Researchers from Huntress have identified a cyberattack method in which malicious actors use fake Windows update screens to trick users into installing data-stealing malware. The deceptive interface closely mimics the genuine Windows Update process, displaying realistic animations and progress bars in full-screen mode to create a convincing illusion of a legitimate system update.
According to the findings, the attack begins when a user interacts with a seemingly harmless PNG image file. Hidden data payloads are embedded within the image. A PNG cannot execute on its own, so a separate loader has to read the hidden bytes out of the file and run them; once that happens, the payload deploys information-stealing malware capable of harvesting passwords, banking details and cryptocurrency wallet data.
This technique represents an evolution in social engineering, as threat actors move beyond traditional phishing links and use image formats as carriers for malware. Because PNG files are an ordinary, expected attachment type, they pass through filters that block executables or scripts, and bytes tucked inside an image are not examined as code by scanners that only look at the file's declared type. The caveat for defenders is that the image is only the container: the loader that reads it, and the process activity that follows, are where detection has a realistic chance.
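As an added example, not code from Huntress or from the report the article summarizes: a small Python triage script that walks a PNG's chunk structure and flags the two simplest ways to hide a payload in an image file, data appended after the IEND chunk and data stored in a non-standard chunk. The 1x1 sample image, the private chunk name `paYL` and the payload bytes are constructed here for illustration; the report does not say which embedding method this campaign used, so treat the checks as a general starting point rather than a signature for it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification plus common extensions
# (APNG, eXIf). Anything outside this set deserves a closer look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob: bytes) -> dict:
    """Walk the chunk list and collect what a triage analyst wants to know."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    findings = {"chunks": [], "bad_crc": [], "unknown_chunks": [], "trailing_bytes": 0}
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_field) != 4:
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        name = ctype.decode("latin-1")
        findings["chunks"].append((name, length))
        # A CRC mismatch means the chunk was edited after the encoder wrote it.
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            findings["bad_crc"].append(name)
        if ctype not in KNOWN_CHUNKS:
            findings["unknown_chunks"].append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        raise ValueError("no IEND chunk: file is truncated or malformed")
    # A conforming PNG ends at IEND; every byte after it is foreign data that
    # image viewers ignore and a loader can read straight back.
    findings["trailing_bytes"] = len(blob) - pos
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the file carries data a plain image has no reason to contain."""
    return bool(findings["trailing_bytes"] or findings["unknown_chunks"] or findings["bad_crc"])


def build_sample(payload: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed 1x1 red PNG for the demo. Optionally hides `payload` in a
    private ancillary chunk (hypothetical name paYL: lowercase 1st letter =
    ancillary, lowercase 2nd letter = private) and appends `trailing` after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter byte + 1 pixel
    png = PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
    png += build_chunk(b"IDAT", zlib.compress(scanline))
    if payload:
        png += build_chunk(b"paYL", payload)
    png += build_chunk(b"IEND", b"")
    return png + trailing


if __name__ == "__main__":
    # Constructed inputs: a clean image and one carrying a fake "MZ" blob.
    for label, blob in (
        ("clean", build_sample()),
        ("carrier", build_sample(payload=b"MZ" + b"\x90" * 64, trailing=b"\xde\xad" * 32)),
    ):
        result = parse_png(blob)
        print(f"{label}: suspicious={is_suspicious(result)} {result}")
```

Run against a directory of attachments, the script is cheap enough to apply to every PNG; the clean sample reports three standard chunks and nothing else, while the carrier reports the private chunk and the 64 trailing bytes. Payloads hidden in pixel data (true steganography) or in oversized `tEXt`/`zTXt` chunks will not trip these checks, which is why the loader and the post-execution process activity remain the better detection point.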
Huntress researchers noted that the fake update screen is designed to appear authentic, trading on users' familiarity with Microsoft's update interface to lower their vigilance. By replicating the look and feel of a real Windows update, including branding, layout and animated elements, the scam increases the likelihood that the user will comply.
The attack underscores the growing sophistication of cybercriminal operations, particularly in how they imitate trusted system processes to conceal malicious activity. As these tactics become more refined, users are urged to verify the legitimacy of update prompts and to avoid interacting with unexpected image files, even if they appear benign. A genuine Windows Update is started from Settings or runs at reboot; it is never triggered by opening a file. If a full-screen update screen appears while the desktop is still running, Alt+Tab or Task Manager will show which process is drawing it.
Although the specific threat group behind the campaign has not been named in the available reports, the method aligns with observed trends in credential theft and financial fraud. Security experts recommend maintaining up-to-date antivirus software and exercising caution when prompted to install updates from unverified sources.