Emerging Threat: Typosquatted Domain Mimics Microsoft Support
Malwarebytes has reported a campaign built around a typosquatted domain that closely mimics Microsoft's official support pages. The site reuses Microsoft branding and KB-style reference numbers, and presents visitors with what looks like a legitimate cumulative update download page, complete with progress bars and the familiar design elements of the real site.
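A lookalike-domain check like the one below is how a defender turns "closely mimicking official Microsoft support pages" into something that can be run against proxy or mail logs. This is an added example, not code from the Malwarebytes report or from Microsoft: the brand allowlist, the homoglyph table (rn to m, vv to w, 0 to o, 1 to l), the edit-distance threshold and the sample URLs are all assumptions constructed for illustration, and the "registrable domain is the last two labels" rule is a simplification that ignores multi-part public suffixes such as co.uk.

```powershell
# Added example, not from the Malwarebytes report: flag hostnames that are near-misses
# of a brand domain. Brand list, homoglyph table and distance threshold are assumptions.

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance via the standard dynamic-programming table.
    $m = $A.Length; $n = $B.Length
    $d = New-Object 'int[,]' -ArgumentList ($m + 1), ($n + 1)
    for ($i = 0; $i -le $m; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $n; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $m; $i++) {
        for ($j = 1; $j -le $n; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$m, $n]
}

function Test-LookalikeDomain {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$BrandDomains = @('microsoft.com'),   # assumed allowlist of genuine domains
        [int]$MaxDistance = 2                            # assumed threshold
    )
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()
    # Undo common glyph swaps before comparing, so rnicrosoft and micr0soft collapse to microsoft.
    $normalizedHost = $hostName -replace 'rn', 'm' -replace 'vv', 'w' -replace '0', 'o' -replace '1', 'l'
    # Registrable domain = last two labels (simplification: ignores suffixes such as co.uk).
    $registrable = ($hostName.Split('.') | Select-Object -Last 2) -join '.'
    $normalized  = ($normalizedHost.Split('.') | Select-Object -Last 2) -join '.'

    foreach ($brand in $BrandDomains) {
        $brandName = $brand.Split('.')[0]
        if ($registrable -eq $brand) {
            return [pscustomobject]@{ Host = $hostName; Verdict = 'Legitimate'; Reason = "registrable domain is $brand" }
        }
        $distance = Get-EditDistance $normalized $brand
        if ($distance -le $MaxDistance) {
            return [pscustomobject]@{ Host = $hostName; Verdict = 'Lookalike'; Reason = "$registrable is $distance edit(s) from $brand after homoglyph normalization" }
        }
        if ($normalizedHost -like "*$brandName*") {
            return [pscustomobject]@{ Host = $hostName; Verdict = 'Lookalike'; Reason = "contains '$brandName' but is not registered under $brand" }
        }
    }
    return [pscustomobject]@{ Host = $hostName; Verdict = 'Unknown'; Reason = 'no brand match' }
}

# Constructed sample URLs (not real indicators): one genuine host and three lookalikes.
'https://support.microsoft.com/windows',
'https://rnicrosoft.com/update',
'https://micros0ft-support.com/cumulative-update',
'https://microsoft.com.update-center.example/download' |
    ForEach-Object { Test-LookalikeDomain $_ } | Format-Table -AutoSize
```

The first URL resolves to the registrable domain microsoft.com and is reported as Legitimate; the second collapses to microsoft.com after the rn-to-m swap and is flagged at distance 0; the third and fourth carry the brand name inside a hostname that is not registered under microsoft.com, which is the shape of a support-page typosquat. Because the check works from an allowlist, genuine Microsoft properties on other domains will also be flagged until you add them to $BrandDomains.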
Researchers note that the installer was built with legitimate packaging tools, which helps it slip past security software at first contact. Once executed, it deploys an Electron-based application together with background scripts that quietly fetch and run additional payloads without the user noticing.
Rather than damaging the host, this strain operates as an information stealer. It harvests passwords saved in browsers along with active browser session data; with a stolen session cookie an attacker can resume an already-authenticated session and is never prompted for the second factor, which is how it sidesteps two-factor authentication on online services. The stolen credentials and session data are sent over encrypted channels to external command-and-control servers, which makes the exfiltration harder to spot on the network.
Early scans showed zero detections across multiple antivirus engines. The evasion comes from concealing the malicious logic in obfuscated scripts layered inside otherwise legitimate-looking software components. The malware also modifies system startup entries and drops disguised shortcuts in system folders so that it survives reboots.
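Startup entries and disguised shortcuts are the part of this campaign a responder can hunt for directly, and the point of resolving each shortcut is that a .lnk named to look like a Windows component is judged by where it actually points, not by its name. The script below is an added example and is not from the Malwarebytes report: it lists Run/RunOnce values in HKCU and HKLM plus the per-user and common Startup folders, resolves shortcut targets through the WScript.Shell COM object, and flags anything whose command line lands in a commonly abused writable path (%APPDATA%, %LOCALAPPDATA%, %TEMP%, ProgramData, Public) or runs through a script host. Those heuristics are assumptions for illustration, not indicators published for this campaign.

```powershell
# Added example, not from the Malwarebytes report: triage autostart entries and Startup-folder
# shortcuts. The "suspicious" heuristics are assumptions, not campaign indicators.

$abusedRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
$scriptHosts = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-SuspicionReasons {
    param([string]$Command)
    $reasons = @()
    if (-not $Command) { return $reasons }
    $lower = $Command.ToLowerInvariant()
    foreach ($root in $abusedRoots) {
        if ($lower.Contains($root)) { $reasons += "target under $root"; break }
    }
    foreach ($exe in $scriptHosts) {
        if ($lower.Contains($exe)) { $reasons += "runs via $exe"; break }
    }
    if ($lower -match '\.(js|vbs|bat|cmd|ps1|hta)\b') { $reasons += 'script file in command line' }
    return $reasons
}

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }   # skip the provider's own metadata
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-StartupItems {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            $command = $file.FullName
            if ($file.Extension -eq '.lnk') {
                # Resolve the shortcut so a disguised .lnk is judged by its real target, not its name.
                $lnk = $shell.CreateShortcut($file.FullName)
                $command = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
            }
            [pscustomobject]@{ Source = $folder; Name = $file.Name; Command = $command }
        }
    }
}

function Invoke-StartupTriage {
    foreach ($entry in @(Get-RunKeyEntries) + @(Get-StartupItems)) {
        $reasons = @(Get-SuspicionReasons $entry.Command)
        [pscustomobject]@{
            Suspicious = $reasons.Count -gt 0
            Source     = $entry.Source
            Name       = $entry.Name
            Command    = $entry.Command
            Reasons    = $reasons -join '; '
        }
    }
}

Invoke-StartupTriage | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than a verdict: many legitimate Electron applications install under %LOCALAPPDATA% and register a Run value there, so expect benign hits, and compare each flagged target against what you know was installed on the machine. The script covers only Run keys and Startup folders; scheduled tasks, services and WMI subscriptions need their own pass.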
As of April 2026, Microsoft still stages each Windows 11 feature update, 24H2 included, through the Insider Program before a gradual mainstream rollout via Windows Update. Whatever stage a given update has reached, legitimate copies come only from Windows Update and Microsoft's own download pages, never from third-party websites promising early access or special features.
Security experts therefore advise treating any website offering full 24H2 downloads as suspicious. Obtain updates only through official Microsoft channels, and keep Windows Security features current, including Defender Antivirus and SmartScreen, for baseline protection against known malware variants.
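One concrete check behind that advice, and a caveat to the earlier point about legitimate packaging tools: an installer built with a reputable packager can carry a perfectly valid Authenticode signature from that packager's publisher, so "signed" on its own proves nothing about a supposed Microsoft update. The function below is an added example, not code from the report or from Microsoft; it accepts a package only when the signature is valid and the signer's subject names Microsoft Corporation as the organisation. The O=Microsoft Corporation subject match is an assumption about how to identify the signer, not a documented Microsoft rule.

```powershell
# Added example, not from the Malwarebytes report: refuse to treat a downloaded "update"
# as genuine unless its Authenticode signature is valid and the signer is Microsoft.
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # Assumption: a Microsoft-signed binary carries O=Microsoft Corporation in the signer subject.
    # A Valid status with some other organisation means "signed by someone", not "from Microsoft".
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $subject
        Trusted = $isMicrosoft
    }
}

# Usage against a file you were about to run; the path is a placeholder, not a real indicator.
Test-MicrosoftSigned -Path "$env:USERPROFILE\Downloads\cumulative-update.exe"
```

A HashMismatch status means the file was altered after signing; NotSigned means no signature at all; and a Valid status with a Signer other than Microsoft is exactly the case this campaign relies on, where a legitimately signed wrapper carries the malicious scripts inside.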