[{"data":1,"prerenderedAt":140},["ShallowReactive",2],{"article-slug-fake-microsoft-support-site-targets-french-users-with-infostealer":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":15,"entities":16,"cves":30,"sources":31,"events":42,"mitre_techniques":46,"mitre_mitigations":63,"d3fend_countermeasures":99,"iocs":106,"cyber_observables":115,"tags":127,"extract_datetime":130,"article_type":131,"impact_scope":132,"pub_date":35,"reading_time_minutes":139,"createdAt":130,"updatedAt":130},"7c6ea256-ebff-431d-91cc-872bcf553eff","fake-microsoft-support-site-targets-french-users-with-infostealer","Fake Windows Update Site Tricks French-Speaking Users into Installing Infostealer","Convincing Fake Microsoft Support Site Distributes Infostealer to French Users via Malvertising","A malvertising campaign is directing French-speaking users to a highly convincing but fake Microsoft support website hosted on a typosquatted domain. The site, designed to mimic an official Windows update page, tricks users into downloading what they believe is a cumulative update for Windows. The downloaded file is actually a Windows Installer package that deploys a potent information-stealing malware. Researchers at Malwarebytes, who discovered the campaign, suggest it may be leveraging recent large-scale data breaches in France to enhance the believability of related scams.","## Executive Summary\n\nResearchers at **[Malwarebytes](https://www.malwarebytes.com)** have uncovered a malvertising campaign specifically targeting French-speaking Windows users with a sophisticated infostealer. The campaign uses a typosquatted domain, `microsoft-update[.]support`, to host a meticulously crafted fake **[Microsoft](https://www.microsoft.com)** support page. The page lures visitors into downloading a supposed cumulative update for Windows version 24H2. The download is an 83 MB Windows Installer package (`.msi`) that has been spoofed to appear legitimate but instead installs malware designed to harvest passwords, payment card details, and other sensitive credentials from the victim's machine.\n\n---\n\n## Threat Overview\n\nThis campaign combines several effective techniques to achieve its goal of malware distribution.\n1.  **Malvertising:** The attackers place malicious ads on legitimate websites to drive traffic to their fake support page.\n2.  **Typosquatting & Impersonation:** The domain `microsoft-update[.]support` is chosen to sound official, and the website itself is a pixel-perfect copy of a real Microsoft page, complete with a plausible KB article number. This builds a false sense of trust.\n3.  **Social Engineering:** The site uses a clear call to action—a large blue 'Download' button—to trick users into initiating the download, preying on their desire to keep their systems secure and updated.\n4.  **Trojanized Installer:** The downloaded file, `WindowsUpdate 1.0.0.msi`, is a trojan. It uses the legitimate WiX Toolset installer framework to package the malware, a technique that can help bypass simple signature-based antivirus. The file's properties are also spoofed to list 'Microsoft' as the author.\n5.  **Payload:** The final payload is an infostealer that steals a wide array of credentials.\n\nResearchers speculate that the specific targeting of French users may be an attempt to capitalize on recent major data breaches in France, as victims of those breaches might be more susceptible to related scams.\n\n## Technical Analysis\n\n- **Initial Access:** The campaign uses malvertising to direct users to the malicious site, a form of [`T1566.002 - Phishing: Spearphishing Link`](https://attack.mitre.org/techniques/T1566/002/).\n- **Execution:** The user is tricked into downloading and executing the malicious `.msi` file, which falls under [`T1204.002 - User Execution: Malicious File`](https://attack.mitre.org/techniques/T1204/002/).\n- **Defense Evasion:** Using the legitimate WiX Toolset and spoofing file properties are tactics to evade detection and appear legitimate, aligning with [`T1027 - Obfuscated Files or Information`](https://attack.mitre.org/techniques/T1027/).\n- **Credential Access:** The core function of the payload is to steal credentials from various sources on the machine, such as browsers and email clients, which corresponds to [`T1555 - Credentials from Password Stores`](https://attack.mitre.org/techniques/T1555/).\n\n## Impact Assessment\n\nA successful infection results in the comprehensive theft of a user's personal and financial information.\n- **Financial Theft:** Stolen payment card details can be used for fraudulent purchases.\n- **Account Takeover:** Stolen passwords for email, social media, and banking sites can lead to account takeovers, further fraud, and identity theft.\n- **Corporate Compromise:** If the infected machine is used for work, the stolen credentials could include VPN, RDP, or corporate web portal logins, providing the attacker with an initial foothold into a corporate network.\n\n## IOCs\n\n| Type | Value | Description |\n|---|---|---|\n| domain | `microsoft-update[.]support` | The malicious typosquatted domain. |\n| file_name | `WindowsUpdate 1.0.0.msi` | The malicious installer file. |\n| file_hash_sha256 | (Not provided) | Hash of the malicious MSI file. |\n\n## Detection & Response\n\n1.  **Network Filtering:** Block access to the known malicious domain `microsoft-update[.]support` at the network perimeter (firewall, web proxy).\n2.  **Endpoint Detection:** EDR/EPP solutions should be able to detect and block the execution of the malicious `.msi` file based on its hash or behavioral analysis. Monitor for processes created by `msiexec.exe` that exhibit suspicious behavior, such as making network connections or dropping files in temp directories.\n3.  **User Reporting:** Encourage users to report suspicious websites or unexpected software update prompts.\n\n**D3FEND Reference:** Detection would involve [`D3-UA - URL Analysis`](https://d3fend.mitre.org/technique/d3f:URLAnalysis) at the web proxy to block the malicious domain, and [`D3-FH - File Hashing`](https://d3fend.mitre.org/technique/d3f:FileHashing) on the endpoint to block the known malicious installer.