Redmond, Washington, April 15, 2026, 07:11 PDT
Cybersecurity researchers flagged a bogus Windows 11 24H2 update, warning users that a fake Microsoft support page is pushing an installer designed to swipe passwords, payment info, and account credentials, according to Malwarebytes. The warning hit as Microsoft pushed out its legitimate April security update for Windows 11.
Timing is key here. According to the Windows release-health page, Microsoft rolled out the April 2026 security update, while the Windows 11 24H2 update log records KB5083769 landing on April 14, bringing new security fixes and tweaks.
April’s Patch Tuesday brought 167 security fixes, Malwarebytes intelligence researcher Pieter Arntz said, with two zero-days in the mix—one of them actively exploited. Arntz flagged a “patch the entire stack” scenario this month, warning that attackers can take advantage of the update rush by imitating legitimate patches.
Malwarebytes flagged the fake page, noting it relied on a lookalike, or typosquatted, web address to fool visitors. The site pushed an 83-megabyte installer, claiming it was a cumulative update—a bundled monthly patch. Stefan Dasic, a cybersecurity writer at Malwarebytes, described it as a “typosquatted domain dressed up to look like an official Microsoft support page.”
The package kept things looking routine by sticking with well-known methods. Malwarebytes found that it relied on WiX, the open-source installer many developers trust. Malicious code got tucked away in Electron—software powering plenty of desktop apps—then a Python process appeared, disguised with a new name, along with other payloads aimed at grabbing data and ensuring persistence after a reboot.
According to the cybersecurity firm, VirusTotal didn’t flag the main executable—none of the 69 antivirus engines caught it during analysis. The reason: the outer program looked benign, while the malicious code hid in obfuscated scripts. Malwarebytes noted it’s now detecting the threat.
According to Microsoft’s support documentation, users are directed to grab routine security fixes via Settings > Windows Update, while those looking for major feature updates can run the Windows Update Assistant—assuming their PC is eligible. Malwarebytes flagged that standalone update downloads should always come straight from Microsoft’s own sites, like the Update Catalog, and warned against using lookalike third-party pages dressed up with Microsoft’s logos.
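For teams that want to enforce that advice in a download proxy or helpdesk script, the following added example (not code from Malwarebytes or Microsoft) classifies an update download URL as trusted, lookalike or untrusted. The allowlist of domains, the brand tokens and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains accepted as Microsoft download sources.
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com")
# Assumption: brand strings a lookalike host is likely to borrow or misspell.
BRANDS = ("microsoft", "windowsupdate")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for an update download URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "untrusted"
    # Match the whole host or a dot-delimited suffix, never a bare substring.
    on_allowlist = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    # Trusted only over HTTPS and with no userinfo ("user@host") in the URL.
    if on_allowlist and parts.scheme == "https" and parts.username is None:
        return "trusted"
    if on_allowlist:
        return "untrusted"  # right domain, but plain HTTP or userinfo present
    # Off the allowlist: does the URL borrow or imitate the brand?
    if parts.username and any(b in parts.username.lower() for b in BRANDS):
        return "lookalike"  # brand placed before "@" to disguise the real host
    for label in host.replace("-", ".").split("."):
        if any(b in label or edit_distance(label, b) <= 2 for b in BRANDS):
            return "lookalike"
    return "untrusted"
```

A "lookalike" result is the case worth alerting on: the host is not Microsoft's but is dressed to read as if it were.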
If you think you installed the fake update, Microsoft advises deleting any suspicious apps, scanning your system with Windows Security, and, if scam pop-ups persist, possibly resetting your device. Malwarebytes also warned that browser-saved passwords and session tokens could be compromised; users should change those credentials and enable two-factor authentication.
Just how far the campaign has reached remains unclear. The lure page appeared in French—pointing to French-speaking users as a likely initial target. But Dasic noted these operations usually pick up steam fast.
Microsoft’s bigger worry could be attackers riding the coattails of its patch cycle, pushing out convincing fakes instead of targeting the update service itself. Genuine patch days, along with public urgings to install updates quickly, hand criminals a ready-made story—and a user base set up to click.