Cybersecurity firm Malwarebytes has unveiled a concerning discovery: a counterfeit Windows support site purporting to offer a “cumulative update” for Windows 11 24H2. At first glance, the page and its associated file may appear innocuous, but a deeper investigation reveals a more sinister intent.
Upon clicking the “Download Update” button, users unwittingly download an 83MB package designed to compromise sensitive information, including passwords, payment details, and account access. This deceptive package is constructed using WiX Toolset 4.0.0.5512, a legitimate open-source installer, lending it an air of authenticity.
The file, named WindowsUpdate 1.0.0.msi, misleadingly lists Microsoft in the installer's Author field, while its name field reads “Installation Database.” The package's Comments field claims that it contains the “logic and data required to install WindowsUpdate.”
Detection Challenges
In its analysis, Malwarebytes noted that VirusTotal reported zero detections across 69 engines for the main executable and 62 for the VBS launcher. No YARA rules matched, and behavioral scoring categorized the activity as low risk. This highlights a critical point: it is the malware's architecture, rather than any single component, that defeats detection.
“This is not a failure of any single tool. It’s the intended result of the malware’s architecture. The Electron shell is a legitimate binary used by millions of applications. The malicious logic is hidden inside obfuscated JavaScript, which traditional antivirus tools don’t deeply inspect. The Python payload runs under a misleading process name and pulls in components at runtime from what appear to be normal sources,”
the company elaborated on the complexities of identifying such malware.
“Individually, each piece looks harmless. It’s only when you follow the full chain — VBS launcher to Electron app to renamed Python process to data collection and exfiltration — that the activity becomes clearly malicious.”
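The statement above makes a concrete detection suggestion: the individual stages look benign, so a defender has to correlate them. The following added example (not code from Malwarebytes or from the article) shows one way to do that over process-creation telemetry. It flags an interpreter whose PE version resource says OriginalFileName python.exe but which runs under a different image name, and then walks the parent chain to see whether a Windows script host (the VBS launcher stage) sits above it. All event data, paths, and file names below are constructed for the demonstration and are not indicators from the real sample; the event schema is this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Process-creation events as a SIEM might normalise them from Sysmon Event ID 1
# or EDR telemetry. The field names are this example's own, not a vendor schema.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the executable as launched
    original_name: str  # OriginalFileName from the PE version resource ("" if absent)

# Constructed sample telemetry modelled on the chain the article describes
# (VBS launcher -> Electron app -> renamed Python interpreter). Every path and
# file name here is illustrative, not an indicator from the real sample.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "EXPLORER.EXE"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\wscript.exe", "wscript.exe"),
    ProcEvent(1300, 1200, r"C:\Users\u\AppData\Local\UpdateApp\UpdateApp.exe", "electron.exe"),
    ProcEvent(1400, 1300, r"C:\Users\u\AppData\Local\UpdateApp\svc\WinUpdHelper.exe", "python.exe"),
    # Benign control: a real interpreter started from a shell; image and original name agree.
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe", "Cmd.Exe"),
    ProcEvent(2100, 2000, r"C:\Python312\python.exe", "python.exe"),
]

INTERPRETERS = {"python.exe", "pythonw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_renamed(ev: ProcEvent) -> bool:
    """True when the PE says it is one binary but runs under another file name."""
    return bool(ev.original_name) and basename(ev.image) != ev.original_name.lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain from ev upward; stops at an unknown pid or on a cycle."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def find_renamed_interpreters(events: List[ProcEvent]) -> List[dict]:
    """Flag interpreters running under a misleading name and record whether a
    Windows script host (the VBS launcher stage) appears in their ancestry."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.original_name.lower() not in INTERPRETERS or not is_renamed(ev):
            continue
        chain = ancestry(ev, by_pid)
        hits.append({
            "pid": ev.pid,
            "image": ev.image,
            "claims_to_be": ev.original_name.lower(),
            "script_host_in_chain": any(basename(a.image) in SCRIPT_HOSTS for a in chain),
            "chain": [basename(a.image) for a in chain],
        })
    return hits


if __name__ == "__main__":
    for hit in find_renamed_interpreters(SAMPLE_EVENTS):
        print(hit)
```

Note that the Electron stage in the sample also reports a different OriginalFileName (electron.exe) from its image name; that is normal for packaged Electron applications and is deliberately not flagged on its own. The renamed interpreter is the stronger signal, and a script host in its ancestry is what turns a curiosity into an alert worth triaging.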
The website's hostname is microsoft-update.support, a subtle yet significant deviation from Microsoft's legitimate technical support address, support.microsoft.com: the registrable domain is microsoft-update.support, which has no relationship to microsoft.com. In response to this threat, Malwarebytes has added the malicious site to its malware detection database, reinforcing the importance of vigilance in the face of increasingly sophisticated cyber threats.
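The lookalike relies on readers seeing the brand name and not noticing which part of the hostname the registrant actually controls. The added example below (not code from the article or from Malwarebytes) makes that distinction mechanical: it extracts the registrable domain (eTLD+1), checks it against an assumed allowlist of brand-owned domains, and otherwise flags any host that still carries the brand token. The multi-label suffix set and the allowlist are constructed stand-ins for this demonstration; production code would use the Public Suffix List (for example via the tldextract package) and the organisation's own allowlist. The two hosts named in the article are included as inputs alongside constructed variants of the same trick.

```python
from urllib.parse import urlparse

# Two-label public suffixes. This small set is a constructed stand-in;
# real deployments should consult the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Registrable domains actually operated by the impersonated brand (assumed allowlist).
TRUSTED_REGISTRABLE = {"microsoft.com"}

# Tokens whose presence in a non-allowlisted host suggests brand impersonation.
BRAND_TOKENS = ("microsoft", "windows")


def hostname_of(url_or_host: str) -> str:
    """Accept a full URL or a bare host name; return the lower-cased host."""
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    return (urlparse(url_or_host).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The portion of a host name that a registrant controls (eTLD+1)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url_or_host: str) -> dict:
    """Triage verdict: trusted, brand-lookalike, or unrelated."""
    host = hostname_of(url_or_host)
    reg = registrable_domain(host)
    if reg in TRUSTED_REGISTRABLE:
        verdict = "trusted"
    elif any(tok in host for tok in BRAND_TOKENS):
        # Brand appears somewhere in the host, but the controlling domain is not the brand's.
        verdict = "brand-lookalike"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable": reg, "verdict": verdict}


# Constructed inputs: the two hosts from the article plus variants of the same
# technique (brand placed in a subdomain; brand plus hyphen under a ccTLD suffix).
SAMPLES = [
    "https://support.microsoft.com/en-us/windows",
    "https://microsoft-update.support/download",
    "windows.microsoft.com.example-cdn.test",
    "http://support-microsoft.co.uk/",
    "https://example.org/updates",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The verdict is a triage signal rather than a blocking decision: legitimate third-party sites can carry a brand token in their name, so "brand-lookalike" should route a URL to review or to a reputation lookup, while "trusted" is only as good as the allowlist behind it.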