Redmond, Washington, April 15, 2026, 07:11 PDT
Cybersecurity researchers are warning Windows users away from a fake Windows 11 24H2 update served through a lookalike Microsoft support page, after Malwarebytes said the installer was built to steal passwords, payment details and account access. The alert landed just as Microsoft began distributing its real April security update to Windows 11 users.
That timing matters. Microsoft’s Windows release-health page says the April 2026 security update is now available, and the Windows 11 24H2 update history shows KB5083769 was released on April 14 with the latest security fixes and improvements.
Pieter Arntz, a Malwarebytes intelligence researcher, wrote that April’s Patch Tuesday fixes 167 security bugs, including two zero-days — flaws exposed before a vendor patch exists — with one already being exploited. This month, he said, users need to “patch the entire stack,” a rush that gives attackers a natural opening to mimic the update process.
Malwarebytes said the bogus page used a typosquatted, or lookalike, web address and offered an 83-megabyte installer as a cumulative update, a bundled monthly patch. Stefan Dasic, a cybersecurity writer at the firm, called it a “typosquatted domain dressed up to look like an official Microsoft support page.”
The package leaned on familiar tools to look ordinary. Malwarebytes wrote that it used WiX, a legitimate open-source installer framework, then hid malicious code inside Electron, software used to build many desktop apps, before launching a renamed Python process and other components to harvest data and stay on the machine after reboot.
The cybersecurity firm said VirusTotal showed zero detections across 69 antivirus engines for the main executable when it was analyzed, because the outer program appeared clean while the harmful logic sat inside obfuscated scripts. Malwarebytes said it has since added detections for the threat.
Microsoft’s support pages say routine security updates should be checked through Settings > Windows Update, while feature upgrades can be installed manually through the Windows Update Assistant on supported PCs. Malwarebytes said standalone update files should come only from Microsoft’s own domains, including the Update Catalog, not third-party pages that mimic Microsoft branding.
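The source check described above can be applied to a download link before a standalone update file is opened. The following Python is an added example, not code from Malwarebytes or Microsoft; the parent-domain allowlist and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative, non-exhaustive allowlist of Microsoft-owned parent
# domains. The Update Catalog (catalog.update.microsoft.com) falls under the first.
TRUSTED_PARENTS = ("microsoft.com", "windowsupdate.com")


def check_update_url(url):
    """Return (trusted, reason) for a standalone-update download URL."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://microsoft.com@host/ the real destination is "host".
        return False, "userinfo in URL"
    if not host:
        return False, "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host (possible homograph)"
    for parent in TRUSTED_PARENTS:
        # Exact match or true subdomain only; a bare suffix test would also
        # accept a different registrable domain that merely ends in the name.
        if host == parent or host.endswith("." + parent):
            return True, "host under " + parent
    return False, "host not under a trusted parent"


# Constructed sample URLs (not taken from the campaign).
SAMPLES = [
    "https://catalog.update.microsoft.com/Search.aspx?q=KB5083769",
    "https://support.microsoft.com.kb-update.example/fr-fr/windows11-24h2",
    "https://microsoft.com@downloads.example/update.msi",
    "http://catalog.update.microsoft.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_update_url(u), u)
```

A passing result says only that the link points at a host under one of the listed domains; routine security updates are still best taken through Settings > Windows Update.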
For users who think they installed the fake update, Microsoft says they should remove suspicious applications, run a full scan with Windows Security and consider resetting the device if scam messages keep appearing. Malwarebytes separately urged people to assume browser-stored passwords and session tokens may have been exposed, change those passwords and turn on two-factor authentication.
The scope of the campaign is still hard to gauge. The lure page was written in French, suggesting an early focus on French-speaking users, but Dasic wrote that such campaigns tend to spread quickly.
The bigger risk for Microsoft may be less a breach of its built-in update service than attackers shadowing the patch cycle with convincing fakes. A real patch day, and public calls to update fast, give criminals a believable script and users who are already primed to click.