Windows update: Urgent Warning: Fake Site Distributing Malware

windows update — US news

In a troubling development, a fake Microsoft support website is deceiving users into downloading malware disguised as a Windows update. The campaign primarily targets French-speaking users and builds on the large volume of personal information already circulating from previous French data breaches, which gives the operators names, addresses and other details to make their lures convincing.

Once installed, the malware is designed to steal passwords, payment details and account access. It is delivered as an Electron application that bundles a Python interpreter to run its actual payload, with a VBS script acting as the launcher. Security experts have noted that it uses two persistence mechanisms to survive reboots: a registry entry and a shortcut placed in the Startup folder, so either one alone is enough to bring the malware back after the other is removed.
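The two persistence locations named above are the first place to look when triaging a machine that may have run the fake update. The following PowerShell script is an added example, not code from the article or from any vendor; it enumerates Startup-folder shortcuts (resolving each .lnk to its real target) and the usual autorun registry values, and flags entries matching the tradecraft the article describes. The article does not say which registry key the malware uses, so the Run/RunOnce keys and the assumption that dropped files live under the user's AppData tree are this example's own; adjust `$SuspectPattern` to your indicators.

```powershell
# Added example, not from the article or any vendor tooling.
# Enumerates Startup-folder shortcuts and autorun registry values and flags
# entries that match the reported tradecraft: a .vbs launcher, a script host,
# a Python or Electron-style binary, or anything launched from a user-writable
# profile directory.
# Assumptions (not stated in the article): the registry entry is one of the
# common Run/RunOnce keys, and the dropped files sit under %APPDATA% or
# %LOCALAPPDATA%.

$SuspectPattern = '\.vbs|wscript|cscript|python|electron|\\AppData\\(Roaming|Local)\\'

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = [System.Collections.Generic.List[object]]::new()
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

# 1. Startup-folder shortcuts: resolve each .lnk to its target and arguments,
#    because the shortcut's display name tells you nothing about what it runs.
foreach ($folder in $StartupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($lnk in Get-ChildItem -Path $folder -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)".Trim()
        $findings.Add([pscustomobject]@{
            Source     = "Startup: $($lnk.FullName)"
            Command    = $cmd
            Suspicious = [bool]($cmd -match $SuspectPattern)
        })
    }
}

# 2. Autorun registry values: every value under these keys is a command line
#    executed at logon.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $findings.Add([pscustomobject]@{
            Source     = "$key\$($p.Name)"
            Command    = [string]$p.Value
            Suspicious = [bool]([string]$p.Value -match $SuspectPattern)
        })
    }
}

# 3. Report. Flagged entries deserve a look at the target file, its signer and
#    its creation time before anything is deleted; remove both persistence
#    entries and the dropped application together, or it will simply return.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap

if ($findings.Suspicious -contains $true) {
    Write-Warning 'Suspicious autorun entries found; review before removing.'
}
```

Run it from an elevated PowerShell so the HKLM keys and the all-users Startup folder are readable. The pattern is deliberately broad: legitimate software also launches from AppData, so treat a hit as a lead to investigate rather than a verdict.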

According to reports, the malware contacts external sites to learn the victim's public IP address and for command-and-control communication, which further endangers users' data. Alarmingly, a VirusTotal scan returned zero detections from all 69 engines for the main executable and from all 62 engines for the VBS launcher, raising concerns about how much protection signature-based scanning offers against a freshly built sample.

This incident is particularly alarming given France's recent history with data breaches. Over the past two years the country has experienced a cascade of incidents, including one affecting 19 million subscriber contracts and the France Travail breach alone, which compromised 43 million records. In total, around 90 million records have been aggregated from various breaches, giving attackers the personal details they need for targeted lures and making the region a prime target for credential theft.

Experts emphasize the importance of vigilance, stating, "A domain like microsoft-update[.]support may look plausible, but it is not connected to Microsoft." Microsoft does not deliver updates through support websites. Users are urged to install updates only through Windows Update in Settings and, when a standalone package is genuinely needed, to download it only from the Microsoft Update Catalog (catalog.update.microsoft.com), the only legitimate source for manual downloads.
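Checking the download source is necessary but not sufficient; a package that has been tampered with or swapped on the way down will still have a plausible filename. Genuine update packages from the Microsoft Update Catalog carry an Authenticode signature that chains to Microsoft, and that can be verified offline before the file is run. The script below is an added example, not code from the article; the `$PackagePath` parameter is a placeholder for whatever .msu or .cab you downloaded.

```powershell
# Added example, not from the article. Verifies that a manually downloaded
# update package (.msu or .cab from the Microsoft Update Catalog) carries a
# valid Authenticode signature and that the signer is Microsoft, before it
# is installed. $PackagePath is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$PackagePath
)

if (-not (Test-Path -LiteralPath $PackagePath)) {
    throw "File not found: $PackagePath"
}

$sig = Get-AuthenticodeSignature -LiteralPath $PackagePath

# A tampered, re-packed or unsigned file shows NotSigned, HashMismatch or
# UnknownError here. 'Valid' means the hash matches and the certificate
# chains to a trusted root on this machine.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; do not install this package."
    return $false
}

# 'Valid' only says that some trusted certificate signed it, so also check
# who the signer is. Microsoft's code-signing subjects carry
# O=Microsoft Corporation.
$signer = $sig.SignerCertificate
Write-Host "Signer : $($signer.Subject)"
Write-Host "Issuer : $($signer.Issuer)"
Write-Host "Expires: $($signer.NotAfter)"

if ($signer.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Warning 'Signed, but not by Microsoft Corporation; do not install.'
    return $false
}

# File hash, for comparison against the hash shown in the package details on
# the Update Catalog, or for pivoting to your own threat intelligence.
$hash = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
Write-Host "SHA256 : $hash"
Write-Host 'Authenticode signature is valid and chains to Microsoft.'
return $true
```

Save it as a script and invoke it with the downloaded file's path. Note what this check does not do: an installer that is itself a signed Electron application from some other publisher would pass the first test and fail only the signer check, which is why the subject comparison matters as much as the status.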

Chongwei Chen, a cybersecurity analyst, remarked, "Windows updates are cumulative but not infinitely so," highlighting the need for users to know which updates they are installing and where they came from. If you suspect that you have run this fake update, act immediately: disconnect the machine from the network, remove both persistence entries and the dropped Electron application, change the passwords and payment credentials it could have reached from a device you trust, and watch the affected accounts for misuse.

The most important takeaway from this incident is that a zero-detection result on VirusTotal does not guarantee a file's safety: engines lag behind newly built samples, and a clean scan says nothing about how the file reached you. Users are advised to exercise caution and remain alert, because campaigns like this one exploit trust in a familiar update prompt rather than any flaw in Windows itself.
