Fake Windows 11 Ads on Facebook Spread Password-Stealing, Crypto-Draining Malware

A new report warns about a dangerous scam spreading through paid Facebook ads. The campaign tricks people into downloading fake Windows 11 installers that secretly steal passwords, browser data, and cryptocurrency wallet information.

How the scam works

Cybercriminals are buying ads on Facebook that appear to promote a legitimate Windows 11 update. The ads use convincing Microsoft-style branding and professional design, making them look authentic.

When someone clicks the ad, they’re redirected to a fake website designed to closely resemble Microsoft’s official Windows download page. These sites use look-alike domain names such as:

  • ms-25h2-download[.]pro
  • ms-25h2-update[.]pro
  • ms25h2-download[.]pro
  • ms25h2-update[.]pro

The naming mimics Microsoft’s update versioning (like “25H2”), which helps make the scam believable.

Evasion techniques

The attackers aren’t just relying on deception — they’re actively trying to avoid detection.

The fake sites perform checks to see who is visiting. If the visitor appears to be a security researcher, automated scanner, or sandbox environment, the site redirects them to harmless content; only ordinary users are served the malicious file. These techniques, known as geofencing and sandbox evasion, help the campaign stay under the radar.

The malicious file

Victims are prompted to download a file named:

ms-update32.exe

The file is approximately 75 MB and is presented as a Windows installer. To make it appear more trustworthy, the attackers host it on legitimate platforms such as GitHub, which means it’s delivered over HTTPS and doesn’t immediately trigger browser warnings.

What happens after infection

If the file is executed, it installs a hidden application inside:

AppData\Roaming\LunarApplication (that is, %APPDATA%\LunarApplication)

The malware is built using Electron and keeps its installation folder hidden on the system. It likely collects:

  • Saved browser passwords
  • Browser sessions and cookies
  • Cryptocurrency wallet files
  • Seed phrases

The stolen data is then exfiltrated to the attackers.

Indicators of compromise (IOCs)

Malicious file hash (SHA-256):
c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa (ms-update32.exe)

Suspicious domains:

  • ms-25h2-download[.]pro
  • ms-25h2-update[.]pro
  • ms25h2-download[.]pro
  • ms25h2-update[.]pro
  • GitHub raw URLs hosting the payload

File system artifacts:

  • Hidden folder: LunarApplication
  • Randomly named PowerShell scripts dropped in %TEMP%

Registry persistence mechanism:

  • HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults
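The indicators above can be turned into a quick triage check. The following Python script is an added example, not part of the report: it refangs the published domains, flags proxy log lines whose URL host is one of them (or a subdomain), compares a downloaded file against the published SHA-256, and checks for the hidden LunarApplication folder. The log lines are constructed sample data.

```python
import hashlib
import re
from pathlib import Path

# Indicators quoted from the report, defanged as published.
DEFANGED_DOMAINS = [
    "ms-25h2-download[.]pro",
    "ms-25h2-update[.]pro",
    "ms25h2-download[.]pro",
    "ms25h2-update[.]pro",
]
PAYLOAD_SHA256 = "c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa"


def refang(domain: str) -> str:
    """Turn a defanged domain ('[.]') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
HOST_RE = re.compile(r"https?://([^/:\s]+)")


def flag_log_lines(lines):
    """Return (line_number, host) for every URL host that is an IOC domain or a subdomain of one."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((number, host))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_matches_payload(path) -> bool:
    """Stream-hash a file (the installer is ~75 MB) and compare to the report's hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == PAYLOAD_SHA256


def lunar_folder_present(appdata_roaming) -> bool:
    """True if the hidden LunarApplication folder exists under the given Roaming AppData path."""
    return (Path(appdata_roaming) / "LunarApplication").is_dir()


# Constructed sample proxy log lines (not taken from the report).
SAMPLE_PROXY_LOG = [
    "2025-01-01T10:00:00Z user1 GET https://www.microsoft.com/software-download/windows11 200",
    "2025-01-01T10:00:05Z user1 GET https://ms-25h2-update.pro/download 200",
    "2025-01-01T10:00:09Z user2 GET https://example.org/ 200",
    "2025-01-01T10:01:12Z user1 GET https://cdn.ms25h2-download.pro/ms-update32.exe 200",
]
```

Run `flag_log_lines(SAMPLE_PROXY_LOG)` to see the two flagged lines; on a real host, pass `%APPDATA%` to `lunar_folder_present` and the downloaded file path to `file_matches_payload`.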

Why this campaign is especially dangerous

This isn’t a typical phishing email. It uses paid Facebook advertising, which adds a layer of perceived legitimacy. Many users assume ads on major platforms are vetted and safe.

On top of that:

  • The malware uses geofencing and sandbox evasion to avoid detection.
  • It’s hosted on trusted infrastructure like GitHub.
  • It uses valid HTTPS certificates, which prevents obvious browser security warnings.

All of this makes the scam more convincing and harder to detect.

What to do if you clicked the ad

If you downloaded and ran the file, you should assume the system is compromised.

Here’s what to do immediately:

  1. Run a full scan with updated antivirus or anti-malware software.
  2. Do not log into any accounts from that device.
  3. From a clean computer, change passwords for all important accounts.
  4. If you store cryptocurrency, move your funds to a new wallet created on a safe device.
  5. Consider placing fraud alerts on financial accounts if sensitive data may have been exposed.

The bottom line

Windows updates should only be installed through the built-in Windows Update feature in your system settings — never through social media ads or third-party download links.

Even professional-looking ads can be malicious. When it comes to operating system updates, always go directly to the official source.