{"id":41906,"date":"2026-02-20T06:38:53","date_gmt":"2026-02-20T06:38:53","guid":{"rendered":"http:\/\/localhost\/?p=41906"},"modified":"2026-02-20T06:38:53","modified_gmt":"2026-02-20T06:38:53","slug":"facebook-ads-spread-fake-windows-11-downloads-that-steal-passwords-and-crypto-wallets","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=41906","title":{"rendered":"Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets_MALWAREBYTES:735F491B5DCC7419B04118FA901CDFBB"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-20T12:05:09&#8243;,&#8221;description&#8221;:&#8221;Attackers are running paid Facebook ads that look like official Microsoft promotions, then directing users to near-perfect clones of the Windows 11 download page. Click **Download Now** and instead of a Windows update, you get a malicious installer\u2014one that silently steals saved passwords, browser sessions, and cryptocurrency wallet data.\\n\\n## \\&#8221;I just wanted to update Windows\\&#8221;\\n\\nThe attack starts with something completely ordinary: a Facebook ad. It looks professional, uses Microsoft branding, and promotes what appears to be the latest Windows 11 update. If you have been meaning to keep your PC current, it feels like a convenient shortcut.\\n\\nClick the ad and you land on a site that looks almost identical to Microsoft\u2019s real Software Download page. The logo, layout, fonts, and even the legal text in the footer are copied. The only obvious difference is in the address bar. Instead of microsoft.com, you\u2019ll see one of these lookalike domains:\\n\\n  * ms-25h2-download[.]pro\\n  * ms-25h2-update[.]pro\\n  * ms25h2-download[.]pro\\n  * ms25h2-update[.]pro\\n\\n\\n\\nThe \u201c25H2\u201d in domain names is deliberate. 
It mimics the naming convention Microsoft uses for Windows releases\u201424H2, the current version, was on everyone&#8217;s lips when this campaign launched, making the fake domains look plausible at a glance.\\n\\n## Geofencing: only the right targets get the payload\\n\\nThis campaign does not blindly infect everyone who visits the site.\\n\\nBefore delivering the malware, the fake page checks who you are. If you connect from a data center IP address\u2014often used by security researchers and automated scanners\u2014you get redirected to google.com. The site looks harmless.\\n\\nOnly visitors who appear to be regular home or office users receive the malicious file.\\n\\nThis technique, known as geofencing combined with sandbox detection, is what allowed this campaign to run for as long as it did without being caught and shut down by automated systems. The infrastructure is configured to evade automated security analysis.\\n\\nWhen a targeted user clicks **Download now**, the site triggers a Facebook Pixel \u201cLead\u201d event\u2014the same tracking method legitimate advertisers use to measure conversions. The attackers are monitoring which victims take the bait and optimizing their ad spend in real time.\\n\\n![Fake Windows 11 installer](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/02\/image_e075d9.png?w=1024)\\n\\n## A 75 MB \\&#8221;installer\\&#8221; served straight from GitHub\\n\\nIf you pass the checks, the site downloads a file named **ms-update32.exe**. At 75 MB, it feels like a legitimate Windows installer.\\n\\nThe file is hosted on GitHub, a trusted platform used by millions of developers. That means the download arrives over HTTPS with a valid security certificate. 
Because it comes from a reputable domain, browsers do not automatically flag it as suspicious.\\n\\nThe installer was built using Inno Setup, a legitimate tool often abused by malware authors because it creates professional-looking installation packages.\\n\\n## What happens when you run it\\n\\nBefore doing anything damaging, the installer checks whether it is being watched. It looks for virtual machine environments, debugger software, and analysis tools. If it finds any of them, it stops. This is the same evasion logic that lets it slip past many automated security sandboxes\u2014those systems run inside virtual machines by design.\\n\\nOn a real user\u2019s machine, the installer proceeds to extract and deploy its components.\\n\\nThe most significant component is a full Electron-based application installed to `C:\\\\Users\\\\\\u003cUSER\\u003e\\\\AppData\\\\Roaming\\\\LunarApplication\\\\`. Electron is a legitimate framework used by apps like Slack and Visual Studio Code. That makes it a useful disguise.\\n\\nThe choice of name is not accidental. \u201cLunar\u201d is a brand associated with cryptocurrency tooling, and the application comes bundled with Node.js libraries specifically designed to create ZIP archives\u2014suggesting it collects data, packages it up, and sends it out. 
