Fake domains offer Windows 11 installers - but deliver malware instead

Be careful what you are downloading - these files deliver the Vidar infostealer.
Written by Charlie Osborne, Contributing Writer

Security researchers have found a new collection of phishing domains offering up fake Windows 11 installers that actually deliver information-stealing malware. 

Cybersecurity firm Zscaler said that newly registered domains appeared in April 2022 and have been designed to mimic the legitimate Microsoft Windows 11 OS download portal. 

'Warez' sites containing pirate material, including software and games, are notorious as hotbeds of malicious malware packages, including Trojans, information stealers, adware, and nuisanceware. 

SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systems

Cracked forms of software are on offer for free and users who download the software are usually trying to avoid paying for software licenses or gaming content. A brief scan of active warez sites reveals listings for Windows, macOS, and Linux applications, including Adobe Photoshop, various creative applications, enterprise versions of Windows software, and a host of films and games. 

However, if you risk the download, you might be opening your machine up to infection – and the same applies if you download software you trust from a suspicious web address.

Image: Zscaler

In the case documented by Zscaler, Vidar is spread by the threat actors through phishing and social media networks, including Mastodon, which are widely abused to facilitate attacks. 

Mastodon is decentralized, open-source software used to run self-hosted social networks. In two instances, the cyber criminals created new user accounts and stored command-and-control (C2) server addresses in their 'profile' sections. 

In a new development, the Vidar group is also opening Telegram channels with the same C2 stored in the channel description. By doing so, malware implanted on vulnerable systems can fetch C2 configuration from these channels. 

Vidar is a nasty form of malware able to spy on users and steal their data, including OS information, browser history, online account credentials, financial data, and various cryptocurrency wallet credentials. Vidar is also spread through the Fallout exploit kit. 

SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches

While the fake website pretends to be the official download portal, the malicious file on offer is an .ISO hiding the Vidar payload and packed with Themida. A static configuration is used to access the C2, but social media profiles can also be used as backup URLs. 

In addition to the .ISO files being distributed as fake Windows 11 installers, Zscaler also uncovered a GitHub repository storing backdoored versions of Adobe Photoshop, another popular option for warez sites. 

The best option to mitigate the risk of Vidar is to only download software from trusted, official domains – and to not give in to the lure of free, cracked software. 

"The threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing Vidar stealer using themes related to the latest popular software applications," the researchers say. "As always, users should be cautious when downloading software applications from the Internet."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards