A Malwarebytes analysis describes a fake Windows update page hosted at microsoft-update[.]support that is written in French and lures users to install what appears to be a legitimate Windows update.
The downloaded file is WindowsUpdate 1.0.0[.]msi, an 83 MB Windows Installer package, with spoofed file properties including the Author field reading “Microsoft” and the title “Installation Database.” The package—built with WiX Toolset 4.0.0.5512 and created on 4 April 2026—installs an Electron application that later launches a renamed Python 3.10 process to conduct data theft.
The malware uses two persistence mechanisms: a Run registry entry named SecurityHealth pointing to WindowsUpdate[.]exe and a Startup shortcut Spotify[.]lnk, both designed to look benign. It inventories targets with Python packages such as pycryptodome, psutil and pywin32, and can intercept Discord tokens and payment details via a modified Electron chain.
The campaign targets French-speaking users, leveraging prior data breaches in France to make the lure more convincing, and VirusTotal showed zero detections at the time of analysis for the main executable and the launcher.
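A name-versus-target consistency check for the two persistence entries described above, as an added example that is not code from the Malwarebytes analysis. The expected-binary baseline, the entry format, and every path in the sample inventory are assumptions or constructed values; only the names SecurityHealth, WindowsUpdate.exe and Spotify.lnk come from the report.

```python
import ntpath

# Assumed baseline (not from the article): the binary each autorun name normally
# launches. Windows' own SecurityHealth Run value starts SecurityHealthSystray.exe
# from System32; a genuine Spotify autostart would launch Spotify.exe.
EXPECTED = {
    ("run", "securityhealth"): ("securityhealthsystray.exe", r"\windows\system32"),
    ("startup", "spotify.lnk"): ("spotify.exe", None),
}

def target_path(command):
    """Pull the executable path out of a Run value or shortcut target string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")  # unquoted paths may contain spaces
    return command[: end + 4] if end != -1 else command.split(" ", 1)[0]

def check(kind, name, target):
    """Return why an autorun's name and target disagree, or None if consistent."""
    expected = EXPECTED.get((kind, name.lower()))
    if expected is None:
        return None  # not one of the two names the article reports
    exe, directory = expected
    path = target_path(target).lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, r"c:\windows")
    if ntpath.basename(path) != exe:
        return f"launches {ntpath.basename(path)}, expected {exe}"
    if directory and not ntpath.dirname(path).endswith(directory):
        return f"{exe} outside {directory}"
    return None

def hunt(entries):
    """Return (name, reason) for every autorun whose name masks another binary."""
    return [(name, r) for kind, name, target in entries if (r := check(kind, name, target))]

# Constructed inventory (kind, name, target), e.g. parsed from an autoruns export;
# user names and directories are made up.
SAMPLE = [
    ("run", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("run", "SecurityHealth", r'"C:\Users\a\AppData\Local\Programs\WindowsUpdate.exe" --hidden'),
    ("startup", "Spotify.lnk", r"C:\Users\a\AppData\Roaming\Spotify\Spotify.exe"),
    ("startup", "Spotify.lnk", r"C:\Users\a\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    for name, reason in hunt(SAMPLE):
        print(f"[!] {name}: {reason}")
```

Matching on the entry name alone would also flag the legitimate Windows entry, which is why the check compares the name against the binary it actually launches.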