A website designed to look like an official Microsoft support page is delivering malware instead of software patches, silently stealing passwords, browser data, and login cookies from Windows users who download its fake update installer. Cybersecurity firm Malwarebytes identified the campaign in April 2026 and warned that the spoofed page is convincing enough to fool even cautious users. A second firm, Sprocket Security, independently verified the threat, confirming that the same fake installer is distributing a credential-stealing payload.
How the attack works
The fraudulent site mimics the layout and branding of a legitimate Windows update page. When a visitor clicks the download button, they receive an installer that looks routine but actually deploys an infostealer, a category of malware built to harvest saved login credentials, autofill data, session cookies, and browser-stored passwords. Once running, the malware operates quietly in the background without triggering obvious system alerts.
That stolen data gives attackers direct access to email accounts, banking portals, cloud storage, and social media profiles, often without needing to bypass any additional security: a stolen session cookie in particular can be replayed to enter an account as the victim, skipping the login step and any two-factor prompt attached to it. According to Malwarebytes’ warning, the attackers have also disguised the malware as antivirus software, adding a second layer of deception that exploits users’ trust in security tools.
The malware transmits harvested credentials to remote servers controlled by the attackers. Because the infection produces no visible symptoms on the victim’s machine, compromised users may not realize anything is wrong until unauthorized logins appear on their accounts.
How victims are reaching the fake site
The exact distribution channels have not been fully mapped. Community reports on the AskWoody forum describe users encountering aggressive pop-up browser alerts that redirect them to the malicious page, a social engineering tactic designed to create urgency and bypass skepticism. Whether the campaign also relies on search engine ads, phishing emails, or compromised legitimate websites to funnel traffic remains unclear. Each method would imply a different level of sophistication and require different defensive responses from platform operators.
What is still unknown
Several important details remain unconfirmed. Microsoft has not issued a public statement about the spoofed domain, and it is not known whether the company’s security teams have flagged the site for removal through browser blocklists or domain registrars. No published infection count or geographic breakdown has accompanied the alerts from Malwarebytes or Sprocket Security, so the scale of the campaign is an open question.
The specific malware variant has not been publicly named in the reporting reviewed for this article. Infostealers are a broad family that includes well-known strains such as RedLine, Lumma, and Raccoon Stealer, each with different persistence mechanisms, command-and-control infrastructure, and removal procedures. Without a published technical teardown or malware sample hash, independent researchers cannot fully verify which strain is in play or assess its full capabilities. It is also unclear whether Microsoft Defender or other major endpoint protection tools currently detect this specific payload; none of the available reports address detection coverage by name.
No law enforcement agency has publicly acknowledged an investigation, and no victim impact reports with concrete financial losses have appeared in court filings or official advisories. Forbes flagged the threat in an April 2026 advisory column, and Digital Trends published a similar warning, but both relied on the same underlying Malwarebytes findings rather than introducing new primary data. The evidence base is credible but still thin on specifics.
What to do if you downloaded a suspicious update
If you recently installed a Windows update from any website other than the built-in Windows Update service or Microsoft’s official Update Catalog, treat your machine as potentially compromised. One quick check: a genuine Microsoft installer carries a valid digital signature issued to Microsoft Corporation, visible under the Digital Signatures tab of the file’s Properties dialog; an unsigned installer, or one signed by an unfamiliar publisher, is a red flag. Run a full scan with a reputable anti-malware tool. Using a second scanner, such as a dedicated malware removal utility alongside your primary security suite, increases the odds of detection, but a clean scan is not proof of a clean machine; if the infostealer is confirmed to have run, reinstalling Windows is the safest course.
Once the machine is clean, or from a different device you trust, change passwords immediately for email, banking, cloud storage, and any account that stores payment information; changing them from a still-infected machine simply hands the new passwords to the attacker. Enable two-factor authentication wherever it is available. Even if credentials have already been stolen, a second authentication step can block attackers from using them, with one caveat: stolen session cookies bypass that step, so sign out of all active sessions on each account to invalidate them. Review your browser’s saved passwords and consider clearing them, particularly if they were stored without a master password. Check account activity logs for unfamiliar logins, and if you spot suspicious access, revoke all active sessions and follow the provider’s account recovery process.
How to avoid fake update traps
Legitimate Windows updates are delivered through the Settings app under Windows Update. Microsoft does not ask users to visit third-party support pages, click pop-up banners, or manually download patches from unfamiliar sites. Any webpage that claims your system is critically out of date and pushes an immediate download, especially after a pop-up redirect, should be closed without interaction.
Before downloading anything, check the address bar carefully. Look for subtle misspellings, extra characters, or unusual domain endings that differ from Microsoft’s official domains (microsoft.com, windows.com). What matters is the domain that owns the host, so support.microsoft.com is genuine while microsoft.com.some-other-site.net is not: the real name can appear as a subdomain, in the path, or before an @ sign in a link that actually points somewhere else entirely. Modern browsers offer built-in protections such as safe browsing lists and download scanning that can block known malicious sites and files. Make sure those features are enabled.
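The address-bar rule above can be written down precisely. The following is an added example, not code from the article or from Malwarebytes: it decides whether a link points under one of the two official domains the article names (a real deployment would need Microsoft’s full list of domains), and contrasts that with the substring check most people do by eye. The sample links are constructed to imitate common look-alike tricks and are not URLs from the reported campaign.

```python
from urllib.parse import urlsplit

# Registrable domains the article names as Microsoft's official ones.
# Assumption: this two-entry list is illustrative; a production allowlist
# would carry every domain Microsoft actually serves downloads from.
OFFICIAL_DOMAINS = ("microsoft.com", "windows.com")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ("a.b.example.com" -> "example.com").

    Approximation: it ignores multi-label public suffixes such as co.uk,
    which is fine here because every allowlisted name is a plain .com.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_official_microsoft_url(url: str) -> bool:
    """True only if the link's *host* sits under an official domain over HTTPS.

    urlsplit().hostname discards userinfo ("microsoft.com@evil.example"),
    the port and the path, so tricks that place the real name anywhere
    other than the host are ignored by construction.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    try:
        # Normalise internationalised hosts: a Cyrillic "о" in "microsоft"
        # becomes an xn-- label and no longer matches the ASCII name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return registrable_domain(host) in OFFICIAL_DOMAINS


def naive_check(url: str) -> bool:
    """The eyeball test ("does it say microsoft.com somewhere?"), for contrast."""
    return "microsoft.com" in url.lower()


# Constructed sample links: the first is genuine, the rest model look-alike
# tricks. The value is the verdict a careful reader should reach.
SAMPLES = {
    "https://support.microsoft.com/en-us/windows": True,
    "https://www.windows.com/": True,
    "https://microsoft.com.update-check.example/download": False,  # real name as a subdomain label
    "https://microsoft.com@update-check.example/download": False,  # real name in userinfo
    "https://update-check.example/microsoft.com/update.exe": False,  # real name in the path
    "https://windows-update.example/patch.exe": False,  # hyphenated look-alike
    "https://micros0ft.com/update": False,  # digit for letter
    "https://microsоft.com/update": False,  # Cyrillic о homoglyph
    "http://microsoft.com/update": False,  # plain HTTP: downgraded or spoofed transport
}


def audit(samples: dict) -> dict:
    """Map each link to (our verdict, naive verdict, expected verdict)."""
    return {
        url: (is_official_microsoft_url(url), naive_check(url), expected)
        for url, expected in samples.items()
    }


if __name__ == "__main__":
    for url, (ours, naive, expected) in audit(SAMPLES).items():
        flag = "" if ours == expected else "  <-- mismatch"
        print(f"{'OK ' if ours else 'BAD'}  naive={naive!s:5}  {url}{flag}")
```

Every constructed look-alike passes the naive substring test while failing the host-based check, which is the point worth remembering when reading an address bar: the only part that counts is the domain that owns the host name, read from the right. The HTTPS requirement is a design choice of this example rather than something the article states; Microsoft’s download endpoints are served over HTTPS, so a plain-HTTP link is itself a warning sign.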
For organizations, short and focused user training on how fake update pages work, what real Windows Update prompts look like, and how to report suspicious activity can sharply reduce the success rate of campaigns like this one. Attackers constantly refine their lures, so the training needs to be repeated, not treated as a one-time exercise.
*This article was researched with the help of AI, with human editors creating the final content.