\n\n## Mitigation\n\n- **User Education:** Train users to never download software updates from third-party websites. Windows updates should only ever be installed via the official Windows Update feature in the OS settings or through managed enterprise tools like WSUS or SCCM.\n- **Browser Protection:** Use web browsers with robust protection against malicious websites and downloads.\n- **Application Control:** In a corporate environment, use application control to prevent users from installing unauthorized software. Standard users should not have the administrative rights required to install most `.msi` packages system-wide.\n\n**D3FEND Reference:** The most effective mitigation is preventing the malicious file from running, which can be achieved through [`D3-EAL - Executable Allowlisting`](https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting) or user training.","🇫🇷 French-speaking users targeted by a convincing fake Microsoft support site distributing infostealer malware disguised as a Windows update. The campaign uses malvertising and a typosquatted domain. #Malware #Phishing #InfoStealer #Microsoft","A fake Microsoft support website targeting French speakers is using malvertising to trick users into downloading a trojanized Windows update that installs password-stealing malware.",[13,14],"Malware","Phishing","high",[17,21,24,27],{"name":18,"type":19,"url":20},"Microsoft","vendor","https://www.microsoft.com/",{"name":22,"type":19,"url":23},"Malwarebytes","https://www.malwarebytes.com/",{"name":25,"type":26},"WiX Toolset","product",{"name":28,"type":29},"Infostealer","malware",[],[32,37],{"url":33,"title":34,"date":35,"friendly_name":22,"website":36},"https://www.malwarebytes.com/blog/threat-intelligence/2026/04/this-fake-windows-support-website-delivers-password-stealing-malware","This fake Windows support website delivers password-stealing malware","2026-04-09","malwarebytes.com",{"url":38,"title":39,"date":35,"friendly_name":40,"website":41},"https://www.pcrisk.fr/actualites-et-articles-sur-la-securite-informatique/15324-fausse-mise-a-jour-de-windows-diffuse-un-voleur-d-informations","A fake Windows update is spreading an information stealer","PCRisk","pcrisk.fr",[43],{"datetime":44,"summary":45},"2026-04-04T00:00:00Z","The malicious Windows Installer package was created, according to its file properties.",[47,51,55,59],{"id":48,"name":49,"tactic":50},"T1204.002","User Execution: Malicious File","Execution",{"id":52,"name":53,"tactic":54},"T1555","Credentials from Password Stores","Credential Access",{"id":56,"name":57,"tactic":58},"T1027","Obfuscated Files or Information","Defense Evasion",{"id":60,"name":61,"tactic":62},"T1566.002","Phishing: Spearphishing Link","Initial Access",[64,69,78],{"id":65,"name":66,"description":67,"domain":68},"M1017","User Training","Educate users to only download software updates from official, built-in OS mechanisms and never from third-party websites.","enterprise",{"id":70,"name":71,"d3fend_techniques":72,"description":77,"domain":68},"M1037","Filter Network Traffic",[73],{"id":74,"name":75,"url":76},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Use web filters and DNS filtering to block access to known malicious and typosquatted domains.",{"id":79,"name":80,"d3fend_techniques":81,"description":98,"domain":68},"M1038","Execution Prevention",[82,86,90,94],{"id":83,"name":84,"url":85},"D3-DLIC","Driver Load Integrity Checking","https://d3fend.mitre.org/technique/d3f:DriverLoadIntegrityChecking",{"id":87,"name":88,"url":89},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting",{"id":91,"name":92,"url":93},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting",{"id":95,"name":96,"url":97},"D3-PSEP","Process Segment Execution Prevention","https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention","Use application control policies to prevent users from installing unauthorized software.",[100],{"technique_id":101,"technique_name":102,"url":103,"recommendation":104,"mitre_mitigation_id":105},"D3-DNSDL","DNS Denylisting","https://d3fend.mitre.org/technique/d3f:DNSDenylisting","The fake Microsoft update campaign relies on directing users to a malicious typosquatted domain. A primary and highly effective countermeasure is DNS Denylisting, also known as DNS filtering. By subscribing to reputable threat intelligence feeds, an organization's DNS resolver or web proxy can be configured to block any attempt to resolve the malicious domain `microsoft-update[.]support`. When a user clicks on the malvertisement and their browser tries to navigate to the site, the DNS request is blocked, and the user never reaches the fake page. This prevents the social engineering attack and the malware download from ever occurring. This technique is highly scalable and provides a strong first line of defense against a wide range of web-based threats.","M1021",[107,111],{"type":108,"value":109,"description":110},"domain","microsoft-update[.]support","Malicious typosquatted domain hosting the fake update page.",{"type":112,"value":113,"description":114},"file_name","WindowsUpdate 1.0.0.msi","The malicious Windows Installer package.",[116,122],{"type":117,"value":118,"description":119,"context":120,"confidence":121},"process_name","msiexec.exe","The Windows Installer process. Monitor for this process being launched by a browser and subsequently spawning suspicious child processes or making network connections.","EDR logs, Windows Event ID 4688.","medium",{"type":123,"value":124,"description":125,"context":126,"confidence":15},"url_pattern","*/WindowsUpdate 1.0.0.msi","Monitor network logs for downloads of this specific filename, which is the malware installer.","Web proxy logs, firewall logs.",[13,28,14,128,18,129],"Malvertising","France","2026-04-09T15:00:00.000Z","NewsArticle",{"geographic_scope":133,"countries_affected":134,"industries_affected":135,"other_affected":137},"national",[129],[136],"Other",[138],"French-speaking Windows users",4,1776260626170]