausible, but it is not connected to Microsoft; neither is anything that merely contains "microsoft.com" somewhere inside a longer hostname.

If you receive an email, text, or notification urging you to install an urgent update, don't click the link. Instead, open **Settings > Windows Update** and check directly.

Finally, consider enabling automatic updates. This removes the need to download updates manually and reduces the chance of being tricked into installing a fake one.

## **Indicators of Compromise (IOCs)**

**File Hashes (SHA-256)**

  * `13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60` (`WindowsUpdate.exe`)
  * `c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650` (`AppLauncher.vbs`)

**Domains**

  * `microsoft-update[.]support` (phishing lure)
  * `datawebsync-lvmv[.]onrender[.]com` (C2)
  * `sync-service[.]system-telemetry[.]workers[.]dev` (C2 relay)
  * `store8[.]gofile[.]io` (exfiltration)
  * `www[.]myexternalip[.]com` (IP reconnaissance)
  * `ip-api[.]com` (geolocation)

**File System Artifacts**

  * `C:\Users\<USER>\AppData\Local\Programs\WindowsUpdate\WindowsUpdate.exe`
  * `C:\Users\<USER>\AppData\Local\Programs\WindowsUpdate\AppLauncher.vbs`
  * `C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk`
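The "Electron on the outside, Python on the inside" section points at the bundled `app.asar` as the place the stealer logic lives, and describes the two obfuscated JavaScript files by their size, their `_0x`-style control-flow-flattened code and their references to pbkdf2, sha256 and AES. The script below is an added example, not code from Malwarebytes or from the sample: it parses the asar container format (an 8-byte size pickle, a pickled JSON file table, then raw file data at offset `8 + header_size`) and scores each `.js` file on obfuscated-identifier density and stealer-related API strings. The archive it scans is constructed inline with a few kilobytes of stand-in JavaScript so that it runs offline; the thresholds `DENSITY_LIMIT` and `MARKER_LIMIT` are assumptions, not figures from the analysis.

```python
"""Inspect an Electron app.asar bundle for obfuscated JavaScript."""
import json
import re
import struct
import sys

# Lower-case markers the write-up ties to the payload (crypto routines, Discord
# token theft) plus the `_0x1a2f`-style identifiers javascript-obfuscator emits.
API_MARKERS = (b"pbkdf2", b"sha256", b"createdecipheriv", b"aes-256", b"discord", b"token")
HEX_IDENT = re.compile(rb"_0x[0-9a-f]{4,}")
DENSITY_LIMIT = 5      # assumed: hex identifiers per KiB above which a file is flagged
MARKER_LIMIT = 3       # assumed: distinct stealer-related API strings


def build_asar(files: dict) -> bytes:
    """Write a flat asar archive; used only to build the offline fixture."""
    table, body = {"files": {}}, b""
    for name, data in files.items():
        table["files"][name] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps(table).encode()
    padded = js + b"\0" * (-len(js) % 4)             # Pickle pads strings to 4 bytes
    header = struct.pack("<II", 4 + len(padded), len(js)) + padded
    return struct.pack("<II", 4, len(header)) + header + body


def parse_asar(blob: bytes) -> dict:
    """Return {path: bytes} for every packed file in an asar blob."""
    size_field, header_size = struct.unpack_from("<II", blob, 0)
    if size_field != 4:
        raise ValueError("not an asar archive")
    _, json_len = struct.unpack_from("<II", blob, 8)
    table = json.loads(blob[16:16 + json_len])
    base = 8 + header_size             # file offsets count from the end of the header
    out = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:
                walk(entry, prefix + name + "/")
            elif not entry.get("unpacked"):    # 'unpacked' entries live beside the asar
                off = base + int(entry["offset"])
                out[prefix + name] = blob[off:off + entry["size"]]

    walk(table, "")
    return out


def triage(files: dict) -> dict:
    """Score every .js file: size, obfuscated-identifier density, API markers."""
    report = {}
    for path, data in files.items():
        if not path.endswith(".js"):
            continue
        density = len(HEX_IDENT.findall(data)) / max(len(data) / 1024, 1)
        hits = [m.decode() for m in API_MARKERS if m in data.lower()]
        report[path] = {
            "size": len(data),
            "obf_density": round(density, 1),
            "markers": hits,
            "suspicious": density >= DENSITY_LIMIT or len(hits) >= MARKER_LIMIT,
        }
    return report


def sample_bundle() -> bytes:
    """Constructed fixture: one ordinary Electron module, one obfuscated stealer-like one."""
    clean = (b"const { app, BrowserWindow } = require('electron');\n"
             b"app.whenReady().then(() => new BrowserWindow({ width: 800 }).loadFile('index.html'));\n")
    filler = b"".join(b"var _0x%04x=_0x%04x['push'](_0x%04x);" % (i, i + 1, i + 2)
                      for i in range(0, 600, 3))
    dirty = (b"(function(_0x1a2f){var _0x3b4c=require('crypto');_0x3b4c['pbkdf2Sync'];"
             b"_0x3b4c['createDecipheriv']('aes-256-gcm');/*discord token*/" + filler + b"})();")
    return build_asar({"package.json": b'{"main":"main.js"}', "main.js": clean, "stealer.js": dirty})


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_bundle()
    for path, info in triage(parse_asar(blob)).items():
        print(f"{'!!' if info['suspicious'] else '  '} {path:30} {info}")
```

Run it with a path to a real `app.asar` (`resources\app.asar` under the application folder) to list the packed files and their scores, or with no argument to scan the fixture. `asar extract` from the Electron tooling does the same unpacking; the point of doing it by hand is that an analyst can pull the JavaScript out of a "clean" Electron binary without running it.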
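The sections on persistence, reconnaissance, the `taskkill.exe` storm and "Why the automated defences gave it a pass" all make the same point: no single step is damning, but the chain (cscript.exe launching an app from AppData, a renamed interpreter, a Run-key value pointing into AppData, a Startup shortcut, IP lookups followed by C2 DNS, a burst of kills) is. The following hunt script is an added example, not Malwarebytes' detection logic. It takes Sysmon-style events (process creation with the PE OriginalFileName, registry set-value, file create, DNS query), emits one finding per matching rule, and then asks how many distinct rules fired. The event records are constructed to mirror the write-up's chain plus some benign noise, and the burst threshold of 20 kills in 60 seconds is an assumption.

```python
"""Hunt for the VBS -> Electron -> renamed-Python chain in endpoint telemetry."""
from collections import defaultdict

# Defanged IOCs from the write-up, refanged for matching against DNS queries.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "microsoft-update[.]support", "datawebsync-lvmv[.]onrender[.]com",
    "sync-service[.]system-telemetry[.]workers[.]dev", "store8[.]gofile[.]io")}
RECON_DOMAINS = {"www.myexternalip.com", "ip-api.com"}
IMPERSONATED_RUN_NAMES = {"securityhealth"}          # names that mimic Windows components
USER_WRITABLE = ("\\appdata\\local\\programs\\", "\\appdata\\local\\temp\\")
TASKKILL_BURST, BURST_WINDOW = 20, 60.0               # assumed: 20 kills inside 60 s


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(s in path.lower() for s in USER_WRITABLE)


def hunt(events: list) -> list:
    """Return (rule, severity, detail) tuples for every event that matches a rule."""
    findings, kills = [], defaultdict(list)
    for e in events:
        kind = e["kind"]
        if kind == "process":
            image, parent = _base(e["image"]), _base(e.get("parent_image", ""))
            if parent == "cscript.exe" and _user_writable(e["image"]):
                findings.append(("script_launched_app", "medium", f"cscript.exe -> {image}"))
            orig = (e.get("original_filename") or "").lower()   # PE OriginalFileName
            if orig and orig != image and _user_writable(e["image"]):
                findings.append(("renamed_binary", "high", f"{image} is really {orig}"))
            if image == "taskkill.exe":
                kills[e["parent_pid"]].append(e["ts"])
        elif kind == "registry":
            key = e["key"].lower()
            if "\\currentversion\\run\\" in key and _user_writable(e["data"]):
                name = key.rsplit("\\", 1)[-1]
                sev = "high" if name in IMPERSONATED_RUN_NAMES else "medium"
                findings.append(("run_key_persistence", sev, f"{name} -> {e['data']}"))
        elif kind == "file":
            path = e["path"].lower()
            if path.endswith(".lnk") and "\\startup\\" in path:
                findings.append(("startup_lnk", "medium", f"{_base(e['image'])} wrote {e['path']}"))
        elif kind == "dns":
            q = e["query"].lower().rstrip(".")
            if q in IOC_DOMAINS:
                findings.append(("ioc_domain", "high", q))
            elif q in RECON_DOMAINS:
                findings.append(("ip_recon", "low", q))
    # Sliding window over taskkill launches per parent: a burst is the kill-everything phase.
    for pid, stamps in kills.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= TASKKILL_BURST:
                findings.append(("taskkill_burst", "high", f"{hi - lo + 1} kills from pid {pid}"))
                break
    return findings


def verdict(findings: list) -> str:
    """Each rule alone is noisy; several distinct ones on one host is the full chain."""
    rules = {r for r, _, _ in findings}
    if len(rules) >= 4 or {"renamed_binary", "ioc_domain"} <= rules:
        return "infostealer-chain"
    return "review" if rules else "clean"


def sample_events() -> list:
    """Constructed telemetry shaped like the write-up's chain, plus benign noise."""
    u = "C:\\Users\\alice\\AppData\\Local"
    cs, wu = "C:\\Windows\\System32\\cscript.exe", f"{u}\\Programs\\WindowsUpdate\\WindowsUpdate.exe"
    wh = f"{u}\\Temp\\WinGet\\tools\\_winhost.exe"
    ev = [
        {"kind": "process", "ts": 0.0, "pid": 400, "parent_pid": 300, "image": cs,
         "parent_image": "C:\\Windows\\System32\\msiexec.exe", "original_filename": "cscript.exe"},
        {"kind": "process", "ts": 0.5, "pid": 410, "parent_pid": 400, "image": wu,
         "parent_image": cs, "original_filename": "electron.exe"},
        {"kind": "process", "ts": 2.0, "pid": 420, "parent_pid": 410, "image": wh,
         "parent_image": wu, "original_filename": "python.exe"},
        {"kind": "registry", "ts": 3.0, "data": wu,
         "key": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"},
        {"kind": "file", "ts": 3.5, "image": cs, "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft"
         "\\Windows\\Start Menu\\Programs\\Startup\\Spotify.lnk"},
        {"kind": "dns", "ts": 4.0, "query": "ip-api.com"},
        {"kind": "dns", "ts": 4.2, "query": "datawebsync-lvmv.onrender.com"},
        {"kind": "process", "ts": 9.0, "pid": 500, "parent_pid": 1, "original_filename": "chrome.exe",
         "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "parent_image": "C:\\Windows\\explorer.exe"},          # benign
        {"kind": "dns", "ts": 9.1, "query": "www.microsoft.com"},  # benign
    ]
    ev += [{"kind": "process", "ts": 5.0 + i * 0.2, "pid": 600 + i, "parent_pid": 420, "parent_image": wh,
            "image": "C:\\Windows\\System32\\taskkill.exe"} for i in range(25)]
    return ev
```

The `renamed_binary` rule is the one worth copying into a real SIEM query: Sysmon event 1 carries the PE `OriginalFileName`, and a process in `%LOCALAPPDATA%\Temp` whose on-disk name differs from it (here `_winhost.exe` reporting `python.exe`, and `WindowsUpdate.exe` reporting `electron.exe`) is a far stronger signal than any hash, because it survives recompilation of the JavaScript payload.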
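The "How to update Windows safely" section says the URL is what matters and that `microsoft-update[.]support` is not Microsoft. The check below is an added example, not Malwarebytes' code, showing how to make that decision mechanically without the classic mistakes: substring matching (which accepts `microsoft.com.evil.net` and `notmicrosoft.com`), trusting userinfo (`https://microsoft.com@attacker/`), and Unicode look-alike hostnames. The trusted suffix list is limited to `microsoft.com` because that is the only domain the write-up names; the test URLs are constructed.

```python
"""Decide whether a URL offering a "Windows update" is served from a Microsoft host."""
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("microsoft.com",)   # assumption: only the domain the write-up names


def hostname(url: str) -> str:
    """Extract the real host: scheme, userinfo, port, path and trailing dot are dropped."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname          # already lower-cased, userinfo and port removed
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        host = host.encode("idna").decode("ascii")   # Unicode look-alikes become xn-- labels
    except UnicodeError as exc:
        raise ValueError(f"undecodable host in {url!r}") from exc
    return host.rstrip(".")


def is_trusted(url: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """True only when the host is a trusted domain or a subdomain of one.

    Matching on the label boundary ('.' + suffix) is what rejects
    microsoft.com.update-portal.net and notmicrosoft.com; a plain
    'microsoft.com' in host test would accept both."""
    try:
        host = hostname(url)
    except ValueError:
        return False
    return any(host == s or host.endswith("." + s) for s in suffixes)


if __name__ == "__main__":
    for u in ("https://support.microsoft.com/en-us/windows",
              "https://microsoft-update.support/update/kb",
              "https://microsoft.com@microsoft-update.support/download"):
        print("trusted  " if is_trusted(u) else "SUSPECT  ", u)
```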