
Don’t Hit That Update Button Just Yet, It Could Lead to Malware Infection

Executive Report

It is quite natural to get prompts from software manufacturers saying you need to update your installed apps every so often for better security or to fix bugs. But you should know, too, that threat actors often use program update notifications as malware distribution vehicles. Case in point: the fake Windows 11 update currently making the rounds, which is actually a data stealer.

The malware in this case steals confidential information from affected users’ web browsers (including stored passwords), other files, and cryptocurrency wallets. We took a closer look at the threat and found:

  • Close to 200 possibly connected domains
  • Around 300 possibly connected subdomains
  • 85% of the possibly connected domains and subdomains were not owned by Microsoft even though they contained the Windows brand name
  • Windows 7 users were most at risk as 13% of the suspicious domains contained the string “windows7”
  • Almost 200 possibly connected IP addresses, about a tenth of which were dubbed “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Look at Possible Connections

Only a couple of web properties have been identified as indicators of compromise (IoCs) for this ongoing campaign, specifically the domain name windows11-upgrade11[.]com and IP address 185[.]215[.]113[.]73.

We believe in expanding IoC lists to enable organizations to secure their networks as best they can against all kinds of threats.

Using the string combination “windows11 + upgrade,” following the domain IoC’s format, a Domains & Subdomains Discovery analysis revealed four possibly connected domains and two subdomains. Widening the scope of our investigation, however, to include all Windows OS versions, we also gathered web properties with the string combination “windows + upgrade.” That search gave us an additional 162 domains and 298 subdomains, bringing the total to 166 possibly connected domains and 300 subdomains. You can see the list in the appendix.

As expected, a large majority of the web properties containing the Windows brand name, 110 or 85% to be exact, were not Microsoft-owned, based on the details in their WHOIS records.

We also looked at which Windows operating systems (OSs) were most at risk and found that Windows 10 users may be the most exposed, given that the OS accounted for the highest number of domains, followed by Windows 7 and Windows 8.

Some of the domains targeted not just users of Microsoft’s OSs but also users of commonly used applications, such as Windows Media Player. A majority of them, however, 56% to be exact, were less discriminatory in that they only contained the string “windows,” a means to widen the potential victim base.

To further expand our list of artifacts, we subjected the 466 web properties to DNS lookups, which provided 186 IP addresses to which the domains and subdomains resolved. You can see these IP addresses in the appendix as well.

While none of the domains and subdomains are considered harmful for now, threat actors could easily weaponize them to target Windows OS users with the same ruse they’re using for Windows 11.
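The string-combination pivot and the per-OS breakdown described above can be reproduced offline against any list of candidate hostnames. The following is an added example, not code from the report or from the Threat Intelligence Platform; apart from the domain IoC named in the report, the hostnames are constructed samples, and the version labels and regular expressions are assumptions about how such names are typically formed.

```python
import re
from collections import Counter

# Constructed sample of candidate web properties in defanged form.
# Only the first entry is the domain IoC named in the report; the rest are made up.
SAMPLE_PROPERTIES = [
    "windows11-upgrade11[.]com",
    "windows10-upgrade[.]example",
    "windows7upgrade[.]example",
    "get-windows7-upgrade[.]example",
    "windows8-upgrade-now[.]example",
    "windowsmediaplayer-upgrade[.]example",
    "free-windows-upgrade[.]example",
    "windows-upgrade-center[.]example",
    "microsoft[.]com",              # lacks "upgrade": must not match the pivot
    "mywindowsupgrade[.]example",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").lower()

def defang(hostname: str) -> str:
    """Defang a hostname again so it can be shared safely in a report."""
    return hostname.replace(".", "[.]")

def matches_pivot(hostname: str, brand: str = "windows", lure: str = "upgrade") -> bool:
    """The report's 'windows + upgrade' pivot: both strings must appear in the name."""
    return brand in hostname and lure in hostname

# Assumed patterns; ordered so a specific product/version label wins over the bare brand.
VERSION_PATTERNS = [
    ("windows media player", re.compile(r"windows ?media ?player")),
    ("windows 11", re.compile(r"windows[-_]?11")),
    ("windows 10", re.compile(r"windows[-_]?10")),
    ("windows 8", re.compile(r"windows[-_]?8")),
    ("windows 7", re.compile(r"windows[-_]?7")),
]

def classify_target(hostname: str) -> str:
    """Bucket a hostname by the Windows version/product it impersonates."""
    for label, pattern in VERSION_PATTERNS:
        if pattern.search(hostname):
            return label
    return "windows (generic)"   # only the bare brand: widest possible victim base

def build_watchlist(properties):
    """Apply the pivot; return (matching hostnames, per-target counts, generic-only share)."""
    hits = [refang(p) for p in properties if matches_pivot(refang(p))]
    counts = Counter(classify_target(h) for h in hits)
    generic_share = counts["windows (generic)"] / len(hits) if hits else 0.0
    return hits, counts, generic_share
```

Feeding the real discovery output into `build_watchlist` yields a defanged blocklist plus the same kind of per-version tally the report gives.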

Interestingly, however, 17 of the IP address resolutions were dubbed “malicious” by various malware engines according to malware checks via the Threat Intelligence Platform (TIP).

Steering clear of these malicious web properties and watching out for similar-looking ones (i.e., the possibly connected domains and subdomains) will afford your organization better security against fake OS updates.

If you wish to perform a similar investigation, please don’t hesitate to contact us at www.threatintelligenceplatform.com; we’re always on the lookout for potential research collaborations.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy-to-use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled over 10+ years), and performing real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
