{
	"id": "d77b037d-269b-4c24-b1e9-cb6d2a14ab61",
	"created_at": "2026-04-06T00:15:06.68332Z",
	"updated_at": "2026-04-10T03:21:20.869162Z",
	"deleted_at": null,
	"sha1_hash": "0d9795725a63b9eaffc5bbc900d27d0de91bcd47",
	"title": "Attackers Disguise RedLine Stealer as a Windows 11 Upgrade",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 849497,
	"plain_text": "Attackers Disguise RedLine Stealer as a Windows 11 Upgrade\r\nBy Patrick Schläpfer\r\nPublished: 2022-02-08 · Archived: 2026-04-05 22:42:44 UTC\r\nThreat actors are always looking for topical lures to socially engineer victims into infecting systems. We recently\r\nanalyzed one such lure, namely a fake Windows 11 installer. On 27 January 2022, the day after the final phase of the\r\nWindows 11 upgrade was announced, we noticed a malicious actor registered the domain windows-upgraded[.]com,\r\nwhich they used to spread malware by tricking users into downloading and running a fake installer. The domain caught\r\nour attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement.\r\nThe threat actor used this domain to distribute RedLine Stealer, an information stealing malware family that is widely\r\nadvertised for sale within underground forums.\r\nDomain Name: windows-upgraded.com\r\nCreation Date: 2022-01-27T10:06:46Z\r\nRegistrar: NICENIC INTERNATIONAL GROUP CO., LIMITED\r\nRegistrant Organization: Ozil Verfig\r\nRegistrant State/Province: Moscow\r\nRegistrant Country: RU\r\nThe attackers copied the design of the legitimate Windows 11 website, except clicking on the “Download Now” button\r\ndownloads a suspicious zip archive called Windows11InstallationAssistant.zip. The file was hosted on Discord’s content\r\ndelivery network.\r\nhttps://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/\r\nPage 1 of 7\n\nFigure 1 – Fake Windows 11 website hosted on windows-upgraded[.]com.\r\nFile Analysis\r\nWindows11InstallationAssistant.zip is only 1.5 MB and contains six Windows DLLs, an XML file and a portable\r\nexecutable.\r\nFigure 2 – Zip archive contents.\r\nAfter decompressing the archive, we get a folder with a total size of 753 MB. The executable\r\nWindows11InstallationAssistant.exe was the largest file at 751 MB.\r\nFigure 3 – File sizes after decompression.\r\nSince the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%.\r\nThis is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression\r\nratio, the executable likely contains padding that is extremely compressible. Viewed in a hex editor, this padding is easily\r\nspotted (Figure 4).\r\nFigure 4 – 0x30 filler area inside Windows11InstallationAssistant.exe.\r\nA large part of the file is padded with 0x30 bytes and is irrelevant to run the file. Since many sandboxes and other\r\nmalware analysis tools are unable to process very large files, we must either analyze the file manually or shrink it to a\r\nreasonable size. The large filler area is located at the end of the file just before the file signature. Due to a digest\r\nmismatch, the signature verification results in an error, which is why we did not include it further in the analysis. By\r\ntruncating the filler area as well as the signature, we obtain a valid portable executable. One reason why the attackers\r\nmight have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware.\r\nFigure 5 shows the sections of the executable after removing the padding.\r\nFigure 5 – File sections of Windows11InstallationAssistant.exe (padding removed) viewed in PE-bear.\r\nDynamic Analysis\r\nWe can now analyze this file dynamically in a sandbox or with static malware analysis tools. Immediately after\r\nexecution, the malware starts a PowerShell process with an encoded argument. This causes a cmd.exe process to be\r\nlaunched with a timeout of 21 seconds. Once this timeout expires, the initial process downloads a file named win11.jpg\r\nfrom a remote web server (Figure 6).\r\nFigure 6 – Process execution leading to RedLine Stealer.\r\nRunning the file utility against win11.jpg fails to identify its file type, suggesting that it is encoded or encrypted.\r\nHowever, opening the file in a text editor revealed that the contents are simply stored in reverse order.\r\nFigure 7 – Reversed DLL file viewed in a text editor.\r\nOnce the contents of the file are reversed, we get a dynamic link library (DLL). This DLL is loaded by the initial process,\r\nwhich executes itself again then replaces the current thread context with the downloaded DLL. This is the RedLine\r\nStealer payload, a classic information stealer. It collects various information about the current execution environment,\r\nsuch as the username, computer name, installed software and hardware information. The malware also steals stored\r\npasswords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and\r\nwallets. To exfiltrate information or receive further instructions, RedLine Stealer opens a TCP connection to a configured\r\ncommand and control (C2) server, in this case 45.146.166[.]38:2715.\r\nLinks to December 2021 RedLine Stealer Campaign\r\nThe tactics, techniques and procedures (TTPs) in this RedLine Stealer campaign are similar to a campaign we analyzed in\r\nDecember 2021. In that campaign, the malicious actor registered discrodappp[.]com, which they used to serve RedLine\r\nStealer disguised as an installer for the popular messaging app. In both campaigns, the threat actor used fake websites\r\nmimicking popular software to trick users into installing their malware, registered the domains using the same domain\r\nregistrar, used the same DNS servers, and delivered the same family of malware.\r\nFigure 8 – Fake Discord website distributing RedLine Stealer, December 2021.\r\nConclusion\r\nThis campaign highlights once again how attackers are quick to take advantage of important, relevant and interesting\r\ncurrent events to create effective lures. Prominent announcements and events are always interesting topics for threat\r\nactors, which can be exploited to spread malware. Since such campaigns often rely on users downloading software from\r\nthe web as the initial infection vector, organizations can prevent such infections by only downloading software from\r\ntrustworthy sources.\r\nIndicators of Compromise\r\nSource: https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/"
	],
	"report_names": [
		"redline-stealer-disguised-as-a-windows-11-upgrade"
	],
	"threat_actors": [],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d9795725a63b9eaffc5bbc900d27d0de91bcd47.pdf",
		"text": "https://archive.orkl.eu/0d9795725a63b9eaffc5bbc900d27d0de91bcd47.txt",
		"img": "https://archive.orkl.eu/0d9795725a63b9eaffc5bbc900d27d0de91bcd47.jpg"
	}
}