Hackers are targeting Windows users with malware using spoofed domain names faking Windows 11 download websites, claims ThreatLabz, the research arm of cloud security company Zscaler.
The spoofed domain names led users to malicious websites offering a Windows 11 upgrade and tricked them into downloading a malicious ISO file containing the Vidar info-stealer malware. ThreatLabz detected the domain names in April while monitoring suspicious traffic on the Zscaler cloud.
Released last year, Windows 11 is still installed on only 8.89% of PCs, as per Statcounter data. Previous versions such as Windows 10 still account for 73.24% of the market, while Windows 7 runs on 12.62% of PCs. Hackers are aware of this large user base that has yet to upgrade and is therefore more likely to fall into the trap.
The malware was also being distributed through social media networks including Telegram and Mastodon, a decentralised social network that has recently seen a surge in users after Elon Musk’s $44 billion bid to acquire Twitter. ThreatLabz found that the hackers had created accounts on Mastodon and were using the profile section of those accounts to store command-and-control (C2) server addresses.
Researchers at ThreatLabz said that the hackers are also using social engineering to impersonate popular software applications and distribute the malware. They found a hacker-controlled GitHub repository that hosted several backdoored versions of Adobe Photoshop.
During the investigation, researchers found that the hackers kept the size of the ISO file above 300 MB to avoid detection by network security solutions that do not scan files larger than a set limit.
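The size-based evasion described above can be turned around into a triage check. The following Python script is an added example and not code from ThreatLabz or Zscaler: it flags image files that exceed the 300 MB figure from the article and whose tail is low-entropy filler. The 300 MB cutoff is the article's; the entropy threshold, the assumption that an inflated file ends in a run of identical bytes, and the sample blobs are constructed for the example.

```python
import math
import os
from collections import Counter

# Added example, not from the ThreatLabz report. The article says the ISO was
# kept above 300 MB so scanners with a size cutoff skip it. Inflating a file
# cheaply usually means appending filler, so this heuristic flags oversized
# images whose tail has near-zero entropy. The 300 MB figure is the article's;
# the entropy cutoff and the "filler is identical bytes" assumption are mine.

SIZE_THRESHOLD = 300 * 1024 * 1024   # from the article
TAIL_SAMPLE = 1 << 20                # bytes read from the end of a file on disk
LOW_ENTROPY = 1.0                    # bits per byte; real ISO content is far higher


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(size: int, tail: bytes, size_threshold: int = SIZE_THRESHOLD,
           low_entropy: float = LOW_ENTROPY) -> dict:
    """Decide whether a file looks like a payload inflated with filler.

    size: total file size in bytes; tail: a sample taken from the end of the file.
    The measurements are returned with the verdict so an analyst can see why.
    """
    entropy = shannon_entropy(tail)
    oversized = size >= size_threshold
    filler_tail = entropy < low_entropy
    return {
        "size": size,
        "tail_entropy": round(entropy, 3),
        "oversized": oversized,
        "filler_tail": filler_tail,
        "suspicious": oversized and filler_tail,
    }


def assess_file(path: str, tail_sample: int = TAIL_SAMPLE, **kwargs) -> dict:
    """Apply assess() to a file on disk, reading only its last tail_sample bytes."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - tail_sample))
        tail = fh.read()
    return dict(path=path, **assess(size, tail, **kwargs))


def scan_directory(root: str, suffixes=(".iso",), **kwargs) -> list:
    """Walk root and return an assessment for every file with a matching suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                hits.append(assess_file(os.path.join(dirpath, name), **kwargs))
    return hits


# Constructed samples; they are small, so the size threshold is lowered to 4 KiB
# when exercising them.
PAYLOAD = bytes(range(256)) * 4                       # 1 KiB of varied content
PADDED = PAYLOAD + b"\x00" * (8192 - len(PAYLOAD))    # inflated to 8 KiB with zeros
UNPADDED = bytes(range(256)) * 32                     # 8 KiB of varied content

if __name__ == "__main__":
    for label, blob in (("padded", PADDED), ("unpadded", UNPADDED)):
        print(label, assess(len(blob), blob[-4096:], size_threshold=4096))
```

Run it against a download directory with `scan_directory("/path/to/downloads")` to list only the suspicious entries; reading just the tail keeps the check cheap even on multi-hundred-megabyte images. Treat a hit as a reason to submit the file for full scanning rather than as proof of malice, since some legitimate images also carry zero padding.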
A variant of the Arkei malware family, Vidar is an information-stealing malware widely used to steal documents, cookies and browser histories, coins from cryptocurrency wallets, data from two-factor authentication apps, and information from text messages.