
Fake Windows Update site spreads malware disguised as Windows 11 24H2

By Nathan Reed Apr 15, 2026

A fake Windows support website is pushing malware disguised as Microsoft’s upcoming update. The site uses a typosquatted domain that closely resembles an official Microsoft support page and shows visitors a counterfeit cumulative update download screen with progress bars and familiar design elements.

identified the threat after security researchers flagged the campaign. In early scans, the malware showed zero detections across multiple antivirus engines, a reminder that a convincing page can be only the first layer of the trap. The installer drops an Electron-based application and background scripts that run additional payloads without the user noticing, then harvests passwords stored in browsers and active browser sessions before sending the stolen data through encrypted channels to external command-and-control servers.

The timing matters because Microsoft has not released Windows 11 version 24H2 to general users as of April 2026, and legitimate updates still arrive only through Windows Update. That gap gives attackers room to exploit people looking for early access or special features, even though Microsoft typically moves software first through its before a wider rollout.

The campaign also tries to stay on machines after the download is over. It modifies startup entries and creates disguised shortcuts in system folders so the malware can return after reboots, turning what looks like a one-time install into a persistent compromise. The clearest safeguard is also the simplest one: if an update is not arriving through Windows Update, it is not a legitimate release.
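To review a machine for the kind of persistence described above, the following PowerShell is an added example, not code from the article or from the researchers it cites. It lists registry Run-key entries and Startup-folder shortcuts and marks those that launch from user-writable paths. The choice of locations and the path patterns are assumptions made for illustration, since the article does not name the exact entries the malware creates.

```powershell
# Added example: list autostart entries and mark ones launching from user-writable paths.
# The path patterns are review heuristics (assumptions), not indicators from the article.
$UserWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

function Get-RunKeyEntry {
    # Per-user and machine-wide Run keys, including the 32-bit view on 64-bit Windows.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = [string]$item.GetValue($name)
            }
        }
    }
}

function Get-StartupShortcut {
    # Resolve each .lnk so the real target is shown, not just the shortcut's display name.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = [Environment]::GetFolderPath('Startup'),
             [Environment]::GetFolderPath('CommonStartup')
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source  = $dir
                Name    = $_.Name
                Command = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
        }
    }
}

# Entries with Review = True run from a user-writable location and deserve a closer look.
@(Get-RunKeyEntry) + @(Get-StartupShortcut) |
    Select-Object *, @{ n = 'Review'; e = { $_.Command -match $UserWritable } } |
    Sort-Object Review -Descending |
    Format-Table -AutoSize -Wrap
```

A flagged entry is not proof of compromise, because legitimate software also starts from these paths. Compare each one against what was knowingly installed on the machine.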
