Beware! Fake Windows 11 Upgrade Installers Could Infect Your PC With RedLine Stealer Malware


– Threat actors are spreading malware in the name of genuine Windows upgrade

– A genuine-looking website is used as a platform to distribute the malware

– The downloaded file size is merely 1.5 MB

– Threats actors are distributing RedLine Stealer malware

– The motive of the threat actors is stealing personal information of the victims such as credit card details, cryptocurrency wallet details, passwords, browser cookies, etc

Hackers have recently launched a campaign where they have utilized a genuine-looking website that drives a user to download malware in the name of Windows 11 upgrade. 

How Fake Windows 11 Upgrade Installers Could Infect Your PC

An Overview

Windows 11 has reached its broad deployment phase. This means that if your PC is Windows 11 ready, the Windows 11 21H2 will be offered to you. 

Several users are eagerly waiting to upgrade their Windows PC from Windows 10 to Windows 11 and hackers have probably sniffed this need. As such recently they had launched a full-fledged campaign to distribute the malware named RedLine stealer. 

In this post, we’ll delve a little deeper into what happened and what is its status now. Even more importantly, we’ll discuss some ways you can prevent yourself from being a victim.

1. Modus Operandi

As per the researchers at HP threat actors used a legitimate-looking website, a fake Microsoft domain – to distribute the malware. It has a big blue-colored Download Now button which entices a user to Get Windows 11

Windows 11 Upgrade Installers
Source: threatresearch.ext.hp

2. What Happened When A User Clicked On The “Download Now” Button?

Once a user clicked on the Download Now button, a zipped file weighing 1.5 MB was received. The zipped file was named This file had an astonishing compressing ratio of nearly 99.8%. This meant that when the file was decompressed, a folder of 753 MB was received.

Once a user launched the executable in the folder, a PowerShell process with an encoded argument was initiated. What followed next, was a cmd.exe that had a timeout of 21 seconds. Once this timeout expired a .jpg file was fetched from a web server located remotely. This .jpg file disguised a DLL file whose contents were arranged in a reverse order which further made the detection and analysis hard. 

Eventually, the RedLine Stealer malware was installed on the compromised PC.

3. What Was Or Rather Is The RedLine Malware Capable Of Stealing?

This malware is infamous for stealing details like passwords, usernames, credit card numbers, cryptocurrency details, and other user data.

4. Why Windows Users Should Be Even More Careful? And, What Should You Do?

As of now, this distribution website is down. But, that doesn’t mean that attackers are going to stop. They are probably initiating another campaign in the wild. 

Just as their need of the hour is to feed on the urgency of users to jump from Windows 10 to Windows 11, our’s should be outrightly thwart such campaigns, and in the wake of that, here are some points – 

1. Never Ever Turn Off Your Antivirus

An Antivirus program is capable of tracking malware in real-time. This means it would track and remove the malware before the threat extends itself to other files on your system. An Antivirus like Systweak Antivirus also has a web protection module that warns you as soon as you visit a suspicious website. 

Windows 11 Upgrade Installers

Apart from that the Systweak Antivirus also offers you multiple scanning modes, offers real-time protection against threats that may exploit vulnerabilities on your computer, and is lightweight on your system’s resources. Here’s a comprehensive inside-out review of Systweak Antivirus.

Here’s How You Can Use Systweak Antivirus – 

2. Beware of Websites Posing As Popular Domains

You may have received the URL of the aforementioned sketchy and fake Microsoft Windows 11 Upgrade Installer domain from a text on one of the social media platforms. 

This is where you need to execute your Wisdom and not fall prey to the executable file that could trap you into downloading the RedLine Stealer malware. We urge you to not click on any such suspicious links and download the upgrade via the updates that Microsoft rolls out or via the Microsoft website. 

Keep Your Eyes and Ears Open!

Like we said, even though the fake Windows 11 upgrade installer is down, to expect that the RedLine Stealer malware has gone would be a grave mistake. We must practice utmost caution when fetching upgrades. What’s your take on this? Do let us know in the comments section below. For more such news and tech-related content, keep reading WeTheGeek.

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe Now & Never Miss The Latest Tech Updates!

Enter your e-mail address and click the Subscribe button to receive great content and coupon codes for amazing discounts.

Don't Miss Out. Complete the subscription Now.