This fake Windows support website delivers password-stealing malware
A malicious campaign is targeting French-speaking users in an attempt to steal passwords, payment details and banking details from people across France, according to researchers at the Institute for Strategic Studies (ISS).
AI Analysis
Technical Summary
This campaign involves a fraudulent website impersonating Windows support to distribute malware designed to steal user credentials and financial information. It targets French-speaking users, leveraging social engineering and technical methods such as code obfuscation and persistence mechanisms (indicated by tags like T1036, T1547, T1140, T1105, T1059, T1027). The malware delivery involves scripts and possibly Electron-based applications. Indicators include the malicious domain microsoft-update.support and several file hashes. There is no CVE or patch associated with this campaign, and no known exploits in the wild have been reported.
Potential Impact
The campaign can lead to theft of passwords, payment details, and banking information from victims, potentially resulting in financial loss and compromised accounts. The impact is localized to French-speaking users, especially in France, but no broader geographic targeting is confirmed. There is no evidence of widespread exploitation or active threat actor attribution at this time.
Mitigation Recommendations
No official patch or remediation is available as this is a malware campaign rather than a software vulnerability. Defenders should block access to the domain microsoft-update.support and monitor for the associated file hashes. User education to recognize fake support websites and avoid downloading software from untrusted sources is recommended. Since no vendor advisory or official fix exists, patch status is not applicable. Follow updates from trusted threat intelligence sources for any changes.
Indicators of Compromise
- hash: 08ccc359f9e0851d49e942cd47e5cf55
- hash: f15a70fccc42a07306d5987e35e1a5b2f070999e
- hash: 13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60
- hash: c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650
- domain: microsoft-update.support
This fake Windows support website delivers password-stealing malware
Description
A malicious campaign is targeting French-speaking users in an attempt to steal passwords, payment details and banking details from people across France, according to researchers at the Institute for Strategic Studies (ISS).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involves a fraudulent website impersonating Windows support to distribute malware designed to steal user credentials and financial information. It targets French-speaking users, leveraging social engineering and technical methods such as code obfuscation and persistence mechanisms (indicated by tags like T1036, T1547, T1140, T1105, T1059, T1027). The malware delivery involves scripts and possibly Electron-based applications. Indicators include the malicious domain microsoft-update.support and several file hashes. There is no CVE or patch associated with this campaign, and no known exploits in the wild have been reported.
Potential Impact
The campaign can lead to theft of passwords, payment details, and banking information from victims, potentially resulting in financial loss and compromised accounts. The impact is localized to French-speaking users, especially in France, but no broader geographic targeting is confirmed. There is no evidence of widespread exploitation or active threat actor attribution at this time.
Mitigation Recommendations
No official patch or remediation is available as this is a malware campaign rather than a software vulnerability. Defenders should block access to the domain microsoft-update.support and monitor for the associated file hashes. User education to recognize fake support websites and avoid downloading software from untrusted sources is recommended. Since no vendor advisory or official fix exists, patch status is not applicable. Follow updates from trusted threat intelligence sources for any changes.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://securityboulevard.com/2026/04/this-fake-windows-support-website-delivers-password-stealing-malware/"]
- Adversary
- null
- Pulse Id
- 69d7e6529f5d17df9f58fdae
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash08ccc359f9e0851d49e942cd47e5cf55 | MD5 of c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650 | |
hashf15a70fccc42a07306d5987e35e1a5b2f070999e | SHA1 of c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650 | |
hash13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60 | — | |
hashc94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainmicrosoft-update.support | — |
Threat ID: 69d7e6f61cc7ad14dafe7e5a
Added to database: 4/9/2026, 5:50:46 PM
Last enriched: 4/9/2026, 6:06:41 PM
Last updated: 4/10/2026, 6:09:39 AM
Views: 54
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.