If a website asks you to manually install a “Windows Update” via a large blue download button, close that tab immediately. Malwarebytes has just discovered a fake Microsoft support website (microsoft-update.support) that claims to offer a cumulative update for Windows 24H2, but in reality provides password-stealing malware.
The entire page is designed to look official, right down to a plausible KB-style reference. It serves an 83MB MSI file called Windowsupdate1.0.0.msi, which looks quite legitimate even in the file properties.
What the malware actually does
The website is currently written in French, which suggests that the scam is targeting French-speaking users first. However, Malwarebytes warns that these operations can spread quickly. The installer itself was created using the legitimate WiX toolset, and its metadata is faked to make it appear that it was created by Microsoft. This makes it easier for the file to get past both users and some basic security checks.
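File properties and MSI metadata are typed in by whoever builds the package, so the useful check is whether a valid Authenticode signature backs the claimed publisher. The PowerShell function below is an added example, not code from the Malwarebytes report; `Test-MsiPublisherClaim` and the sample path are hypothetical, and the page does not say whether the malicious file carried any signature.

```powershell
# Added example: compare the publisher an MSI claims with the one its signature proves.
function Test-MsiPublisherClaim {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path

    # Late-bound helper for the Windows Installer COM automation interface.
    function Invoke-Com($Object, $Name, $Kind, $Arguments) {
        $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
    }

    # 1. The claim: Manufacturer from the MSI Property table. The package
    #    author sets this value, so it proves nothing about origin.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($full, 0)  # 0 = read-only
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @(
        "SELECT Value FROM Property WHERE Property = 'Manufacturer'")
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    $row  = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
    $claimed = if ($row) { Invoke-Com $row 'StringData' 'GetProperty' @(1) } else { '' }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
    # Release the COM objects so the MSI file is not left locked.
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)

    # 2. The proof: the Authenticode signature, validated against the
    #    machine's trusted roots. Status is 'Valid' only if the chain checks out.
    $sig    = Get-AuthenticodeSignature -LiteralPath $full
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $claimsMicrosoft = $claimed -match 'Microsoft'
    $provenMicrosoft = ($sig.Status -eq 'Valid') -and
                       ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        File                = $full
        ClaimedManufacturer = $claimed
        SignatureStatus     = $sig.Status
        Signer              = $signer
        # Claims Microsoft in metadata, but no valid Microsoft signature.
        Suspicious          = $claimsMicrosoft -and -not $provenMicrosoft
    }
}

# Usage (constructed path):
# Test-MsiPublisherClaim -Path "$env:USERPROFILE\Downloads\Windowsupdate1.0.0.msi"
```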
The MSI drops an Electron-based app into the user’s AppData folder and then launches additional components, including a hidden Python runtime environment. From there, the malware pulls in tools and packages associated with data theft, such as components used for encryption, process auditing, and deeper Windows access. The company says the malicious code also targets Discord by modifying its files to intercept login tokens, payment details and two-factor authentication changes.
Malwarebytes says the malware also fingerprints victims by checking their IP address and geolocation, contacts command-and-control infrastructure hosted via Render and Cloudflare Workers, and uploads stolen data via Gofile.
Why you should heed this warning
A disturbing detail uncovered in the report is that at the time of Malwarebytes’ analysis, the main executable and launcher had no detections across dozens of antivirus engines on VirusTotal. The company says this is because the malware hides its logic in obfuscated JavaScript, legitimate Electron components, and runtime-provided Python tools, rather than an obviously malicious binary. So basically, don’t fall for this fake Windows support page. It won’t help you to patch your PC. It’s trying to rob it.




