Fake Windows update installs hidden malware

If you've ever clicked "Check for updates" and trusted what you saw, you're not alone. That's precisely what this latest scam is counting on.

The page mimics charismatic branding, includes a believable knowledge guidelines number and presents a large bluish download fastener that feels familiar.

The catch? The download installs malware designed to bargain passwords, costs specifications and relationship access.

According to researchers astatine Malwarebytes Labs, a cybersecurity investigation and threat intelligence squad wrong Malwarebytes, nan tract uses a typosquatted domain that looks adjacent capable to a existent Microsoft URL to fool a speedy glance. That mini instrumentality is often each it takes.

APPLE APP PASSWORD SCAM EMAIL WARNING
 

Cybersecurity researchers pass a clone Microsoft update tract uses a look-alike URL and a acquainted download fastener to present data-stealing malware. (Michael Nagle/Bloomberg via Getty Images)

Sign up for my FREE CyberGuy Report

• Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox.
• For simple, real-world ways to spot scams early and enactment protected, visit CyberGuy.com – trusted by millions who watch CyberGuy connected TV daily.
• Plus, you'll get instant entree to my Ultimate Scam Survival Guide free erstwhile you join. 

Why this clone Windows update malware slips past detection

At first glance, thing seems off. The record looks for illustration a modular Windows installer. It moreover lists "Microsoft" successful its properties. That's wherever this onslaught gets clever. Instead of utilizing evident malicious code, nan attackers built nan installer pinch morganatic devices and layered nan onslaught successful stages. Each portion looks harmless connected its own.

Here's what's happening down nan scenes:

• The installer launches what appears to beryllium a normal app
• That app softly runs hidden scripts
• A disguised process loads a afloat Python environment
• Data theft devices activate successful nan background

Because each measurement looks routine, galore security tools neglect to emblem it correct away. Researchers besides noted that antivirus engines initially showed zero detections for cardinal parts of nan attack. That does not mean nan record is safe. It intends nan malicious behaviour is good hidden.

What this clone Windows update malware is stealing

Once installed, nan malware gets to activity fast. It collects specifications astir nan infected device, including location and IP address. Then it reaches retired to distant servers to person instructions and upload stolen data.

The targets include:

• Saved browser passwords
• Login sessions and cookies
• Payment details
• Discord relationship tokens

It moreover tries to unopen down different processes connected your strategy to debar interference while it works. In immoderate cases, it modifies apps for illustration Discord to intercept relationship activity successful existent time.

How nan clone Windows update malware stays connected your system

This malware is designed to instrumentality around. It creates entries that look for illustration normal strategy processes, truthful they blend in. One registry introduction mimics Windows Security Health, which astir users would ignore. It besides drops a shortcut successful your startup files pinch a familiar sanction for illustration Spotify. That makes it easy to overlook. Two different persistence tricks mean it tin past a reboot and support running.

FAKE WINDOWS UPDATE PUSHES MALWARE IN NEW CLICKFIX ATTACK
 

A clone Windows update page is tricking users into downloading malware that steals passwords, costs specifications and relationship access. (Beata Zawrzel/NurPhoto)

Why this clone Windows update scam feels truthful real

There's a bigger inclination down this. Researchers opportunity campaigns for illustration this often target regions wherever ample information breaches person already exposed individual information. When attackers already cognize your name, supplier aliases habits, they tin build scams that consciousness tailored to you. That makes a clone Windows update page acold much believable than a generic phishing email.

It besides highlights thing important. Today's malware often hides wrong morganatic devices and trusted frameworks. That makes it harder to observe and easier to trust. This run shows really acold scammers person come. They are nary longer relying connected sloppy emails aliases evident clone links. Instead, they are building layered attacks that look and behave for illustration trusted software.

Even knowledgeable users tin get caught disconnected defender erstwhile everything appears normal. The biggest takeaway is simple. A cleanable scan consequence aliases a acquainted interface does not guarantee safety.

Microsoft says it's alert of nan threat

Microsoft confirmed it is search this type of activity and urges users to beryllium cautious erstwhile downloading updates from unfamiliar sources. 

"We are alert of reports of fraudulent websites impersonating Microsoft, and we actively activity to observe and disrupt malicious activity crossed nan internet," A Microsoft spokesperson told CyberGuy. "We promote customers to beryllium cautious of unexpected prompts aliases downloads and to verify that they are interacting pinch morganatic Microsoft domains. As a champion practice, we urge users verify nan legitimacy of a nexus by going straight to our website from your ain saved favorite, from a web search, aliases by typing nan domain sanction yourself."

For much guidance connected really to protect against online phishing scams, you tin mention to Microsoft's charismatic support page at support.microsoft.com.

MICROSOFT CROSSES PRIVACY LINE FEW EXPECTED
 

A convincing Windows update scam is spreading malware that tin drawback saved passwords, cookies, costs information and Discord tokens. (Todor Tsvetkov/Getty Images)

Ways to enactment safe from clone Windows update malware

You don't request to beryllium a information master to debar this. A fewer habits make a large difference.

1) Only update Windows from your settings

Go to Settings > Windows Update and cheque for updates there. Avoid downloading updates from websites. 

2) Double-check nan URL

Real Microsoft pages usage microsoft.com. Anything else, moreover if it looks close, should raise a reddish flag.

3) Be cautious pinch urgent update prompts

If a tract aliases connection pressures you to instal an update, extremity and verify it manually. 

4) Use beardown antivirus package pinch behaviour detection

Traditional antivirus software, which often comes built into your instrumentality aliases arsenic basal information software, chiefly looks for known threats utilizing signature matching, which intends it tin miss caller aliases well-hidden attacks for illustration this one. Strong antivirus package uses behaviour discovery to show what programs are doing successful existent time, helping emblem suspicious activity moreover if nan malware hasn't been seen before.  Get my picks for nan champion 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.

5) Use a information removal work to limit your exposure

If your individual accusation is already circulating online from past breaches, it tin make scams for illustration this much convincing. A information removal work helps trim really overmuch of your accusation is publically available, making it harder for attackers to target you pinch tailored phishing attempts. Check retired my apical picks for information removal services and get a free scan to find retired if your individual accusation is already retired connected nan web by visiting Cyberguy.com

6) Turn connected two-factor authentication

Two-factor authentication (2FA) adds a 2nd furniture of protection if your passwords are stolen.

7) Avoid downloading installer files from chartless sites

Legitimate updates seldom require manual downloads. 

Kurt's cardinal takeaways

Fake updates are 1 of nan astir effective tricks because they pat into thing we each trust. Keeping your strategy unafraid should not put you astatine risk, yet that's precisely what attackers are exploiting here. The safest move is to slow down, verify wherever updates travel from and instrumentality to built-in devices whenever possible.

Are tech companies doing capable to support clone updates from putting your information astatine risk? Let america cognize your thoughts successful nan comments below. Let america cognize by penning to america at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

• Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox.
• For simple, real-world ways to spot scams early and enactment protected, visit CyberGuy.com – trusted by millions who watch CyberGuy connected TV daily.
• Plus, you'll get instant entree to my Ultimate Scam Survival Guide free erstwhile you join.

Copyright 2026 CyberGuy.com. All authorities reserved.