Fake Windows Support website offers 'cumulative update' for version 24H2 but delivers password-stealing malware that can avoid anti-virus detection

Even though I've been immersed in all things tech for some time now, I'm not arrogant enough to think I'll never be caught out by a phishing email or downloading dodgy software. That's especially true as online scams grow in sophistication—for instance, there is a fake Windows support page that tricks users into downloading password-stealing malware targeting the latest version 24H2.

This deceptive site alleges a critical 'cumulative update' for Windows Update version 24H2, complete with a KB article number that looks passable at a glance. Anyone who actually hits the big blue 'Download the update' button will receive a convincingly spoofed Windows Installer package instead of legitimate software. Unfortunately, this download is actually malicious code capable of hoovering up "passwords, payment details, and account access," according to cybersecurity company Malwarebytes.

How Fake Cumulative Updates Bypass Security Defenses

Even downloading the dodgy software may not raise alarm bells at first glance because the package appears technically sound. The suspicious file was built using WiX Toolset 4.0.0.5512, which Malwarebytes describes as "a legitimate open-source installer framework." This 83 MB package is named 'WindowsUpdate 1.0.0.msi,' featuring an Author field that reads "Microsoft" and a title of "Installation Database."

The comments field further claims the file offers "the logic and data required to install WindowsUpdate," making it look like a standard system component. This construction helps the fake Windows support website's download escape the user's notice while also potentially squeaking past installed anti-virus software. The scammers have engineered it specifically to evade detection, relying on trusted, legitimate components to hide the malicious intent.
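The Author, Title and Comments strings described above live in the MSI's Summary Information stream and can be set to anything by whoever built the package, so they prove nothing on their own. The following PowerShell script is an added triage example (not code from the article or from Malwarebytes): it reads those fields from a downloaded .msi and checks whether the file actually carries a valid Authenticode signature chained to Microsoft, which a "Microsoft" author string cannot substitute for. It assumes Windows PowerShell 5.1 or later on Windows, since the WindowsInstaller COM object and Get-AuthenticodeSignature are Windows-only; the path in the comment is a placeholder.

```powershell
# Added example: triage a downloaded .msi by its Summary Information metadata
# and its Authenticode signature. Run as: .\Test-MsiPackage.ps1 -MsiPath <file>
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath   # e.g. "$env:USERPROFILE\Downloads\WindowsUpdate 1.0.0.msi" (placeholder)
)

$MsiPath = (Resolve-Path -LiteralPath $MsiPath).Path

# Summary Information property IDs from the Windows Installer SDK:
# 2 = Title, 4 = Author, 6 = Comments, 18 = Creating Application (build tool)
$propertyIds = @{ Title = 2; Author = 4; Comments = 6; CreatingApp = 18 }

# Late-bound COM call: Installer.SummaryInformation(path, updateCount=0) opens read-only.
$installer = New-Object -ComObject WindowsInstaller.Installer
$summary = $installer.GetType().InvokeMember(
    'SummaryInformation', 'GetProperty', $null, $installer, @($MsiPath, 0))

$meta = @{}
foreach ($name in $propertyIds.Keys) {
    $meta[$name] = $summary.GetType().InvokeMember(
        'Property', 'GetProperty', $null, $summary, @($propertyIds[$name]))
}
$sizeMB = [math]::Round((Get-Item -LiteralPath $MsiPath).Length / 1MB, 1)

# The Author field is free text; only a valid signature from Microsoft's
# code-signing chain carries weight for a file claiming to be a Windows update.
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

$verdict = 'OK'
if ($sig.Status -ne 'Valid') {
    $verdict = "SUSPICIOUS: signature status '$($sig.Status)'"
} elseif ($signer -notmatch 'O=Microsoft Corporation') {
    $verdict = "SUSPICIOUS: signed by '$signer', not Microsoft"
}
if ($verdict -ne 'OK' -and $meta.Author -match 'Microsoft') {
    $verdict += " while claiming Author='$($meta.Author)'"
}

[void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)

[pscustomobject]@{
    File        = Split-Path -Leaf $MsiPath
    SizeMB      = $sizeMB
    Title       = $meta.Title
    Author      = $meta.Author
    CreatingApp = $meta.CreatingApp   # WiX-built packages normally name the toolset here
    Comments    = $meta.Comments
    Signer      = $signer
    Verdict     = $verdict
}
```

Genuine Microsoft update packages are signed, so an unsigned or third-party-signed .msi whose Author reads "Microsoft" is exactly the mismatch this check is meant to surface; treat any SUSPICIOUS verdict as a reason not to run the file.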

The situation became clear once analysts cracked open the package, revealing an Electron shell wrapping obfuscated malicious JavaScript. Your PC's automatic defences will likely see only the outer Electron layer, which is a free and open-source software framework used by plenty of legitimate apps, and won't wade far enough in to uncover the suss script at its core, where the credential-sniffing logic resides.

According to Malwarebytes, "At the time of analysis, VirusTotal showed zero detections across 69 engines for the main executable and 62 for the VBS launcher." They added that "No YARA rules matched, and behavioural scoring classified the activity as low risk," noting this is not a failure but an intended result. The malware's architecture was specifically designed to appear harmless while silently stealing sensitive data from victims.

Identifying the Phishing Domain and Legitimate Updates

While the technical construction is impressive, there is a key giveaway should you find yourself on this fake Windows website. You must keep your eyes peeled for the dodgy domain 'microsoft-update[.]support,' as Microsoft's genuine support hub is found at 'support.microsoft.com'. This subtle difference in the URL is often the only clue separating legitimate updates from sophisticated scams.

Microsoft also offers its own guide on how to download and install Windows updates legitimately for anyone unclear about the process. The bottom line of its official advice points users towards 'Windows Update' under 'Settings' in your operating system's Start menu, rather than an external webpage like the one in the scam. Relying on these built-in OS features ensures you receive verified patches without the risk of infection.

To help users navigate this landscape, Malwarebytes has updated its anti-virus offering to better detect the latest suss software and now offers a full rundown of what to do next if you suspect you've downloaded it by mistake. The company stresses that, after all, it can happen to anyone given how sophisticated these campaigns have become.

Key indicators of this specific threat include:

  • The use of the non-standard domain 'microsoft-update[.]support' instead of official Microsoft URLs.
  • A file named 'WindowsUpdate 1.0.0.msi' with a spoofed "Microsoft" author field.
  • Zero detections on VirusTotal at the time of analysis due to obfuscation techniques.
  • The use of an Electron shell to hide malicious JavaScript within a legitimate-looking installer.

It is striking the lengths the scammers have gone to ensure this malicious page passes muster, but staying vigilant about where you download updates is crucial. Always verify URLs and rely on your operating system's native update mechanisms to keep your Windows Update version 24H2 secure from such threats.