Fake Windows 11 installers download RedLine malware onto computers

Written by Emma Davis

Cybercriminals have begun using fake Windows 11 installers to lure users who want to upgrade from the previous version of the operating system, Windows 10.

In fact, victims receive the RedLine malware on their computers, which steals their data. The RedLine operators' campaign started immediately after Microsoft announced the wide rollout of Windows 11. It is notable that the attackers were well prepared and were simply waiting for the right moment.

RedLine currently holds the lead among information-stealing malware. It targets passwords, cookies, bank card data and cryptocurrency wallets. As of October 2021, for example, RedLine was the main supplier of stolen information to dark web forums.

As researchers from HP found out, the attackers use the seemingly legitimate domain “windows-upgraded.com” in the campaign. The site itself looks like the official Microsoft website, complete with a “Download Now” button.

“Whoever is behind this attack has put a lot of careful thought into it. For one, Windows 11 is the latest OS upgrade from Microsoft, one that heavily depends on the hardware specs of the device. As such, it is not available to all Windows 10 users through the OS’ system upgrade feature. The malicious actors have taken advantage of this fact, setting up new domains that impersonate Microsoft,” cybersecurity researchers from HP say.

If the user clicks the “Download Now” button, a 1.5 MB ZIP file named “Windows11InstallationAssistant.zip” is downloaded to the computer. When opened, the archive expands to a 753 MB directory, an impressive compression ratio of 99.8%. As soon as the user launches the executable file from this folder, a PowerShell process with an encrypted argument is started automatically.

Next, cmd.exe starts and fetches a .jpg file stored on a remote server. This file contains a DLL whose contents are stored in reverse order; experts believe the attackers use this technique to evade detection and analysis.

In the final phase of the infection, the DLL is loaded, and that DLL is RedLine itself. The malware connects to its C&C server over TCP and receives instructions.
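Two triage checks suggested by the chain above, added here as an example and not code from the original article or from HP's research: flag ZIP members with an extreme compression ratio (the padding trick behind the 99.8% figure) and recognise a payload that is a byte-reversed PE file. The sample archive and the fake PE it contains are constructed in the code; the 0.99 threshold is an assumption for this example.

```python
"""Triage helpers for two evasion tricks: a ZIP member padded to an extreme
compression ratio, and a PE payload stored with its bytes in reverse order."""
import io
import struct
import zipfile

# Assumed threshold for this example; the lure described on the page hits 99.8%.
SUSPICIOUS_RATIO = 0.99


def inflated_members(zip_bytes: bytes, threshold: float = SUSPICIOUS_RATIO):
    """Return (name, compressed, uncompressed, ratio) for members whose
    compression ratio (1 - compressed/uncompressed) exceeds the threshold."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size == 0:
                continue
            ratio = 1 - info.compress_size / info.file_size
            if ratio > threshold:
                hits.append((info.filename, info.compress_size, info.file_size, round(ratio, 4)))
    return hits


def extract_member(zip_bytes: bytes, name: str) -> bytes:
    """Read one member's raw bytes out of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def is_reversed_pe(blob: bytes) -> bool:
    """True when the blob read backwards is a PE image: it then starts with
    'MZ' and e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[-2:] != b"ZM":
        return False
    data = blob[::-1]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample() -> bytes:
    """Constructed fixture (not the real lure): a minimal fake PE padded with
    2 MB of zeros, zipped beside an ordinary text file."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to e_lfanew
    pe += struct.pack("<I", 0x80)                # e_lfanew -> 0x80
    pe += b"\x00" * (0x80 - len(pe))
    pe += b"PE\x00\x00" + b"\x00" * (2 * 1024 * 1024)  # signature + padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Windows11InstallationAssistant.exe", bytes(pe))
        zf.writestr("readme.txt", "Windows 11 Installation Assistant")
    return buf.getvalue()
```

Running `inflated_members(build_sample())` flags only the padded executable; `is_reversed_pe` is meant for the blob fetched as a .jpg, before any attempt to load it.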

Experts advise being extremely careful when downloading Windows 11 images or the corresponding upgrade. It is always best to trust the official update procedure. See also our guide: How to install Windows 11?

As a reminder, we also wrote that the Windows 11 update fixes a performance issue for AMD processors.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
