A new malware campaign is targeting cryptocurrency users through fake Windows 11 upgrade ads on Facebook, exploiting confusion around the end of support for Windows 10.
Key Takeaways
- Fake Windows 11 ads on Facebook spread crypto-stealing malware.
- Victims are redirected to cloned Microsoft-style websites.
- The “LunarApplication” infostealer targets seed phrases and passwords.
- Malware uses geofencing and sandbox detection to avoid security tools.
The operation, uncovered in February 2026 by researchers at PCMag and Malwarebytes, uses convincing Microsoft-themed advertising to trick users into installing malicious software designed to empty crypto wallets.
The attackers appear to be focusing on users who have not yet upgraded to Windows 11 and may be actively searching for upgrade options after the end-of-support timeline for Windows 10.
How the Scam Works
The campaign begins with paid Facebook ads featuring professional Microsoft branding and messaging offering a “free” or “fast” Windows 11 upgrade. The ads redirect users to counterfeit websites that closely mimic official Microsoft download pages. Some of the fake domains even reference “25H2” to appear current and legitimate.
Attackers are running paid Facebook ads that look like official Microsoft promotions, then directing users to near-perfect clones of the Windows 11 download page. https://t.co/O22vZTAUlL
— Malwarebytes (@Malwarebytes) February 20, 2026
Victims are prompted to download a file, often named “ms-update32.exe,” typically around 75 MB in size. The installer is hosted on attacker-controlled repositories, including cloned projects on GitHub, giving it an extra layer of perceived legitimacy.
In some variations, the attackers go further by using fake CAPTCHA prompts. Users are instructed to press Windows + R, paste a command into the Run dialog, and execute malicious PowerShell code manually. This social engineering trick bypasses traditional download warnings and increases the likelihood of infection.
“LunarApplication” Infostealer Targets Crypto Assets
Once installed, the malware deploys an infostealer hidden inside a folder named “LunarApplication.” The name appears intentionally chosen to resemble legitimate crypto-related tools, reducing suspicion among digital asset holders.
The malware’s primary goal is data extraction. It scans the system for:
- Cryptocurrency wallet seed phrases
- Exchange login credentials
- Saved browser passwords
- Active session cookies
With access to seed phrases or authenticated sessions, attackers can quickly transfer funds out of victims’ wallets before they realize what has happened.
Advanced Evasion Techniques
Researchers say the campaign uses several sophisticated tactics to avoid detection.
Geofencing is one of the attackers' key defenses. If the malicious website detects traffic from a data center, from a VPN commonly used by researchers, or from a known security-scanner IP range, it redirects the visitor to Google’s homepage instead of serving the payload.
The installer also checks for virtual machines and analysis environments. If it detects that it is running inside a sandbox or monitored system, it refuses to execute.
For persistence, the malware embeds itself in the Windows registry under the path HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults, allowing it to survive system reboots and continue harvesting sensitive data.
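As an added example that is not from the article or from Malwarebytes, the PowerShell triage script below checks a Windows host for the artifacts the article names: the registry persistence path, a folder named “LunarApplication,” the “ms-update32.exe” download, and the Run-dialog history (RunMRU) left behind by the paste-a-command CAPTCHA step. The folder and file search roots are assumptions, since the article does not say where the installer drops them.

```powershell
# Added host-triage example (not from the article or Malwarebytes).
# Only the persistence key is taken from the article; search roots are assumed.
$findings = @()

# 1. Persistence key named in the article.
$persistKey = 'HKLM:\SYSTEM\Software\Microsoft\TIP\AggregateResults'
if (Test-Path $persistKey) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Detail = $persistKey }
}

# 2. "LunarApplication" folder. Drop location is not stated, so the user
#    profile and ProgramData are assumed search roots (limited depth).
$roots = @($env:USERPROFILE, $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Force -Depth 4 -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'LunarApplication' } |
        ForEach-Object { $findings += [pscustomobject]@{ Type = 'Folder'; Detail = $_.FullName } }
}

# 3. Installer file name from the article (typically ~75 MB).
$dlDirs = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
foreach ($d in $dlDirs) {
    Get-ChildItem -Path $d -File -Filter 'ms-update32.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $mb = [math]::Round($_.Length / 1MB)
            $findings += [pscustomobject]@{ Type = 'File'; Detail = "$($_.FullName) ($mb MB)" }
        }
}

# 4. ClickFix residue: commands typed into Win+R are recorded under RunMRU.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    $skip = 'MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in (Get-ItemProperty -Path $runMru).PSObject.Properties) {
        if ($p.Name -in $skip) { continue }
        if ("$($p.Value)" -match 'powershell|iex|invoke-expression|downloadstring|-enc|mshta|bitsadmin') {
            $findings += [pscustomobject]@{ Type = 'RunMRU'; Detail = $p.Value }
        }
    }
}

if ($findings.Count -eq 0) { 'No artifacts matching this campaign were found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on any row is a reason to treat the host as compromised and follow the wallet-rotation steps below; a clean result only shows that these particular artifacts are absent.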
What Users Should Do
Security experts stress that Microsoft does not promote operating system upgrades through social media ads. Legitimate updates are delivered exclusively through the built-in Windows Update feature in system settings.
Users who have clicked on suspicious ads or downloaded files should immediately run a full system scan using reputable antivirus software such as the Malwarebytes Free Scanner.
For cryptocurrency holders, the guidance is even more urgent. If a device is suspected to be compromised, funds should be moved to a new wallet generated on a separate, clean device. A new seed phrase must be created, as any previously exposed phrase should be considered permanently compromised.
As crypto adoption grows, attackers are increasingly blending traditional malware tactics with digital asset theft. This latest campaign highlights how social engineering, combined with polished branding and technical evasion, can turn a simple “system update” into a gateway for financial loss.
Source: https://coindoo.com/fake-windows-11-facebook-ads-used-to-steal-crypto-in-active-malware-campaign/
