Beware of the fake Windows 11 update that steals passwords and banking data: how to defend yourself

An 83 megabyte package, the Microsoft icon, a plausible KB article number. All fake. Behind what looks like a normal cumulative update for Windows 11 lies an infostealer (malicious spyware whose main role is to steal personal and sensitive information from the victim’s device) capable of emptying the browser of saved credentials, including banking data, and transmitting them to an anonymous server before the user notices anything.
The campaign was discovered by cybersecurity company Malwarebytes, which on April 9, 2026 published a detailed technical analysis authored by researcher Stefan Dasic.

The scam site and the MSI file

The starting point is a domain registered via typosquatting: microsoft-update(.)support, a string that at first glance might seem authentic. The site, entirely in French, features a Windows update page complete with a blue download button.

What you download is WindowsUpdate 1.0.0.msi, an installation file built with WiX Toolset 4.0.0.5512, a legitimate open source framework also used by professional developers. The “Author” field reads “Microsoft”, and the “Comments” field carries the wording normally used for a system update. The file was generated on April 4, 2026, four days before Malwarebytes spotted it.

How the malware works

The malware’s architecture is layered, and it is this structure that makes it difficult to intercept. Once the MSI file is executed, three main components are installed: an Electron application (the same technology behind Visual Studio Code or Slack), which acts as an outer shell; a Visual Basic Script launcher named AppLauncher.vbs; and, at the deepest layer, a Python 3.10 interpreter renamed _winhost.exe so that it looks like a system process.

It’s the Python layer that does the dirty work. It loads a number of libraries suited to data theft, including pycryptodome to encrypt the loot and pywin32 to interact with Windows APIs, and starts collecting credentials, session cookies, payment data and authentication tokens saved in the browser. Everything is then transmitted to an anonymous file sharing service: gofile(.)io.

The actual malicious code is hidden inside two heavily obfuscated JavaScript files, embedded in the Electron application. At the time of analysis, none of the 69 antiviruses tested on VirusTotal reported the main executable file as malicious.

Survives reboot, masquerades as Spotify

The malware implements two separate persistence mechanisms. The first writes a registry Run entry called SecurityHealth, a name that imitates the Windows Defender service, which points to the executable of the fake update. The second creates a shortcut named Spotify.lnk in the Startup folder, a name common enough not to arouse suspicion even among IT personnel.

Why the target is France

The choice of French-speaking users is not random. Over the past two years, France has suffered some of the most serious data breaches in Europe: Free, the country’s second largest internet operator, confirmed in October 2024 unauthorized access to data on around 19 million contracts, including bank details. France Travail, the public employment service, suffered an attack in 2024 that exposed the data of 43 million people. In this context, building a phishing page localized in French is a marginal extra cost for those who already hold the names, addresses and ISPs of the victims.

How to protect yourself

Legitimate Windows updates are delivered exclusively through Settings > Windows Update or the Microsoft Update Catalog. Any external site that offers an update file for download is to be considered suspicious, regardless of how convincing its appearance is.

Anyone who suspects they have installed the fake update should: look in the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for an entry named SecurityHealth that points to WindowsUpdate.exe in the AppData folder; check for a file named Spotify.lnk in the Startup folder; change all passwords saved in the browser; and enable two-factor authentication on email and bank accounts.
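The two manual checks above can be run as a single PowerShell script. This is an added example, not code from Malwarebytes or from the article; the entry name, file names and locations come from the article, while the substring matching on the Run value is an assumption made here because the exact value string is not quoted.

```powershell
# Added example: check the two persistence artefacts attributed to the fake
# Windows 11 update. Indicators (HKCU Run entry "SecurityHealth" pointing at
# WindowsUpdate.exe under AppData, and Spotify.lnk in the Startup folder) are
# taken from the article; everything else here is an assumption.
$findings = @()

# 1. Per-user Run key. Note that Windows itself registers a "SecurityHealth"
#    entry under HKLM pointing into System32 (SecurityHealthSystray.exe); the
#    indicator described here is a per-user HKCU entry pointing into AppData.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$entry  = Get-ItemProperty -Path $runKey -Name 'SecurityHealth' -ErrorAction SilentlyContinue
if ($entry) {
    $value = [string]$entry.SecurityHealth
    $findings += "Run entry '$runKey\SecurityHealth' exists: $value"
    # Substring match is an assumption; the article only says the value points
    # to WindowsUpdate.exe inside AppData.
    if ($value -match 'WindowsUpdate\.exe' -and $value -match 'AppData') {
        $findings += '  -> value matches the fake-update indicator (WindowsUpdate.exe under AppData)'
    }
}

# 2. Spotify.lnk in the Startup folders (per-user and all-users). Resolve the
#    shortcut target so a real Spotify shortcut can be told apart from one that
#    launches something under AppData.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    $lnk = Join-Path $dir 'Spotify.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $target = $shell.CreateShortcut($lnk).TargetPath
        $findings += "Startup shortcut '$lnk' exists, target: $target"
        if ($target -match 'WindowsUpdate\.exe' -or $target -match 'AppLauncher\.vbs') {
            $findings += '  -> target matches a component named in the analysis'
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SecurityHealth Run entry or Spotify.lnk startup shortcut found for this user.'
} else {
    Write-Output 'Possible fake-update persistence found; review before removing:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

A legitimate Spotify shortcut will show a target inside the Spotify installation directory, so the resolved target is what distinguishes a benign hit from the indicator.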

Source: malwarebytes.com