
Windows Security Update scam hides malware in fake Microsoft site

A fake Windows security update site is pushing malware that steals credentials and payment data through a French-language Microsoft lookalike.

This fake Windows support website delivers password-stealing malware

A fake support website is tricking people into downloading what looks like a normal Windows update, but the file installs malware built to steal passwords, payment details and account access. The campaign was spotted at microsoft-update[.]support, a typosquatted domain dressed up to look like an official Microsoft support page.

The site is written entirely in French and offers a fake cumulative update for Windows version 24H2 under a plausible KB article number. A large blue download button sends visitors to WindowsUpdate 1.0.0.msi, an 83 MB Windows Installer package whose file properties spoof Microsoft as the author and call itself an Installation Database. The comments field says it contains the logic and data required to install WindowsUpdate, and the package was built with WiX Toolset 4.0.0.5512 on April 4, 2026.

When the MSI runs, it installs an Electron application to C:\Users\<USER>\AppData\Local\Programs\WindowsUpdate\, where the main binary is WindowsUpdate.exe, a renamed copy of the standard Electron shell. VirusTotal metadata identifies that binary as electron.exe, and across 69 antivirus engines it drew zero detections. Another file, AppLauncher.vbs, sits alongside it, while the malicious logic likely lives inside the Electron app’s bundled JavaScript.
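The traits described above can be combined into a simple triage rule for file inventory or EDR records. The following is an added example, not code from the article or the researchers; the record field names (`path`, `original_filename`, `author`, `signer`), the sample records and the two-trait threshold are assumptions, and the article does not state the files' signature status.

```python
import ntpath
import re

# Any per-user profile path; the article's install path (AppData\Local\Programs) is one case.
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)

def triage(record):
    """Return the reasons a file record resembles the installer or its payload."""
    reasons = []
    path = record.get("path", "")
    name = ntpath.basename(path).lower()
    original = record.get("original_filename", "").lower()
    signer = record.get("signer", "").lower()
    # Version metadata says electron.exe but the file on disk carries another name.
    # Every packaged Electron app looks like this, so it is weak on its own.
    if original == "electron.exe" and name != original:
        reasons.append("renamed Electron shell")
    # Genuine Windows servicing binaries are not installed into a user profile.
    if USER_PROFILE.match(path) and "windowsupdate" in name:
        reasons.append("update-themed name inside a user profile")
    # Author is free text chosen by whoever built the file; only a signature binds it.
    if "microsoft" in record.get("author", "").lower() and "microsoft" not in signer:
        reasons.append("claims Microsoft authorship without a Microsoft signature")
    return reasons

def flagged(records, threshold=2):
    """Paths whose records match at least `threshold` traits."""
    return [r["path"] for r in records if len(triage(r)) >= threshold]

# Constructed records, not real telemetry. Field names and signer values are assumed.
SAMPLE = [
    {"path": r"C:\Users\alice\Downloads\WindowsUpdate 1.0.0.msi",
     "author": "Microsoft", "signer": ""},
    {"path": r"C:\Users\alice\AppData\Local\Programs\WindowsUpdate\WindowsUpdate.exe",
     "original_filename": "electron.exe", "signer": ""},
    {"path": r"C:\Users\alice\AppData\Local\Programs\ExampleChat\ExampleChat.exe",
     "original_filename": "electron.exe", "signer": "Example Software Ltd"},
    {"path": r"C:\Windows\System32\wuauclt.exe",
     "original_filename": "wuauclt.exe", "author": "Microsoft", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["path"], "->", triage(rec) or "no match")
```

Requiring two traits keeps ordinary Electron applications, which also ship a renamed electron.exe, out of the results.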

The lure lands in a country that has spent the past two years absorbing one breach after another. In October 2024, said an attacker had accessed personal data for roughly 19 million subscriber contracts, including bank account details. Weeks earlier, disclosed a breach exposing customer names, addresses, phone numbers and banking details. Earlier in 2024, suffered an intrusion that compromised the records of 43 million people, including current and past jobseekers spanning two decades.

That spill of personal information has made French-language social engineering easier to tailor. Researchers also found an unprotected Elasticsearch server aggregating 90 million records from at least 17 separate French breaches into a single database, and ’s 2025 infostealer research listed France among the top countries for victims alongside Brazil, India, the US, Spain, the United Kingdom and Indonesia. For anyone who sees a polished Windows update prompt in French today, the risk is not abstract: one click can hand over credentials before the victim realizes the update was fake.
