Fake Windows 11 installers infect with RedLine malware
Threat actors have started using fake Windows 11 installers to lure Windows 10 users who want to upgrade to the new version of the operating system. Instead of an upgrade, victims receive the RedLine malware on their computers, which steals their data: passwords, cookies, and bank card details.
As researchers from HP found out, the attackers used the seemingly legitimate "windows-upgraded.com" domain in the campaign. The site imitates the official Microsoft website and offers a "Download Now" button. If the user clicks this button, a 1.5 MB ZIP archive named "Windows11InstallationAssistant.zip" is downloaded to the computer. When unpacked, the archive expands to a 753 MB directory. As soon as the user launches the executable file from this folder, a PowerShell process is started automatically. In the final phase of the infection, a DLL file is loaded, which is RedLine itself. Experts advise being extremely careful when downloading Windows 11 images or the corresponding upgrade assistant.
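The infection chain above starts with a 1.5 MB archive that unpacks to 753 MB. As an added example (not code from the original article or from HP's research), the following Python triage check flags archives whose expanded size is many times their download size and which contain an executable; the sample archive is constructed inline, and the ratio and size thresholds are assumptions chosen for illustration.

```python
import io
import zipfile


def build_sample_zip(member_name: str, expanded_size: int) -> bytes:
    """Constructed sample: one member that is mostly zero padding, so it
    compresses to a tiny archive, mimicking the 1.5 MB -> 753 MB pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * (expanded_size - 2))
    return buf.getvalue()


def analyze_zip(zip_bytes: bytes,
                ratio_threshold: float = 50.0,
                min_expanded: int = 100 * 1024 * 1024) -> dict:
    """Summarise compressed vs. expanded size and flag suspicious archives.

    An archive is flagged when all three hold (assumed thresholds):
      - it expands to at least `min_expanded` bytes,
      - the expansion ratio is at least `ratio_threshold`,
      - it contains at least one Windows executable member.
    """
    compressed = len(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    expanded = sum(info.file_size for info in infos)
    executables = [
        info.filename for info in infos
        if info.filename.lower().endswith((".exe", ".dll", ".scr", ".com"))
    ]
    ratio = expanded / compressed if compressed else float("inf")
    suspicious = (expanded >= min_expanded
                  and ratio >= ratio_threshold
                  and bool(executables))
    return {
        "compressed_bytes": compressed,
        "expanded_bytes": expanded,
        "ratio": ratio,
        "executables": executables,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # 16 MiB of padding stands in for the 753 MB directory to keep the demo small.
    sample = build_sample_zip("Windows11InstallationAssistant.exe", 16 * 1024 * 1024)
    report = analyze_zip(sample, min_expanded=1024 * 1024)
    print(f"{report['compressed_bytes']} B -> {report['expanded_bytes']} B "
          f"(x{report['ratio']:.0f}), suspicious={report['suspicious']}")
```

A real archive of this shape would also be worth checking for a single oversized executable, since the padding itself carries no useful content.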
Source: anti-malware.ru
11 February 2022