
This fake Windows 11 upgrade steals your credentials

Hackers seek to trick users with a fake Windows 11 upgrade whose goal is to install malware on your computer that will steal credentials stored in your browser and any cryptocurrency wallet.

Currently, the campaign is active and relies on poisoning internet search results to promote a website that is a copy of the official promotion page for Windows 11, like the one found on the Microsoft website. Except that in this case, the user is downloading malware and not a Windows 11 upgrade utility.

As seen in the image below, the “windows11-upgrade11[.]com” site uses the same layout, logos, etc. as the Microsoft site. Clicking the “Download now” button downloads a malicious ISO file instead of the upgrade assistant.

How Inno Stealer malware works

Security researchers at CloudSEK have analyzed the malware hidden in this malicious ISO image. First of all, it now has a name: Inno Stealer, in reference to the Inno Setup Windows installer it is built with. Its code shares no similarity with other malware of the same kind. The malware is installed on the PC by the “Windows 11 setup” executable, and it quickly gains persistence by creating a shortcut in the machine's “Startup” folder.

More specifically, the malware will perform several actions on the machine:

  • Disable Windows Registry Security
  • Add exceptions in Windows Defender
  • Delete Shadow Copies
  • Uninstall security products, including Emsisoft and ESET, since these products can detect it

A process called “Windows11InstallationAssistant.scr” then runs on the machine to steal information saved in browsers, particularly Chrome, Edge, Brave, Opera and Vivaldi. It also looks for cryptocurrency wallets by checking several known locations on the system.
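As an added illustration (not from the original article or from CloudSEK's analysis), the Python script below triages constructed process-creation events for the behaviours listed above: Startup-folder persistence, Defender exclusions, shadow copy deletion, security product removal and the Windows 11-themed .scr process. The host names, paths and command lines are assumptions; the article says what the malware does, not which commands it runs, so the patterns are the usual ways those actions appear in telemetry.

```python
"""Score constructed Windows process-creation events per host and flag hosts
that show several of the behaviours described for Inno Stealer."""
import re
from collections import defaultdict

# (behaviour tag, regex tested against "image | command line"); case-insensitive.
RULES = [
    ("startup_persistence", re.compile(r"\\start menu\\programs\\startup\\", re.I)),
    ("defender_exclusion", re.compile(r"add-mppreference.*-exclusion", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)),
    ("av_uninstall",
     re.compile(r"uninstall.*\b(emsisoft|eset)\b|\b(emsisoft|eset)\b.*uninstall", re.I)),
    ("win11_lure_scr", re.compile(r"windows11[^\\ |]*\.scr\b", re.I)),
]

def classify(event):
    """Return the set of behaviour tags a single event matches."""
    text = f"{event['image']} | {event['cmdline']}"
    return {tag for tag, rx in RULES if rx.search(text)}

def triage(events, threshold=3):
    """Union tags per host; a host with >= threshold distinct behaviours is flagged.
    Returns (per-host tag sets, sorted list of flagged hosts)."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["host"]] |= classify(ev)
    flagged = sorted(h for h, tags in by_host.items() if len(tags) >= threshold)
    return dict(by_host), flagged

# Constructed sample telemetry (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.scr", "cmdline": ""},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\a\AppData\Roaming"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},  # benign: no delete
    {"host": "ws02", "image": r"C:\Program Files\ESET\Setup.exe", "cmdline": "setup.exe /uninstall"},
]

if __name__ == "__main__":
    hosts, flagged = triage(SAMPLE_EVENTS)
    for host, tags in hosts.items():
        print(host, sorted(tags))
    print("flagged:", flagged)  # ws01 shows four behaviours, ws02 only one
```

A single match (an admin removing ESET, say) is weak evidence on its own; the combination of several of these behaviours on one host within a short window is what makes the alert worth paging on.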

The data collected by the malware is exfiltrated to the “” server, and it is worth pointing out that the malware uses multiple threads to work more efficiently. This new malware seems effective and remarkably successful.
