top of page

Fake Windows 11 Upgrade Installs RedLine Malware

RedLine stealer malware is a serious threat that targets users of Windows 10 who are looking for an upgrade to Windows 11. The attackers use fake installers that claim to offer the new operating system, but instead download and execute RedLine stealer malware on the victim's machine.

This malware can steal various types of information from the infected device, such as passwords, cookies, credit card details, cryptocurrency wallets, and more. It can also collect information about the system, such as IP address, hardware, keyboard layout, and antivirus tools.

The attackers launched this campaign shortly after Microsoft announced the broad deployment phase of Windows 11, taking advantage of the high demand and curiosity of users. RedLine stealer malware is one of the most popular and dangerous info stealers in 2023, and users should be careful when downloading any software from untrusted sources.

The Threat Activity

A malicious campaign that pretended to offer Windows 11 upgrades was recently discovered by HP researchers. The attackers used a fake Microsoft website with the domain “” to trick users into downloading malware. The website looked authentic and had a ‘Download Now’ button that led to a 1.5 MB ZIP file named “,” hosted on a Discord CDN.

fake windows website, get Windows 11, Download Now button

Fake website used for malware distribution (HP)

When the file decompresses it results in a folder that was compressed using an impressive 99.8% compression ratio—accomplished thanks to the use of padding in the executable file.

The executable launches a PowerShell process and this results in a cmd.exe process launching with a timeout of 21 seconds. After 21 seconds—a delay likely intended to avoid detection by behavioral monitoring software a .jpg file is fetched from a remote web server.

The .jpg file contains a DLL with contents arranged in reverse form, also apparently designed to evade detection and analysis.

The first process that runs then loads the DLL and replaces the current processes thread context with it. The DLL is one of the RedLine data stealer payloads that connects to the command-and-control (C&C) server via the TCP protocol to get instructions on what the threat actors want it to do next.

Malware installer process for Fake Windows 11

RedLine execution and loading chain (HP)

Into the Future

The threat of malware disguised as Windows 11 updates is real and growing. Many Windows 10 users who cannot upgrade to Windows 11 through official channels are tempted by fake installers that promise to bypass hardware requirements, but instead deliver malicious payloads. These payloads can range from adware and spyware to ransomware and remote access trojans, as reported by HP and other sources.

To avoid falling victim to these scams, users should only trust the official Windows upgrade system alerts and use Windows security features such as Microsoft Defender Antivirus, Microsoft Defender SmartScreen, and Microsoft Firewall. Additionally, users should enable multifactor authentication and use Windows Hello to protect their identity and data from phishing and other network attacks.

7 views0 comments


bottom of page