Microsoft regularly pushes out updates, and occasionally full upgrades, for its software to fix bugs and harden security. Just as regularly, threat actors take advantage of the huge Windows user base by circulating "updates" that are actually malware in disguise.
We got wind of just such a malware attack targeting Windows 11 users. Disguised as an update, the malware behind this threat put affected users at risk of having their saved browser data, local files, and cryptocurrency wallets stolen [1]. Using one domain and one IP address identified as indicators of compromise (IoCs) as investigation jump-off points [2], we found:
- Close to 200 possibly connected domains
- Around 300 possibly connected subdomains
- 85% of the possibly connected domains and subdomains were not owned by Microsoft, even though they contained the Windows brand name
- Windows 7 users were a notable target: 13% of the suspicious domains contained the string "windows7"
- Almost 200 possibly connected IP addresses, about a tenth of which were flagged as malicious by various malware engines
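The triage summarized in the bullets above (brand string in the hostname, ownership check, "windows7" share, engine hits on the resolved IPs) can be reproduced on any candidate list with a few careful string checks. The Python below is an added example, not code or data from this research: the hostnames, registrant strings, and engine hit counts are constructed, the list of Microsoft-owned apex domains is an assumption, and the two-label apex extraction is a deliberate simplification that is wrong for public suffixes such as co.uk.

```python
"""Brand-impersonation triage over a candidate host list (added example, constructed data)."""
from typing import Dict, List, Tuple

# Assumption: apex domains treated as legitimately Microsoft's. Real triage should
# confirm ownership from WHOIS/RDAP or certificate data, not a hard-coded list.
MICROSOFT_APEX = {"microsoft.com", "windows.com", "windowsupdate.com", "live.com"}

# Brand strings whose presence in a hostname makes it worth a look.
BRAND_STRINGS = ("windows", "microsoft")

# Constructed sample records, not artifacts from the research: (hostname, registrant org).
SAMPLE_HOSTS: List[Tuple[str, str]] = [
    ("www.microsoft.com", "Microsoft Corporation"),
    ("update.windows.com", "Microsoft Corporation"),
    ("windows11-upgrade-now.example", "REDACTED FOR PRIVACY"),
    ("windows7-update.example", "REDACTED FOR PRIVACY"),
    ("download.windows7-support.example", "John Doe"),
    ("free-windows-key.example", "REDACTED FOR PRIVACY"),
    ("cdn.windows11-installer.example", "John Doe"),
    ("legit-unrelated.example", "Some Company"),
]

# Constructed: resolved IP -> number of malware engines that flagged it (TEST-NET addresses).
SAMPLE_IP_HITS: Dict[str, int] = {
    "192.0.2.10": 0,
    "192.0.2.11": 3,
    "192.0.2.12": 0,
    "198.51.100.5": 1,
    "198.51.100.6": 0,
}


def labels(hostname: str) -> List[str]:
    """Normalise a hostname (lowercase, no trailing dot) and split into labels."""
    return hostname.lower().rstrip(".").split(".")


def registrable_domain(hostname: str) -> str:
    """Last two labels. Caveat: wrong for multi-label public suffixes (co.uk, com.au);
    use a public-suffix-list library for real data."""
    return ".".join(labels(hostname)[-2:])


def is_subdomain(hostname: str) -> bool:
    return len(labels(hostname)) > 2


def mentions_brand(hostname: str) -> bool:
    """True if any brand string appears anywhere in the hostname (e.g. windows7-update)."""
    host = hostname.lower()
    return any(s in host for s in BRAND_STRINGS)


def owned_by_microsoft(hostname: str, registrant: str) -> bool:
    """Owned if the apex is on the allowlist or the registrant org names Microsoft."""
    return registrable_domain(hostname) in MICROSOFT_APEX or "microsoft corporation" in registrant.lower()


def triage(hosts: List[Tuple[str, str]]) -> Dict[str, object]:
    """Compute the same summary figures the write-up reports, over the given records."""
    branded = [(h, r) for h, r in hosts if mentions_brand(h)]
    lookalikes = sorted(h for h, r in branded if not owned_by_microsoft(h, r))
    win7 = [h for h, _ in branded if "windows7" in h.lower()]
    total = len(branded) or 1  # avoid ZeroDivisionError on an empty list
    return {
        "domains": len({registrable_domain(h) for h, _ in branded}),
        "subdomains": sum(1 for h, _ in branded if is_subdomain(h)),
        "lookalike_pct": round(100 * len(lookalikes) / total),
        "windows7_pct": round(100 * len(win7) / total),
        "lookalikes": lookalikes,
    }


def malicious_ip_share(ip_hits: Dict[str, int], threshold: int = 1) -> int:
    """Percentage of IPs flagged by at least `threshold` engines (single-engine hits are noisy)."""
    flagged = sum(1 for hits in ip_hits.values() if hits >= threshold)
    return round(100 * flagged / (len(ip_hits) or 1))


if __name__ == "__main__":
    summary = triage(SAMPLE_HOSTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print(f"malicious_ip_pct (>=1 engine): {malicious_ip_share(SAMPLE_IP_HITS)}")
    print(f"malicious_ip_pct (>=2 engines): {malicious_ip_share(SAMPLE_IP_HITS, threshold=2)}")
```

Two design points carry over to real data: the brand check is a plain substring test on purpose, since lookalike domains embed "windows" next to digits and hyphens rather than as a clean label, and the ownership decision should never rest on the hostname alone, which is why the registrant string is consulted alongside the apex allowlist. The `threshold` on engine hits exists because a single engine flagging an IP is weak evidence.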
Download the threat research materials to access a sample list of the identified artifacts, which can be used for further enrichment and threat analysis.
[1] https://www.hackread.com/beware-fake-windows-11-update-delivering-malware/#:~:text=According%20to%20researchers%2C%20the%20fake,pretty%20convincing%20to%20unsuspecting%20users.
[2] https://otx.alienvault.com/pulse/625fdfc069b64762bb5ea0ec