Skip to main content

Watch out for fake Windows 11 downloads that spread malware

Windows 11 Se Winver 2022 Surface Laptop Se
Windows 11 Se Winver 2022 Surface Laptop Se (Image credit: Windows Central)

Windows 11 Update Windowsupdate Estimate New Light

Source: Daniel Rubino / Windows Central (Image credit: Source: Daniel Rubino / Windows Central)

What you need to know

  • A fake Windows 11 update page was used by attackers to infiltrate PCs.
  • The attack used a fake Windows 11 website that directed people to download malware.
  • A similar campaign ran in December 2021, though that attack used a fake Discord website.

Threat actors took advantage of people looking to upgrade to Windows 11 earlier this year. Microsoft's new operating system entered its last phase of availability on January 26, 2022. Attackers quickly jumped to action, initiating a malware campaign the next day that utilized a fake website impersonating a page to download Windows 11.

HP outlines its discovery of the attack on its Threat Research Blog (opens in new tab). HP's team noticed that a malicious actor registered the "windows-upgraded[.]com" domain on January 27, 2022. The page had been designed to appear like an official Microsoft website to download Windows 11. Instead, it directed people to a link that downloaded RedLine Stealer, which is a type of malware that steals information.

The Threat Research Blog post breaks down the malware campaign in more technical detail. The key takeaway is that malicious actors hopped on a trending news story to try to take advantage of everyday PC users. Since Microsoft had just entered the final phase of rolling out Windows 11, many people were looking for a way to update.

Source: HP (Image credit: Source: HP)

The fake website was rather convincing. It uses Microsoft's iconography and general site layout.

If you need help getting Microsoft's newest OS, you can follow our guide on how to upgrade to Windows 11.

A similar campaign was discovered in December 2021. That attack used fake versions of Discord's website and sites from other popular messaging services. That campaign also distributed RedLine Stealer.

Sean Endicott
News Writer and apps editor

Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at

1 Comment
  • You should never get windows updates from anything but the built in updater.