{
	"id": "974eb4d6-3a93-4d79-8576-dd9a9b052222",
	"created_at": "2026-04-06T00:12:09.868646Z",
	"updated_at": "2026-04-10T03:21:54.871859Z",
	"deleted_at": null,
	"sha1_hash": "d0abf8f12385cebe718d67db29c0852dffd1d07d",
	"title": "Fake Windows 11 upgrade installers infect you with RedLine malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2453993,
	"plain_text": "Fake Windows 11 upgrade installers infect you with RedLine malware\r\nBy Bill Toulas\r\nPublished: 2022-02-09 · Archived: 2026-04-05 22:41:23 UTC\r\nThreat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into\r\ndownloading and executing RedLine stealer malware.\r\nThe timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so\r\nthe attackers were well-prepared for this move and waited for the right moment to maximize their operation's success.\r\nRedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet\r\ninfo grabber, so its infections can have dire consequences for the victims.\r\nhttps://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThe campaign\r\nAccording to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate “windows-upgraded.com” domain for the malware distribution part of their campaign.\r\nThe site appears like a genuine Microsoft site and, if the visitor clicked on the ‘Download Now’ button, they received a 1.5\r\nMB ZIP archive named “Windows11InstallationAssistant.zip,” fetched directly from a Discord CDN.\r\nFake website used for malware distribution (HP)\r\nDecompressing the file results in a folder of 753MB of size, showcasing an impressive compression ratio of 99.8%,\r\nachieved thanks to the presence of padding in the executable.\r\nWhen the victim launches the executable in the folder, a PowerShell process with an encoded argument starts.\r\nNext, a cmd.exe process is launched with a timeout of 21 seconds, and after that expires, a .jpg file is fetched from a remote\r\nweb server.\r\nThis file contains a DLL with contents arranged in reverse form, possibly to evade detection and analysis.\r\nFinally, the initial process loads the DLL and replaces the current thread context with it. That DLL is a RedLine stealer\r\npayload that connects to the command-and-control server via TCP to get instructions on what malicious tasks it has to run\r\nnext on the newly compromised system.\r\nhttps://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/\r\nPage 3 of 5\n\nRedLine execution and loading chain (HP)\r\nOutlook\r\nAlthough the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their\r\ncampaign. In fact, this is very likely already happening in the wild.\r\nWindows 11 is a major upgrade that many Windows 10 users cannot get from the official distribution channels due to\r\nhardware incompatibilities, something that malware operators see as an excellent opportunity for finding new victims.\r\nAs BleepingComputer reported in January, threat actors are also leveraging Windows' legitimate update clients to execute\r\nmalicious code on compromised Windows systems, so the tactics reported by HP are hardly surprising at this point.\r\nRemember, these dangerous sites are promoted via forum and social media posts or instant messages, so don’t trust anything\r\nbut the official Windows upgrade system alerts.\r\nhttps://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/\r\nhttps://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/"
	],
	"report_names": [
		"fake-windows-11-upgrade-installers-infect-you-with-redline-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0abf8f12385cebe718d67db29c0852dffd1d07d.pdf",
		"text": "https://archive.orkl.eu/d0abf8f12385cebe718d67db29c0852dffd1d07d.txt",
		"img": "https://archive.orkl.eu/d0abf8f12385cebe718d67db29c0852dffd1d07d.jpg"
	}
}