A fraudulent website designed to look like an official Microsoft download page is tricking users into installing malware disguised as a Windows 11 version 24H2 cumulative update. Once executed, the malicious installer quietly harvests stored passwords, browser session tokens, and saved payment card data, then sends everything to attacker-controlled servers. The campaign was flagged in late April 2026, with multiple technology outlets warning that the payload slips past several mainstream antivirus products long enough to complete its theft before any alert fires.
How the attack works
The campaign starts with a fake support page that closely mimics Microsoft’s layout, typography, and branding. Users searching for the 24H2 feature update through a search engine may encounter the page through manipulated search results or paid advertisements. The page presents what looks like a routine cumulative update download button, but the file it delivers is an infostealer, a class of malware built specifically to extract credentials and financial data from compromised machines. None of the available reporting names the specific malware family involved (such as Lumma Stealer or Raccoon Stealer), and no individual security researcher or research team has been publicly credited with the discovery.
Once the installer runs, it scans the system for stored login credentials across major browsers, including Chrome, Edge, and Firefox. It also targets browser session cookies, which allow an attacker to hijack active logins on banking portals, email services, and cloud platforms without needing the victim’s password at all. Payment card details saved in browser autofill databases are collected as well. The stolen data is packaged and exfiltrated to remote servers, often within minutes of execution.
What makes this campaign particularly dangerous is its reported ability to evade antivirus detection during the critical window when data theft occurs. Traditional endpoint protection depends heavily on signature matching and behavioral heuristics, and this payload appears to sidestep both, at least temporarily. Whether the evasion relies on code obfuscation, fileless execution, abuse of legitimate Windows system tools, or digitally signed binaries has not been publicly confirmed. The antivirus evasion claim is repeated across multiple news outlets but has not been attributed to a named researcher, security lab, or controlled test.
Victims typically see no obvious signs of compromise. The first indication is often a wave of unauthorized logins, password reset emails, or unfamiliar charges on payment accounts, sometimes days after the initial infection.
Why the disguise is effective
The fake site passes a casual visual inspection. It replicates the color scheme, navigation elements, and download button styling found on genuine Microsoft support pages. A user who reaches the page through a search query like “Windows 11 24H2 update download” may not think twice before clicking, especially if the URL contains plausible-looking keywords.
As PC Gamer reported, the imposter page presents the download as a standard cumulative update, the kind of routine patch that Windows users are conditioned to install promptly. That social engineering layer is critical: it exploits the trust users place in Microsoft branding and the habit of keeping systems up to date.
The attackers are also exploiting a real knowledge gap. Microsoft’s 24H2 feature update has generated significant search traffic since its rollout, with users looking for installation guides, troubleshooting tips, and manual download options. That volume of interest creates fertile ground for counterfeit download pages to surface alongside legitimate results.
What is still unknown
As of early May 2026, Microsoft has not issued a public security advisory addressing this specific campaign. It is unclear whether any of the reporting outlets attempted to contact Microsoft for comment before publishing. There is no confirmed malware family classification, no published indicators of compromise (such as file hashes, domain names, or command-and-control addresses) for defenders to reference, and no official mitigation guidance from the company whose brand is being impersonated. Microsoft may be investigating quietly or working with domain registrars and search platforms to take the site down, but nothing has been announced.
Independent antivirus lab results are also missing from the public record. The claim that the payload evades detection is consistent across multiple reports, but no vendor has published test data showing which products catch it and which do not. Without that data, users cannot know whether their specific security software would block the installer.
The description of browser session token theft found in the available reporting comes from the same small set of technology news outlets. No primary forensic analysis or vendor white paper has been published to confirm the technical details of how tokens are extracted and exfiltrated.
Infection scale remains unclear. No cybersecurity firm or government agency has released victim counts, geographic distribution, or confirmed financial losses tied to this campaign. The warnings published so far are preventive, describing how the attack works rather than documenting how many people have already been affected.
How to protect yourself
The single most important rule: never download Windows updates from a website. Legitimate cumulative updates for Windows 11 are delivered through the Settings app (Settings then Windows Update), the Windows Update service, or the official Microsoft Update Catalog. If a search result or advertisement offers a direct download of a Windows update file, treat it as suspicious regardless of how professional the page looks.
Anyone who recently downloaded a supposed 24H2 update from an unfamiliar website should take these steps immediately:
- Disconnect the machine from the internet to stop any ongoing data exfiltration.
- Run a full system scan with reputable security software, then follow up with an on-demand scanner from a different vendor for a second opinion. Tools like Malwarebytes or HitmanPro can catch threats that a primary antivirus misses.
- Change passwords for all critical accounts, starting with email, banking, and any service where payment data is stored. Use a password manager to generate unique replacements.
- Enable multi-factor authentication on every account that supports it. Even if an attacker has a stolen password, MFA adds a barrier they cannot easily bypass.
- Review recent account activity on banking, email, and cloud services for unfamiliar logins, device registrations, or transactions.
- Consider a clean reinstall or restoration from a known-good backup if any malware is detected. Infostealers can leave behind persistence mechanisms that survive partial cleanup.
What IT administrators should do now
Organizations face amplified risk because a single compromised employee workstation can expose corporate credentials, VPN tokens, and cloud service logins. Administrators should tighten software installation policies so that standard users cannot run unsigned executables. Restricting local administrator rights remains one of the most effective defenses against malware that requires elevated privileges to install.
Network monitoring tools that flag unusual outbound connections or sudden bursts of data transfer can help detect credential-stealing malware even when endpoint protection misses the initial infection. Blocking known malicious domains at the DNS or proxy level adds another layer of defense, though it requires up-to-date threat intelligence feeds.
User education matters here as much as technical controls. Employees should understand that operating system updates come through managed deployment tools or Windows Update, never from a browser download prompted by a search result. A short internal advisory referencing this specific campaign can reinforce that message while the threat is fresh.
Why unofficial Windows update downloads remain a persistent threat vector
This campaign follows a well-worn playbook: attackers wrap malware in the branding of a trusted vendor and ride the wave of legitimate user interest. The 24H2 update is just the latest lure. Until Microsoft or a major security vendor publishes detailed analysis and takedown confirmation, skepticism toward any Windows update that does not come through official channels is the strongest defense available.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
