A fake Windows support website is distributing malware disguised as Microsoft's upcoming Windows 11 24H2 update, targeting users who search for early access to new features. Security researchers warn this campaign uses sophisticated techniques that make detection difficult for traditional antivirus software.
The malicious site employs a typosquatted domain that closely resembles official Microsoft support pages, complete with authentic-looking branding and KB-style reference numbers. Visitors encounter what appears to be a legitimate cumulative update download page featuring progress bars and familiar Microsoft design elements.
Malwarebytes identified this threat after security researchers flagged the campaign, noting its use of legitimate packaging tools to avoid immediate security software detection. The installer deploys an Electron-based application alongside background scripts that execute additional payloads without user awareness.
Once installed, the malware functions as an information stealer rather than as destructive, system-corrupting software. It harvests passwords saved in browsers along with active browser session data, which attackers can replay to bypass two-factor authentication on various online services.
Stolen credentials and session data are transmitted over encrypted channels to external command-and-control servers.
Early analysis showed zero detections across multiple antivirus engines during initial scans, according to researchers. This evasion works because the malicious logic is hidden inside obfuscated scripts layered within legitimate software components. The malware also modifies system startup entries and creates disguised shortcuts in system folders so that it persists across reboots.
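The persistence described above (modified startup entries and disguised shortcuts) can be audited from a defender's side. The following PowerShell script is an added example and not code from the article or from Malwarebytes; it assumes the standard Run/RunOnce registry keys and Startup folders, and the set of user-writable path patterns it flags as suspicious is a heuristic chosen here, not something the article specifies.

```powershell
# Added example: list autostart entries (Run keys and Startup-folder shortcuts)
# whose target lives in a user-writable location or is a script file, the kind
# of entry a fake "update" installer leaves behind. A hit is a lead for manual
# review, not a verdict.

$shell = New-Object -ComObject WScript.Shell

# Well-known autostart registry keys (standard locations, not taken from the article).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders whose .lnk files are launched at logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Heuristic (assumption): a genuine Windows update never autostarts from these paths.
$userWritable = '(?i)\\(AppData|Temp|Downloads|Users\\Public)\\'

function Test-Suspicious([string]$target) {
    return ($target -match $userWritable) -or ($target -match '(?i)\.(js|vbs|ps1|bat|cmd)\b')
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        if (Test-Suspicious ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $p.Value }
        }
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)      # resolve the shortcut's real target
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if (Test-Suspicious $target) {
            $findings += [pscustomobject]@{ Source = $_.FullName; Name = $_.Name; Target = $target }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it in an elevated session to read the HKLM keys and the common Startup folder; scheduled tasks and services are further persistence locations this script does not cover.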
Microsoft has not released Windows 11 version 24H2 to general users as of April 2026. The company typically follows a predictable release schedule: new versions go to its Insider Program first, followed by a gradual mainstream rollout.
When legitimate updates arrive, they are distributed exclusively through Windows Update, never through third-party websites offering early access or special features.
Security experts recommend treating any website claiming to provide full 24H2 downloads as suspicious. Users should obtain updates only through official Microsoft channels and maintain current versions of Windows Security features including Defender Antivirus and SmartScreen for baseline protection against known malware variants.