By Dervish / Last update February 11, 2022

Since Windows 11 was first released in June 2021, there have been many campaigns designed to trick people into downloading fake and malicious Windows 11 installers. While the activity seemed to be on hold for a while, it appears to be back, and this time, it could be deadlier.

That's because Windows 11 wasn't available to the public at the time, but only to closed beta testers, who were generally more tech-savvy and more conscious. However, the fact that Windows 11 is already available to the public and plans to accelerate its rollout makes the situation even more nuanced.


The new malware campaign was discovered by the HP Threat Research team after they noticed a new fake website that looked like a Microsoft website but was actually distributing files containing RedLine malware.


Recently, the HP Threat Research team discovered one of these fake Windows 11 upgrade sites, where malicious actors registered the "windows-upgraded" domain name on January 27, 2022, in a deceptive style similar to Microsoft's official website.


When someone clicks the "Download Now" button, a 1.5 MB zip file called "" is downloaded. However, the HP research team was impressed that only the 1.5 MB file was decompressed into a 753 MB folder, a compression ratio of 99.8%.

After reverse engineering the contents of the package, HP discovered that the Windows 11 installer delivered a payload of RedLine stealing malware, which, as the name suggests, is capable of stealing sensitive information such as passwords and other credentials.


Once the user runs the file, it gets an included DLL from the server. jpg malicious files, presumably to evade detection and analysis, then connect to a command and control server via TCP, allowing the infected system to run malicious commands.


The malicious program was able to steal sensitive information, such as airline miles, online banking credentials and other digital assets, and sell it on the dark web.


Since Windows 11 has raised the upgrade threshold, many users have searched for installation methods on the Internet in order to try them out. The malware targets such users. Don't be deceived by these fake Windows 11 upgrade sites and protect your personal data.