Windows 10 malware steals your passwords disguised as a Windows 11 upgrade

HP has discovered fake Windows 11 install versions targeting Windows 10 users to download and run RedLine stealer malware. We have already published this malware that is created to hijack and steal passwords and cookies from our browsers and in recent months it has arrived inside password managers and hidden in information from the Omicron variant of Covid.


Researchers from HP, the company that has made this information public, say that the beginning of these attacks coincided with the moment when Microsoft announced the extension of the Windows 11 deployment phase, a few days ago, “so the attackers were well prepared for this move and waited for the right moment to maximize the success of their operation,” according to HP.


You might be interested in 2018-11 update for windows 10 version 1803 for x64-based systems (kb4023057) – error 0x80070643


Have I Been Pwned integrates over 220 million new pieces of data: so you can see if your password was stolen in a recent breach

RedLine stealer is currently the most widespread hijacker for passwords, browser cookies, credit cards and cryptocurrency wallets out there. According to the researchers, the hackers used a real-looking URL: “windows-upgraded.com” (as you can see in the cover photo) to distribute their malware.

Ransomware: what it is, how it infects and how to protect yourself

This is how it infects users

A Windows 10 user receives a notification to download Windows 11 and they can access “windows-upgraded.com” with it. If you click the “Download Now” button, you receive a 1.5 MB ZIP file called “Windows11InstallationAssistant.zip”, obtained directly from a Discord CDN. Unzipping the file results in a 753MB folder.

When the victim launches the executable in the folder, an encrypted PowerShell process is started. Next, a cmd.exe process is launched, it waits a few seconds, and after that, a .jpg file is obtained from a remote web server. “This file contains a DLL with contents arranged backwards, possibly to evade detection and analysis,” experts say.

Microsoft says Windows 11 is the best-received Windows ever, but offers no data to prove it

Finally, the initial process loads the DLL, which is a RedLine Stealer payload that connects to the command and control server via TCP to get instructions on what malicious tasks it has to run next on the system that is now compromised.

Researchers have discovered that this distribution site is now down, but they say it doesn’t seem difficult that it would be possible to create a new domain and restart a similar campaign. Windows 11 is a software update from Microsoft that many Windows 10 users cannot easily obtain through official distribution channels due to hardware incompatibilities.