Inno Stealer Malware Disguised as Windows 11 Installer Targets Users
A new Inno Stealer malware campaign masquerades as a legitimate Windows 11 upgrade installer, using a spoofed Microsoft site to distribute an infected ISO that creates hidden scripts, disables security, and steals browser data and cryptocurrency wallets, posing a serious information‑security threat.
Source: Carrot Weekly (ID: carrotchou)
According to Neowin, since Windows 11 was first released in June 2021, many campaigns have tried to lure users into downloading fake malicious Windows 11 installers. Although these campaigns subsided for a while, they appear to have resurfaced, potentially more dangerous now that Windows 11 is widely available.
Security firm CloudSEK discovered new malware of a similar nature. The spoofed site looks like Microsoft's official site, but the file it distributes, built with Inno Setup, contains the "Inno Stealer" malware installer. This is a novel information-stealing malware with no similar samples on VirusTotal.
The malicious site's URL is "windows11-upgrade11.com", and it appears the Inno Stealer operators reused a page from a similar campaign months earlier, using the same tricks to deceive victims.
CloudSEK says that after downloading the infected ISO, multiple processes run in the background to compromise the system. It creates Windows command scripts to disable registry security, add exclusions for Defender, uninstall security products, and delete shadow volumes.
Finally, a .SCR file is created, which actually delivers the malicious payload; in this case, the infected system shows the new Inno Stealer malware in the following directory:
C:\Users\AppData\Roaming\Windows11InstallationAssistant
The payload file is named “Windows11InstallationAssistant.scr”.
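The behaviours described above can be turned into simple triage logic over process-creation logs. The following Python sketch is an added example, not code from CloudSEK or the original article: the regexes match generic Windows commands for Defender exclusions and shadow-copy deletion (an assumption, since the article does not quote the malware's actual commands), and the hosts, user name and log lines are constructed.

```python
import re

# Rules derived from the behaviours the article lists. The command patterns
# are generic Windows commands (assumption), not strings from the sample.
RULES = [
    ("defender_exclusion",
     re.compile(r'(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)', re.I)),
    ("shadow_copy_delete",
     re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete', re.I)),
    # Screensaver binaries launched from a user's roaming profile are unusual.
    ("scr_from_roaming",
     re.compile(r'\\AppData\\Roaming\\[^"]*\.scr\b', re.I)),
    # Payload file name given in the article.
    ("article_payload_name",
     re.compile(r'Windows11InstallationAssistant\.scr', re.I)),
]

def match_rules(command_line):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(command_line)]

def triage(events):
    """Group hits per host; two or more distinct rules on a host escalates it."""
    per_host = {}
    for host, cmd in events:
        hits = match_rules(cmd)
        if hits:
            per_host.setdefault(host, set()).update(hits)
    return {h: ("escalate" if len(r) >= 2 else "review", sorted(r))
            for h, r in per_host.items()}

# Constructed sample process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("PC-01", r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming"'),
    ("PC-01", r'cmd.exe /c vssadmin delete shadows /all /quiet'),
    ("PC-01", r'"C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr" /S'),
    ("PC-02", r'vssadmin list shadows'),                 # benign: listing only
    ("PC-03", r'"C:\Windows\System32\scrnsave.scr" /s'),  # benign: system screensaver
    ("PC-04", r'wmic shadowcopy delete'),
]

if __name__ == "__main__":
    for host, (verdict, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict, ", ".join(rules))
```

A single rule hit is only a prompt for review, since backup tools and administrators also delete shadow copies or add Defender exclusions; the combination on one host is what matches the chain described in the article.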
The following diagram explains the entire process:
CloudSEK identified the targets of the Inno information‑stealing malware, which include browsers and cryptocurrency wallets, as shown in the diagram: first browsers, then wallets.