The unofficial Windows 11 upgrade installs information-stealing malware

Recently, researchers have also discovered that hackers have used fake Windows 11 system upgrades to spread malware attacks with the goal of stealing users’ browser data and even cryptocurrency wallets.


Microsoft officials will provide users with an upgrade tool when providing Windows 11 upgrades to check whether their devices are eligible for upgrade. But hackers took advantage of some users’ laziness to confirm their device’s hardware information by concocting a seemingly official upgrade page and placing a “Download Now” button to induce users to take the bait without thinking.

Malicious website used in the campaign (windows11-upgrade11[.]com)

According to the analysis of CloudSEK’s threat researchers, this is a new type of malware known as “Inno Stealer” due to the use of the Inno Setup Windows installer. The researchers said Inno Stealer bore no resemblance to other information-stealing program code today, nor was the malware found uploaded to the Virus Total platform.

When the victim downloads, he gets an ISO file containing malware, Inno Stealer loads it through the “Windows 11 setup” executable included in the ISO, generates a new process using the CreateProcess Windows API, and implants 4 malicious scripts to remove registry security, bypass Defender protection, and uninstall related security software.

The functions of Inno Stealer, include the collection of web browser cookies and stored credentials, data in cryptocurrency wallets, and data in file systems. The researchers listed 35 web browsers and 39 cryptocurrency wallets that could be targeted.

35 browsers targeted by Inno Stealer

39 cryptocurrency wallets targeted by Inno Stealer

In addition, the researchers discovered an interesting feature of Inno Stealer: network management and data theft features are multi-threaded, with all the stolen data copied to the user’s temporary directory via PowerShell commands and encrypted, and then sent to a C2 server controlled by the hackers.

Malware that steals information by bog using Windows 11 upgrades has appeared many times recently, typically in February this year, when RedLine malware spread payloads through fake Windows 11 upgrade web pages to steal users’ sensitive data.