Security researchers at Malwarebytes have found a fake Windows 11 24H2 update campaign that steals sensitive data from Windows PC users.

The attackers host a very convincing Microsoft‑style support page on a domain called “microsoft-update[.]support” and encourage visitors to download what they claim is a cumulative update for Windows 11 24H2. In reality, the download is an MSI installer named “WindowsUpdate 1.0.0.msi” that uses legitimate packaging tools and spoofed Microsoft metadata to look authentic.

When people run the installer, it sets up an Electron‑based app in the AppData folder and launches it via a script that uses Windows’ own cscript.exe tool. This chain then starts a renamed Python interpreter, loads a Python environment, and pulls in the additional modules that the malware uses to steal data.

Researchers say the malware grabs browser‑stored passwords, cookies, account sessions, and even Discord data, then sends this information to attacker‑controlled servers and file‑sharing services.

The fake updater runs on every reboot. It creates a Run key called “SecurityHealth” in the user’s registry that points to the installed WindowsUpdate.exe. It also adds a shortcut named “Spotify.lnk” in Startup that quietly opens the malware. It’s been reported that early samples showed zero detections in common scanning services.

Experts say users should only get Windows 11 24H2 updates from the Windows Update settings menu or official Microsoft domains. Anyone who installed this fake update should remove the listed files and registry entries, run a full malware scan, and change passwords for accounts that browsers stored on the affected PC.
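For anyone who needs to check a PC for the persistence described above, the following PowerShell script looks for the three artifacts the article names (the HKCU Run value “SecurityHealth”, the Startup shortcut “Spotify.lnk”, and a dropped WindowsUpdate.exe under AppData) and reports what it finds. This is an added example for defenders, not code from Malwarebytes or from the write-up; the exact AppData subfolder is not given in the article, so the script searches a few levels deep under both AppData roots, and the match on “WindowsUpdate.exe” in the shortcut target is an assumption based on the Run key the article describes.

```powershell
# Added example (not from the Malwarebytes write-up): inventory of the
# persistence artifacts the article names. Run it as the user whose
# profile you are inspecting; it only reads, it does not remove anything.

$findings = @()

# 1. HKCU Run value "SecurityHealth" (article: points to the installed WindowsUpdate.exe)
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'SecurityHealth' -ErrorAction SilentlyContinue
if ($runValue) {
    $cmd = $runValue.SecurityHealth
    $findings += [pscustomobject]@{
        Artifact   = 'Run value SecurityHealth'
        Location   = $runKey
        Value      = $cmd
        Suspicious = ($cmd -match 'WindowsUpdate\.exe')
    }
}

# 2. Startup shortcut "Spotify.lnk" (article: quietly opens the malware)
$startup = [Environment]::GetFolderPath('Startup')
$lnk     = Join-Path $startup 'Spotify.lnk'
if (Test-Path $lnk) {
    $shell  = New-Object -ComObject WScript.Shell
    $target = $shell.CreateShortcut($lnk).TargetPath
    $findings += [pscustomobject]@{
        Artifact   = 'Startup shortcut Spotify.lnk'
        Location   = $lnk
        Value      = $target
        # Assumption: a shortcut whose target is the dropped WindowsUpdate.exe is the malicious one.
        Suspicious = ($target -match 'WindowsUpdate\.exe')
    }
}

# 3. The dropped executable under AppData (exact subfolder not given in the article,
#    so search a few levels under both AppData roots)
foreach ($root in @($env:LOCALAPPDATA, $env:APPDATA)) {
    Get-ChildItem -Path $root -Filter 'WindowsUpdate.exe' -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Artifact   = 'File WindowsUpdate.exe'
                Location   = $_.FullName
                Value      = "$($_.Length) bytes"
                Suspicious = $true
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the persistence artifacts described in the article were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on any row is grounds for the clean-up the article recommends: remove the listed files and registry entries, run a full malware scan, and rotate every password the browsers on that PC had stored. Re-running the script after clean-up confirms the Run value and shortcut are gone.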
