Security updates normally signal relief. Patch Tuesday arrives, systems update, and known vulnerabilities get closed. But a recent campaign flips that idea on its head by disguising malware as a Windows update itself.
Researchers at Malwarebytes recently uncovered a malicious installer posing as an update for Microsoft Windows 11 version 24H2. Instead of fixing security problems, the fake update quietly collects browser passwords, session cookies, and account data from infected machines.
The trap starts with a convincing support page that mimics legitimate help resources from Microsoft. Visitors are told they need to install a “cumulative update” and are offered a download called WindowsUpdate 1.0.0.msi. At first glance, the file looks legitimate. It uses standard installation packaging and even includes spoofed Microsoft metadata to reinforce the illusion. Once installed, the program behaves very differently from a real system update.
What Happens After Installation
Running the installer sets off a chain of scripts and tools already present in Windows. The malware places an Electron-based application inside the AppData directory and launches it using cscript.exe, a built-in Windows scripting tool.
From there, the process loads a disguised Python environment that pulls in additional modules designed to harvest sensitive information.
The data collection focuses on the places attackers value most: web browsers and messaging platforms. Passwords saved in browsers, authentication cookies, and active account sessions are extracted and sent to remote servers controlled by the attackers. Researchers also found that information linked to Discord accounts was targeted.
Persistence is another key part of the operation. The malware installs itself to run at every system restart by creating a registry entry called SecurityHealth. It also drops a startup shortcut disguised as Spotify.lnk, helping the malware blend into a system’s normal startup behaviour.
Why This Attack Works
The strategy relies on a simple but effective idea: trust in updates. Regular patch cycles encourage users to install security fixes quickly. Attackers exploit that habit by presenting malware as a routine upgrade.
Real updates from Windows Update arrive directly through the operating system’s settings panel or official Microsoft domains. This campaign pushes victims toward a separate download site that only imitates those sources.
How to Stay Safe
The safest way to install updates for Microsoft Windows 11 is through the system’s built-in update tool. Open Windows Update in Settings and install patches directly from there rather than downloading installers from external websites.
Be cautious of support pages that push update downloads. Even when a page looks legitimate or carries Microsoft branding, attackers often mimic official websites closely. If an update requires downloading a file manually, confirm that the source is an official Microsoft domain before running anything.
Users should also avoid running unexpected .msi installers that claim to contain system updates. Real cumulative updates rarely appear as standalone downloads promoted through random support pages.
For anyone who may have installed the fake update, the response should be immediate. Remove suspicious files, delete unusual startup entries such as the SecurityHealth registry key or unknown shortcuts, and run a full system malware scan. Changing passwords for accounts saved in browsers is also important, since those credentials may already be exposed.
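As an added triage script for the clean-up steps above (not code from the article or from Malwarebytes), the following PowerShell check reports the indicators this campaign is known for on a Windows 11 host. It assumes the SecurityHealth entry is a Run-key value, that Spotify.lnk sits in a Startup folder, and that the installer was saved to the user's Downloads folder; it only reports and removes nothing.

```powershell
# Added triage script for the indicators named in this article; it is not
# code from Malwarebytes or the article. Assumptions: the SecurityHealth
# entry is a Run-key value, Spotify.lnk sits in a Startup folder, and the
# installer was saved to the user's Downloads folder. It only reports.
$findings = [System.Collections.Generic.List[string]]::new()

# Windows 10/11 normally carries its own SecurityHealth Run value that
# launches SecurityHealthSystray.exe from System32, so only flag a value
# whose command points somewhere else (for example into AppData).
$legit = Join-Path $env:windir 'System32\SecurityHealthSystray.exe'
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $prop  = if ($props) { $props.PSObject.Properties['SecurityHealth'] }
    if (-not $prop) { continue }
    $cmd = [Environment]::ExpandEnvironmentVariables($prop.Value).Trim('"')
    if ($cmd -notlike "$legit*") {
        $findings.Add("SecurityHealth autorun in $key does not point at System32: $cmd")
    }
}

# Spotify.lnk in either Startup folder: resolve what it really launches.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in [Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup')) {
    $lnk = Join-Path $dir 'Spotify.lnk'
    if (Test-Path $lnk) {
        $target = $shell.CreateShortcut($lnk).TargetPath
        $findings.Add("Startup shortcut $lnk launches: $target")
    }
}

# cscript.exe running something out of AppData matches the launch chain
# described above (an Electron app in AppData started via cscript.exe).
Get-CimInstance Win32_Process -Filter "Name='cscript.exe'" |
    Where-Object { $_.CommandLine -like '*AppData*' } |
    ForEach-Object { $findings.Add("cscript.exe (PID $($_.ProcessId)): $($_.CommandLine)") }

# The lure file itself, if it is still sitting in Downloads.
$msi = Join-Path $env:USERPROFILE 'Downloads\WindowsUpdate 1.0.0.msi'
if (Test-Path $msi) { $findings.Add("Installer still present: $msi") }

if ($findings.Count -eq 0) { 'No indicators from this campaign found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Review each finding before deleting anything: a SecurityHealth Run value that resolves to SecurityHealthSystray.exe under System32 is Microsoft's own and should stay.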
Security habits matter just as much as security software. Keeping updates within the official update system and avoiding external installers remains one of the simplest ways to prevent attacks like this.