Experts Warn Fake Windows 11 Installer Is Using Malware To Steal Info

If you're planning on updating your PC, make sure you only follow official methods, as there appears to be new malware in the wild that pretends to be a Windows 11 installer when you download it. Once opened, it infects your computer with malware known as the RedLine Stealer, which harvests data like credit card information, passwords, and even the details needed for cryptocurrency wallets.

HP's threat research team shared a report detailing the security risk on February 8, 2022. While evaluating the issue, the company's experts discovered the malicious file was being distributed through a website that looked eerily similar to Microsoft's official Windows 11 page. When users pressed the download button on the website, a file hosted on Discord's file-sharing system would be saved to their PCs. Discord itself, like any application that hosts user-generated content, has been a haven for malware and bad actors looking to get their malicious software installed on as many devices as possible.

RedLine Stealer malware can steal sensitive info

HP explains that its research team first noticed the registration of a domain at windows-upgraded[dot]com just a day after the final phase of Windows 11's upgrade was announced. For the record, we do not recommend visiting the website as it could put your system at risk.

The registration led the experts to a website built around the spread of malicious malware that tricked users into running a fake Windows 11 installer. When clicked, the website downloaded a zip file called "" onto the user's computer. The file, HP says, is only 1.5MB when compressed; it contains six Windows DLL files, a portable executable file, and an XML file. There's a lot of technicality to how the system works, but essentially, once the executable is activated, it downloads and installs the RedLine Stealer payload onto the user's PC.

This payload is capable of grabbing any information about software and hardware on the current system. It also copies any stored passwords from browsers, as well as auto-complete data from things like credit or debit cards. As such, it's one of the most dangerous types of malware you can run into.

HP's research team also reports there was a similar campaign run back in December 2021. However, that campaign used a spoofed Discord website that installed similar files and the same style of malware. In light of these risks, it's important to make sure you only utilize official download sources for any new software that you add to your PC.