# Cloudilax

Fake Windows 11 Upgrade Installer Infects Devices With Info-Stealing Malware

Cybercriminals lure unsuspecting users with a fake Windows 11 upgrade that comes with malware that steals browser data and cryptocurrency wallets.

The campaign is currently active and relies on poisoning search results to push a website mimicking the promotional page for Microsoft’s Windows 11 to offer the information stealer.

Microsoft offers an upgrade tool for users to check if their devices support its latest operating system. One requirement is support for Trusted Platform Module (TPM) version 2.0, which is present on devices not older than four years.

The hackers prey on users that jump at installing Windows 11 without taking the time to learn that the operating system needs to meet certain specifications.

The website offering the fake Windows 11 features the official Microsoft logos, favicons, and an inviting “Download Now” button.

Suppose an unsuspecting visitor loads the malicious website via a direct connection. In that case, download is unavailable over TOR or VPN; they will get an ISO file that shelters the executable for a novel info-stealing malware.

According to CloudSEK, the hackers behind this campaign use a new malware that researchers named “Inno Stealer” because it uses the Inno Setup Windows installer.

According to the researchers, the Inno Stealer doesn’t have code similarities to other info-stealers currently in circulation. So far, there’s no evidence of the malware being uploaded to the Virus Total scanning platform.

The researchers also stated that the malware removes security solutions from ESET and Emsisoft, likely because these products detect it as malicious.

Targeted browsers and crypto wallets are extensive, including Chrome, Brave, Edge, Opera, Vivaldi, 360 Browser, and Comodo.

The network management and the data-stealing functions of Inno Stealer are multi-threaded. Therefore, all stolen data is copied via a PowerShell command to the user’s temporary directory, encrypted, and then later sent to the operator’s command and control server.

The stealer can also fetch additional payloads, an action that is only performed at night time, possibly to take advantage of a period when the victim is not at the computer.


The whole Windows 11 upgrade situation has created a fertile ground for the proliferation of these campaigns. Therefore, it is recommended that users avoid downloading ISO files from unknown sources and only perform major operating systems upgrades from within your Windows 10 control panel or, better still, get the installation files straight from the source.

Found this article interesting? click here to read more exclusive content we post.

Related blogs