HP’s Threat Research Team: ‘Beware of Fake Windows 11 Installer Website’

Cyber-threat actors are always looking for ways to scam citizens around the world and one way they do this is to lure socially engineer victims into infecting systems by downloading software from fake websites.

If your system is too old to run Windows 11, it’s best to get a new PC. Trying to circumvent the installation process and looking for unofficial installers could lead you to spoofed websites.

And that’s exactly what happened when HP’s Threat Research team found a domain that, at first glance, seems to be a legitimate Microsoft website. But the domain hides a dangerous secret.

HP Threat Research Team stated, “On 27 January 2022, the day after the final phase of the Windows 11 upgrade was announced, we noticed a malicious actor registered the  domain windows-upgraded[.]com, which they used to spread malware by tricking users into downloading and running a fake installer.”

“The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute “RedLine Stealer”, information stealing malware family that is widely advertised for sale within underground forums.”

Domain Name:

Creation Date: 2022-01-27T10:06:46Z


Registrant Organization: Ozil Verfig

Registrant State/Province: Moscow

Registrant Country: Russia

The attackers copied the design of the legitimate Windows 11 website, except clicking on the “Download Now” button downloads a suspicious zip archive called The file was hosted on Discord’s content delivery network.

“It collects various information about the current environment, such as the username, computer name, installed software and hardware information. The malware also steals stored passwords from web browsers, auto-complete data such as credit card information, and cryptocurrency files and wallets,” HP’s Threat Research stated.

The tactics, techniques and procedures (TTPs) in this RedLine Stealer campaign are similar to a campaign we analyzed in December 2021.

In that campaign, the malicious actor registered discrodappp[.]com, which they used to serve RedLine Stealer disguised as an installer for the popular messaging app.

In both campaigns, the threat actor used fake websites mimicking popular software to trick users into installing their malware, registered the domains using the same domain registrar, used the same DNS servers, and delivered the same family of malware.

Thankfully the spoofed site has been taken down. However, use exercise extreme caution going forward.

Related News:

Turn your back on Big Tech oligarchs and join the New Resistance NOW!  Facebook, Google, and other members of the Silicon Valley Axis of Evil are now doing everything they can to deliberately silence conservative content online, so please be sure to check out our MeWe page here, check us out at ProAmerica Only and follow us at Parler, Social Cross and Gab.  You can also follow us on Twitter at @co_firing_line, and at the new social media site set up by members of Team Trump, GETTR.

While you’re at it, be sure to check out our friends at Whatfinger News, the Internet’s conservative front-page founded by ex-military!And be sure to check out our friends at Trending Views:Trending Views



Fmr. Sgt, USAF Intelligence, NSA/DOD; Studied Cryptology at Community College of the Air Force

Related Articles

Our Privacy Policy has been updated to support the latest regulations.Click to learn more.×