When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Beware: Microsoft lookalike fake Windows 11 download website unsurprisingly downloads virus

Neowin · with 24 comments

Windows logo against red circular shapes and a dark background

Ever since Windows 11 was first announced back in June of 2021, there have been many campaigns aimed at duping people into downloading fake malicious Windows 11 installers. While that activity seemed to die down for a while, it looks like it is back again and this time, the situation is probably much deadlier.

That's because Windows 11 back then was not available to the public but only to Insiders, who are presumably more tech-savvy and informed. However, Windows 11 has since been generally available making it a dangerous scenario nowadays.

A new malware campaign of similar nature was discovered by CloudSEK cybersecurity firm as it noticed a new impostor website that looks like Microsoft's, but in reality, distributes files containing what the researchers are calling "Inno Stealer" malware due to the use of Inno Setup Windows installer. This is a novel stealer malware as no similar sample was found on Virus Total.

The malicious website's URL is "windows11-upgrade11[.]com" and it appears that the threat actors of the Inno Stealer campaign took a page from another similar malware campaign a couple of months ago which was using the same trick to fool potential victims. The last one was already taken down at the time of reporting but the new one is still up so it is advised to readers to trade carefully.

Fake Windows 11 download website

CloudSEK says that upon downloading the infected ISO, multiple processes are run in the background to neutralize an infected user's system. It creates Windows Command Scripts to disable Registry security, adds Defender exceptions, uninstalls security products, and deletes shadow volumes.

Finally, an .SCR file is created which is the one which actually delivers the malicious payload, in this case, the novel Inno Stealer malware in the following directory of a compromised system:

C:\Users\\AppData\Roaming\Windows11InstallationAssistant

The name of the malware payload file is "Windows11InstallationAssistant.scr".

Here is the entire process explained in a diagram:

Inno Stealer targets

CloudSEK has identified the following targets, including browsers and crypto wallets, that the Inno info stealer malware is after. These are shown in the image below. First up we have the browsers followed by the crypto wallets:

Inno Stealer targets

Here is the official link to download Windows from the real Microsoft website. You can also follow reputed news websites like Neowin, among others, as we often link to official Microsoft ISO download pages when they are released by the Redmond firm.

Source and images: CloudSEK via BleepingComputer

Report a problem with article
An infographic containing silhouettes of people at the bottom and icons for their digital activities
Next Article

Scraping data from websites is not hacking or a crime, rules Appeals Court in US

linux ebooks
Previous Article

Pay What You Want for this Linux eBook Bundle by Packt

Join the conversation!

Login or Sign Up to read and post a comment.

24 Comments - Add comment