Likely targets include cryptocurrency wallet files, seed phrases, browser credential stores, and session cookies.\\n\\nAt the same time, two obfuscated PowerShell scripts with randomised filenames are written to the %TEMP% folder and executed with a command line that deliberately disables Windows script-signing protections:\\n\\n`powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -`\\n\\n## Hiding in the registry, covering its tracks\\n\\nTo survive reboots, the malware writes a large binary blob to the Windows registry under: `HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\Software\\\\Microsoft\\\\TIP\\\\AggregateResults`.\\n\\nThe TIP (Text Input Processor) registry path is a legitimate Windows component, which makes it less likely to raise suspicion.\\n\\nTelemetry also shows behavior consistent with process injection. The malware creates Windows processes in a suspended state, injects code into them, and resumes execution. This allows the malicious code to run under the identity of a legitimate process, reducing the chance of detection.\\n\\nOnce execution is established, the installer deletes temporary files to reduce its forensic footprint. It can also initiate system shutdown or reboot operations, potentially to interfere with analysis.\\n\\nThe malware uses multiple encryption and obfuscation techniques, including RC4, HC-128, XOR encoding, and FNV hashing for API resolution. These methods make static analysis more difficult.\\n\\n## The Facebook ads angle\\n\\nThe use of paid Facebook advertising to distribute malware is worth pausing on. This is not a phishing email that lands in a spam folder, or a malicious result buried in a search page. These are paid Facebook ads appearing alongside posts from friends and family.\\n\\nThe attackers ran two parallel ad campaigns, each pointing to separate phishing domains. Each campaign used its own Facebook Pixel ID and tracking parameters. 
If one domain or ad account gets shut down, the other can continue running.\\n\\nThe use of two parallel domains and two separate advertising campaigns suggests the operators have redundancy built in\u2014if one domain is taken down or one ad account is suspended, the other continues running.\\n\\n## What to do if you think you&#8217;ve been affected\\n\\nThis campaign is technically polished and operationally aware. The infrastructure demonstrates awareness of common security research and sandboxing techniques. They understand how people download software and have chosen Facebook advertising as their delivery vector precisely because it reaches real users in a context where trust is high.\\n\\nRemember: Windows updates come from Windows Update inside your system settings\u2014not from a website and never from a social media ad. Microsoft does not advertise Windows updates on Facebook.\\n\\nAnd a pro tip: Malwarebytes would have detected and blocked the identified payload and associated infrastructure.\\n\\nIf you downloaded and ran a file from either of these sites, treat the system as compromised and act quickly.\\n\\n  * Do not log into any accounts from that computer until it has been scanned and cleaned.\\n  * Run a full scan with Malwarebytes immediately.\\n  * Change passwords for important accounts like email, banking, and social media from a **different, clean device**.\\n  * If you use cryptocurrency wallets on that machine, move funds to a new wallet with a new seed phrase generated on a clean device.\\n  * Consider alerting your bank and enabling fraud monitoring if any financial credentials were stored on or accessible from that device.\\n\\n\\n\\nFor IT and security teams: \\n\\n  * Block the phishing domains at DNS and web proxy\\n  * Alert on PowerShell execution with `-ExecutionPolicy Unrestricted` in non-administrative contexts\\n  * Hunt for the LunarApplication directory and randomized `.yiz.ps1` \/ `.unx.ps1` files in `%TEMP%`\\n\\n\\n\\n## 
Indicators of Compromise (IOCs)\\n\\n### File hash (SHA-256)\\n\\n  * c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa (ms-update32.exe)\\n\\n\\n\\n### Domains\\n\\n  * ms-25h2-download[.]pro\\n  * ms-25h2-update[.]pro\\n  * ms25h2-download[.]pro\\n  * ms25h2-update[.]pro\\n  * raw.githubusercontent.com\/preconfigured\/dl\/refs\/heads\/main\/ms-update32.exe (payload delivery URL)\\n\\n\\n\\n### File system artifacts\\n\\n  * C:\\\\Users\\\\\\u003cUSER\\u003e\\\\AppData\\\\Roaming\\\\LunarApplication\\\\\\n  * C:\\\\Users\\\\\\u003cUSER\\u003e\\\\AppData\\\\Local\\\\Temp\\\\\\\\[random].yiz.ps1\\n  * C:\\\\Users\\\\\\u003cUSER\\u003e\\\\AppData\\\\Local\\\\Temp\\\\\\\\[random].unx.ps1\\n\\n\\n\\n### Registry\\n\\n  * HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\Software\\\\Microsoft\\\\TIP\\\\AggregateResults (large binary data \u2014 persistence)\\n\\n\\n\\n### Facebook advertising infrastructure\\n\\n  * Pixel ID: 1483936789828513\\n  * Pixel ID: 955896793066177\\n  * Campaign ID: 52530946232510\\n  * Campaign ID: 6984509026382&#8243;,&#8221;published&#8221;:&#8221;2026-02-20T10:00:30&#8243;,&#8221;modified&#8221;:&#8221;2026-02-20T10:00:30&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Facebook ads spread fake Windows 11 downloads that steal passwords and crypto 
wallets&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:735F491B5DCC7419B04118FA901CDFBB&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/02\/facebook-ads-spread-fake-windows-11-downloads-that-steal-passwords-and-crypto-wallets&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#
8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-20T12:05:09&#8243;,&#8221;description&#8221;:&#8221;Attackers are running paid Facebook ads that look like official Microsoft promotions, then directing users to near-perfect clones of the Windows 11 download page. Click&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-41906","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"]}