This fake Windows support website delivers password-stealing malware

April 9, 2026

A sophisticated phishing campaign has emerged, utilizing a counterfeit Microsoft support website to deceive users into downloading what appears to be a standard Windows update. However, this seemingly innocuous file is, in fact, a conduit for malware designed to harvest sensitive information such as passwords, payment details, and account access. The file's legitimate-looking packaging lets it pass unnoticed by users and security tools alike.

A very convincing Windows update

The campaign was identified at microsoft-update[.]support, a cleverly crafted typosquatted domain that mimics an official Microsoft support page. The site is entirely in French, reflecting a targeted approach, and promotes a fake cumulative update for Windows version 24H2, complete with a plausible KB article number. A prominent blue download button encourages users to install the update.

Upon downloading, users receive WindowsUpdate 1.0.0.msi, an 83 MB Windows Installer package. At first glance, the file appears legitimate, with properties that have been meticulously spoofed: the Author field lists “Microsoft,” the title reads “Installation Database,” and the Comments field claims it contains “the logic and data required to install WindowsUpdate.”

This package was constructed using WiX Toolset 4.0.0.5512, an open-source installer framework, and was created on April 4, 2026.

Why this campaign is targeting France

The decision to focus on French-speaking users is strategic. France has experienced a significant number of data breaches over the past two years, resulting in a vast amount of personal information circulating in criminal marketplaces. These breaches provide attackers with the raw data needed to craft highly believable scams.

In October 2024, Free, France’s second-largest internet service provider, confirmed that an attacker had accessed personal data for approximately 19 million subscriber contracts, including bank account details. Just weeks prior, Société Française du Radiotéléphone (SFR) revealed its own breach, exposing customer names, addresses, phone numbers, and banking information.

Earlier in 2024, France Travail, the national public employment service, suffered a breach that compromised the records of 43 million individuals, covering current and past jobseekers over two decades. Additionally, researchers uncovered an unsecured Elasticsearch server aggregating 90 million records from at least 17 separate French breaches.

This flood of leaked data has made France a prime target for credential theft. KELA’s 2025 infostealer research identified France among the top countries for victims, alongside Brazil, India, the US, Spain, the United Kingdom, and Indonesia. When attackers possess a victim’s name, address, and ISP from prior leaks, a French-language “Windows update” page becomes a far more convincing lure than a generic English version.

Electron on the outside, Python on the inside

When the MSI file executes, it installs an Electron application—a lightweight Chromium browser bundled with custom JavaScript—into C:\Users\<username>\AppData\Local\Programs\WindowsUpdate. The main binary, WindowsUpdate.exe, is a renamed copy of the standard Electron shell, which VirusTotal’s metadata identifies as electron.exe. Across 69 antivirus engines, it received zero detections, indicating that the executable itself is clean. This suggests that the malicious logic resides within the Electron app’s bundled JavaScript, typically packaged as app.asar.

Accompanying the Electron shell is AppLauncher.vbs, a Visual Basic Script that serves as the initial launcher. The system’s built-in cscript.exe interpreter executes the VBS, which subsequently launches the Electron app—a classic living-off-the-land technique that avoids direct payload execution and maintains a routine appearance in process logs.

However, the Electron wrapper is merely the outer layer. Once operational, WindowsUpdate.exe spawns _winhost.exe, a renamed Python 3.10 interpreter disguised as a legitimate Windows process. This process unpacks a full Python runtime into C:\Users\<username>\AppData\Local\Temp\WinGettools, including python.exe and supporting libraries.

It then installs a suite of Python packages commonly associated with data theft tools:

  • pycryptodome, used for encrypting stolen data
  • psutil, utilized to inspect running processes and detect sandbox environments
  • pywin32, which enables deep access to the Windows API
  • PythonForWindows, used to interact with system internals such as processes and privileges

Analysis of the Electron app’s JavaScript reveals two heavily obfuscated files, protected with techniques such as control-flow flattening and opaque predicates, that contain the core functionality. The larger file (~7 MB) serves as the primary stealer payload, referencing pbkdf2, sha256, and AES decryption routines, along with a campaign expiry check. The smaller file (~1 MB) targets Discord, modifying its code to intercept login tokens, payment details, and two-factor authentication changes when the app is opened.

Both files returned zero detections across major antivirus engines, illustrating how malware can conceal itself within legitimate software and utilize heavily obfuscated code.

Two ways it survives a reboot

The malware employs two independent persistence mechanisms. First, reg.exe writes a value called SecurityHealth under the user’s CurrentVersion\Run registry key, pointing to WindowsUpdate.exe. This value name masquerades as Windows Security Health, the service responsible for Defender notifications, something most users and even IT personnel would overlook.

Second, cscript.exe creates a shortcut file named Spotify.lnk in the user’s Startup folder. Anyone who notices it might assume Spotify configured itself to launch at login.

These two persistence mechanisms, each disguised as something users would expect to see, enhance the malware's longevity.

Fingerprinting the victim, phoning home, uploading the haul

Within moments of launching, WindowsUpdate.exe connects to www.myexternalip.com and ip-api.com to ascertain the victim’s public IP address and geolocation. This reconnaissance is a common trait among infostealers, providing the operator with the victim's location and potentially influencing the type of data collected.

The malware subsequently contacts its command-and-control (C2) infrastructure, reaching out to datawebsync-lvmv.onrender[.]com, a C2 endpoint hosted on Render, and sync-service.system-telemetry.workers[.]dev, a relay operating on Cloudflare Workers. The latter domain is particularly insidious; “system-telemetry” is the kind of subdomain a network analyst might dismiss as legitimate monitoring traffic during a cursory log review.

For data exfiltration, the malware utilizes store8.gofile[.]io, a file-sharing service that facilitates anonymous uploads. Gofile has become a preferred choice among commodity stealers due to its ephemeral nature and lack of a paper trail for operators.

Hundreds of processes killed before breakfast

Sandbox telemetry captured over two hundred separate invocations of taskkill.exe, each executed as an individual process. While the specific target processes were not recorded in the condensed telemetry, the sheer volume and pattern align with infostealers that systematically terminate security tools, browser processes (to unlock credential databases), and competing malware before initiating their collection routine. The strategy is clear: eliminate anything that might interfere, then proceed with the task at hand.

Why the automated defenses gave it a pass

At the time of analysis, VirusTotal reported zero detections across 69 engines for the main executable and 62 for the VBS launcher. No YARA rules matched, and behavioral scoring classified the activity as low risk. This outcome is not indicative of a failure of any single tool; rather, it reflects the intended design of the malware.

The Electron shell is a legitimate binary utilized by millions of applications. The malicious logic is concealed within obfuscated JavaScript, which traditional antivirus tools often overlook. The Python payload operates under a misleading process name and dynamically pulls in components from seemingly normal sources.

Individually, each component appears harmless. It is only when one traces the entire chain—from VBS launcher to Electron app to renamed Python process to data collection and exfiltration—that the malicious nature becomes evident.
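As an added illustration of tracing that chain (example code written for this page, not from the article or any vendor tool), the following Python routine scores constructed Sysmon-like events for the behaviours described above: the cscript.exe launch of AppLauncher.vbs, the renamed Python process, the SecurityHealth Run value, the Spotify.lnk Startup shortcut, DNS lookups of the listed C2 domains, and the taskkill burst. The event schema, the sample user name, the location of _winhost.exe and the burst threshold of 50 are assumptions.

```python
# Added example, not from the article. Refanged from the defanged domains the
# article lists; event fields below are a constructed Sysmon-like schema.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "datawebsync-lvmv[.]onrender[.]com",
    "sync-service[.]system-telemetry[.]workers[.]dev",
    "store8[.]gofile[.]io")}
RUN_VALUE = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"

def hunt(events, taskkill_threshold=50):
    """Return chain-level findings from event dicts ('type' = process, registry,
    file or dns). No single event is alarming; the point is seeing them together."""
    findings, taskkills = [], 0
    for ev in events:
        kind, image = ev["type"], ev.get("image", "").lower()
        if kind == "process" and image.endswith("\\taskkill.exe"):
            taskkills += 1  # counted here, reported once as a burst below
        elif kind == "process" and image.endswith("\\cscript.exe") \
                and "applauncher.vbs" in ev.get("cmdline", "").lower():
            findings.append("vbs_launcher")
        elif kind == "process" and image.endswith("\\_winhost.exe"):
            findings.append("renamed_python")  # article: a renamed Python 3.10
        elif kind == "registry" and ev["target"].lower() == RUN_VALUE.lower() \
                and "windowsupdate.exe" in ev.get("data", "").lower():
            findings.append("run_key_persistence")
        elif kind == "file" and ev["path"].lower().endswith("\\startup\\spotify.lnk"):
            findings.append("startup_lnk_persistence")
        elif kind == "dns" and ev["query"].lower() in C2_DOMAINS:
            findings.append("c2_dns:" + ev["query"].lower())
    if taskkills >= taskkill_threshold:
        findings.append(f"taskkill_burst:{taskkills}")
    return findings

# Constructed sample telemetry mirroring the chain in the article ("victim" is a
# placeholder user name; the location of _winhost.exe is assumed).
U = r"C:\Users\victim\AppData"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": U + r"\Local\Programs\WindowsUpdate\AppLauncher.vbs"},
    {"type": "process", "image": U + r"\Local\Programs\WindowsUpdate\WindowsUpdate.exe"},
    {"type": "process", "image": U + r"\Local\Temp\_winhost.exe"},
    {"type": "registry", "target": RUN_VALUE,
     "data": U + r"\Local\Programs\WindowsUpdate\WindowsUpdate.exe"},
    {"type": "file", "path": U + r"\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk"},
    {"type": "dns", "query": "sync-service.system-telemetry.workers.dev"},
    {"type": "dns", "query": "store8.gofile.io"},
] + [{"type": "process", "image": r"C:\Windows\System32\taskkill.exe"}] * 200

if __name__ == "__main__":
    print("\n".join(hunt(SAMPLE_EVENTS)))
```

A real deployment would key the same checks on host and time window so that the findings are correlated per machine rather than across the whole log.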

What this means and what to do next

The combination of a localized phishing lure, a legitimately constructed MSI installer, an Electron wrapper, and a runtime-deployed Python payload exemplifies the evolution of commodity stealers. Each layer serves a specific purpose: the MSI offers a familiar installation experience, the Electron shell helps the file appear clean, and the Python runtime provides flexible access to the operating system. The entire chain is built from off-the-shelf, legitimate components.

The targeting of French users follows a clear pattern. With tens of millions of personal records already in circulation, the cost of creating a convincing localized lure diminishes significantly. An attacker who knows which provider a victim uses can tailor a phishing page to match their expectations, whether from their ISP or, in this instance, Microsoft.

The crucial takeaway is that a zero-detection result on VirusTotal does not guarantee a file's safety. It often indicates that the malicious logic is concealed, such as within obfuscated scripts or delivered at runtime, leaving little for traditional detection methods to flag.

If you suspect you may have installed this update, consider taking the following steps:

  • Check your registry key. Press Windows + R, type regedit, and press Enter. Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for an entry named SecurityHealth pointing to WindowsUpdate.exe in your AppData folder, and delete it.
  • Search for a Spotify.lnk file in your Startup folder that you did not create, and remove it. Delete the folder C:\Users\<username>\AppData\Local\Programs\WindowsUpdate.
  • Clear the temporary files in C:\Users\<username>\AppData\Local\Temp\WinGettools.
  • Change all passwords stored in your browser—assume that saved credentials, cookies, and session tokens may have been compromised.
  • Enable two-factor authentication, prioritizing email and financial accounts.
  • Run a full system scan with an up-to-date antimalware tool (preferably one with behavioral detection).

How to update Windows safely

The safest method to update Windows is through the built-in update feature. Open Start, navigate to Settings > Windows Update, and click “Check for updates.” This should always be your first step.

Microsoft also provides standalone update packages through the Microsoft Update Catalog (catalog.update.microsoft.com), which is the only legitimate source for manual downloads. Any other website offering a Windows update as a file should be approached with caution.

Be vigilant of pages that imitate Microsoft Support or Windows Update. While they may appear convincing, the URL is critical. Authentic Microsoft pages are exclusively served from domains ending in microsoft.com. A domain like microsoft-update[.]support may seem plausible, but it is not affiliated with Microsoft.

If you receive an email, text, or notification urging you to install an urgent update, refrain from clicking the link. Instead, navigate directly to Settings > Windows Update to check for updates.

Lastly, consider enabling automatic updates. This reduces the need for manual downloads and minimizes the risk of inadvertently installing a fraudulent update.

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

  • 13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60  (WindowsUpdate.exe)
  • c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650  (AppLauncher.vbs)

Domains

  • microsoft-update[.]support (phishing lure)
  • datawebsync-lvmv[.]onrender[.]com (C2)
  • sync-service[.]system-telemetry[.]workers[.]dev (C2 relay)
  • store8[.]gofile[.]io (exfiltration)
  • www[.]myexternalip[.]com (IP reconnaissance)
  • ip-api[.]com (geolocation)

File System Artifacts

  • C:\Users\<username>\AppData\Local\Programs\WindowsUpdate\WindowsUpdate.exe
  • C:\Users\<username>\AppData\Local\Programs\WindowsUpdate\AppLauncher.vbs
  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify.lnk