Threat actors are always looking for topical lures to socially engineer victims into infecting their systems. We recently analyzed one such lure, namely a fake Windows 11 installer. On 27 January 2022, the day after the final phase of the Windows 11 upgrade was announced, we noticed that a malicious actor had registered the domain windows-upgraded[.]com, which they used to spread malware by tricking users into downloading and running a fake installer. The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information-stealing malware family that is widely advertised for sale on underground forums.
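The three signals that made this domain stand out (newly registered, brand-imitating, tied to a recent announcement) can be turned into a simple triage heuristic for new-domain feeds. The following is an added example written for this article, not code from the original write-up or from any vendor tool; the brand keyword list, the allow-list of legitimate domains, the 30-day "newly registered" threshold and the registration date are constructed assumptions for illustration, and the defanged domain from the text is refanged before scoring.

```python
from datetime import date

# Constructed assumptions: brands to watch for and the domains that legitimately own them.
BRAND_KEYWORDS = ("windows", "microsoft", "office")
LEGIT_DOMAINS = {"microsoft.com", "windows.com", "office.com"}

def refang(domain):
    """Turn defanged notation such as 'example[.]com' back into a real domain name."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")

def is_brand_lookalike(domain, legit=LEGIT_DOMAINS, keywords=BRAND_KEYWORDS):
    """True when the domain carries a brand keyword but is not an allow-listed brand domain
    or a subdomain of one. The registrable name is approximated by the left-most label
    (an assumption that ignores multi-label public suffixes such as co.uk)."""
    d = refang(domain)
    if d in legit or any(d.endswith("." + owner) for owner in legit):
        return False
    label = d.split(".")[0]
    return any(keyword in label for keyword in keywords)

def domain_age_days(registered, observed):
    """Age of a registration in whole days at the time it was observed."""
    return (observed - registered).days

def score_domain(domain, registered, observed, max_age_days=30):
    """Return the list of triage reasons that fire for a domain; an empty list means no hit."""
    reasons = []
    if is_brand_lookalike(domain):
        reasons.append("brand-lookalike")
    if domain_age_days(registered, observed) <= max_age_days:
        reasons.append("newly-registered")
    return reasons

if __name__ == "__main__":
    # The domain from the write-up, with a constructed registration date matching the article's timeline.
    print(score_domain("windows-upgraded[.]com", date(2022, 1, 27), date(2022, 1, 27)))
    # A legitimate brand subdomain and an unrelated old domain should not fire.
    print(score_domain("update.microsoft.com", date(2010, 1, 1), date(2022, 1, 27)))
    print(score_domain("example.org", date(2010, 1, 1), date(2022, 1, 27)))
```

Both reasons firing together is the combination described in the text; in practice the registration date would come from a WHOIS or RDAP lookup, and the keyword list would be extended with whatever brands a recent announcement makes topical.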