Malware in the form of Windows 11 upgrade tool


Hackers use malicious Windows 11 upgrade software to infect users

Browse digital currencies and wallets. Microsoft provides an upgrade tool that lets users check whether their system can install Windows 11, that is, whether Windows 11 is available to them or not. One of the system requirements is Trusted Platform Module (TPM) version 2.0. Hackers place fake site addresses in search results to target users who aim to install Windows 11 without researching and checking reputable sites.

Fake site made to look like a Microsoft site

Fake site with the address windows11-upgrade11[.]com

By visiting this site and clicking on Download Now, users will receive an ISO file containing malware.

The download process will not run if a VPN or TOR is used.

Infection process

According to CloudSEK, the threat actors behind the campaign are using new malware that researchers have named "Inno Stealer" because it uses the Inno Setup Windows installer. No code similarities were found with other data-stealing programs currently in use, and no evidence of the malware having been uploaded to the VirusTotal scanning platform was found.

In the first stage, the loader, written in Delphi, is the file called Windows 11 setup inside the ISO. When executed, it creates a temporary file called is-PN131.tmp and another .TMP file to which the loader writes 3,078 KB of data. The loader also uses CreateProcess to create new processes that help establish persistence, spawn further processes, and extract four more files.

Persistence is achieved by adding a .LNK shortcut file to the Startup folder and setting its access permissions with icacls.exe. Two of the four extracted files are Windows Command Scripts that disable Registry security, add exceptions to Defender, delete security products, and remove the shadow volume.

According to the researchers, the malware removes the security products of Emsisoft and ESET, probably because these products detect it as malicious.

The third file is a command execution tool that runs with the highest system privileges, and the fourth file is the VBA script needed to run dfl.cmd.

In the second stage of infection, a file with the extension .SCR is placed in the following path:


This file unpacks the main payload and executes it by creating a process called Windows11InstallationAssistant.scr.
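A detection sketch for the infection chain described above, added here as an example and not taken from CloudSEK or the original article. It groups process-creation events by process tree and alerts only when several of the described behaviours appear under one root. The event fields, sample events, directory names and command-line patterns are constructed assumptions.

```python
import re
from collections import defaultdict

# Generic command-line forms for the behaviours the article describes.
# Assumed patterns for illustration, not the malware's actual commands.
RULES = {
    "inno_temp_loader": re.compile(r"\\is-[0-9A-Z]{5}\.tmp\b", re.I),
    "startup_acl_change": re.compile(r"icacls(\.exe)?\b.*\\Start Menu\\Programs\\Startup", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "scr_execution": re.compile(r"\.scr\b", re.I),
}

def root_of(pid, parents):
    """Walk up to the top-most ancestor that appears in the logged events."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid

def correlate(events, threshold=3):
    """Return {root_pid: [rule names]} for process trees showing >= threshold behaviours."""
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(set)
    for e in events:
        text = f'{e["image"]} {e["cmd"]}'
        for name, rx in RULES.items():
            if rx.search(text):
                hits[root_of(e["pid"], parents)].add(name)
    return {r: sorted(n) for r, n in hits.items() if len(n) >= threshold}

# Constructed process-creation events; all paths and arguments are made up.
# The .scr directory is a placeholder because the article does not give the path.
TEMP = r"C:\Users\u\AppData\Local\Temp"
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = [
    {"pid": 4100, "ppid": 900, "image": r"E:\setup.exe", "cmd": r"E:\setup.exe"},
    {"pid": 4200, "ppid": 4100, "image": TEMP + r"\is-PN131.tmp", "cmd": ""},
    {"pid": 4300, "ppid": 4200, "image": "cmd.exe", "cmd": f'icacls.exe "{STARTUP}\\x.lnk" /grant u:F'},
    {"pid": 4400, "ppid": 4200, "image": "powershell.exe", "cmd": r"Add-MpPreference -ExclusionPath C:\Users\u"},
    {"pid": 4500, "ppid": 4200, "image": "vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 4600, "ppid": 4200, "image": r"C:\placeholder\Windows11InstallationAssistant.scr", "cmd": ""},
    {"pid": 5100, "ppid": 900, "image": r"D:\editor-installer.exe", "cmd": ""},  # benign installer
    {"pid": 5200, "ppid": 5100, "image": TEMP + r"\is-A1B2C.tmp", "cmd": ""},   # benign Inno Setup temp
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Legitimate Inno Setup installers also create is-*.tmp files, which is why a single matching event is not alerted on and the benign tree in the sample stays silent.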

Malware capabilities

The malware's capabilities are typical of its category: theft of browser data, cookies, wallet information, digital passwords, clipboard contents, and so on.

The following are the browsers and wallets targeted in this campaign:

The target wallets of this campaign

One of the interesting features of Inno Stealer is that its network management and data theft functions are multi-threaded. All data stolen through PowerShell is copied into the user's temporary directory, encrypted, and then sent to the C&C server ("").

The process of communicating with the C2 server

These Delphi-based payloads, which are sent as TXT files, use the same Inno loader mechanism.

Security solution

The Windows 11 upgrade process has paved the way for the spread of malware campaigns, and this is not the first time this has been reported.

It is recommended to avoid downloading ISO files from obscure sources and to perform major operating system upgrades only from within your Windows 10 control panel, or to download the installation files directly from the source.

If an upgrade to Windows 11 is not available to you, trying to circumvent the restrictions manually is useless, as this will come with a host of downsides and serious security risks.
