If a website tells you to manually install a “Windows update” from a big blue download button, close that tab immediately. Malwarebytes has just spotted a fake Microsoft support website (microsoft-update.support) that pretends to offer a cumulative update for Windows 24H2 but actually delivers password-stealing malware.
The entire page is dressed up to look official, and even uses proper KB-style reference and downloads an 83MB MSI file called Windowsupdate1.0.0.msi that looks quite legit even in the file properties.
What the malware actually does
The site is currently written in French, which suggests that the scam is currently targeting French-speaking users first. But Malwarebytes warns that these operations can spread quickly. The installer itself was built with the legitimate WiX Toolset, and its metadata is spoofed to make it look Microsoft-made. This helps it blend in both for users and for some basic security checks.
The MSI drops an Electron-based app into the user’s AppData folder, then launches additional components, including a disguised Python runtime. From there, the malware then pulls in tools and packages associated with data theft, like components used for encryption, process inspection, and deeper Windows access. The firm says the malicious code also targets Discord by modifying its files to intercept login tokens, payment details, and two-factor authentication changes.
Malwarebytes says it also fingerprints victims by checking IP and geolocation, contacts command-and-control infrastructure hosted through Render and Cloudflare Workers, and uploads stolen data through Gofile.
Why you should heed this warning
An unsettling detail uncovered in the report is that, at the time Malwarebytes analyzed it, the main executable and launcher showed zero detections across dozens of antivirus engines on VirusTotal. The company says that it is because the malware hides its logic inside obfuscated JavaScript, legitimate Electron components, and runtime-delivered Python tooling instead of one obviously malicious binary. So basically, do not fall for this fake Windows support site. It is not helping you patch your PC. It is trying to rob it.