
Fake Windows 11 Facebook Ads Used to Steal Crypto in Active Malware Campaign

2026/02/25 21:45
4 min read

Key Takeaways

  • Fake Windows 11 ads on Facebook spread crypto-stealing malware.
  • Victims are redirected to cloned Microsoft-style websites.
  • The “LunarApplication” infostealer targets seed phrases and passwords.
  • Malware uses geofencing and sandbox detection to avoid security tools.

The operation, uncovered in February 2026 by researchers at PCMag and Malwarebytes, uses convincing Microsoft-themed advertising to trick users into installing malicious software designed to empty crypto wallets.

The attackers appear to be focusing on users who have not yet upgraded to Windows 11 and may be actively searching for upgrade options after the end-of-support timeline for Windows 10.

How the Scam Works

The campaign begins with paid Facebook ads featuring professional Microsoft branding and messaging offering a “free” or “fast” Windows 11 upgrade. The ads redirect users to counterfeit websites that closely mimic official Microsoft download pages. Some of the fake domains even reference “25H2” to appear current and legitimate.

Victims are prompted to download a file, often named “ms-update32.exe,” typically around 75 MB in size. The installer is hosted on attacker-controlled repositories, including cloned projects on GitHub, giving it an extra layer of perceived legitimacy.

In some variations, the attackers go further by using fake CAPTCHA prompts. Users are instructed to press Windows + R, paste a command into the Run dialog, and execute malicious PowerShell code manually. This social engineering trick bypasses traditional download warnings and increases the likelihood of infection.

“LunarApplication” Infostealer Targets Crypto Assets

Once installed, the malware deploys an infostealer hidden inside a folder named “LunarApplication.” The name appears intentionally chosen to resemble legitimate crypto-related tools, reducing suspicion among digital asset holders.

The malware’s primary goal is data extraction. It scans the system for:

  • Cryptocurrency wallet seed phrases
  • Exchange login credentials
  • Saved browser passwords
  • Active session cookies

With access to seed phrases or authenticated sessions, attackers can quickly transfer funds out of victims’ wallets before they realize what has happened.

Advanced Evasion Techniques

Researchers say the campaign uses several sophisticated tactics to avoid detection.

Geofencing is one of the key evasion mechanisms. If the malicious website detects traffic coming from a data center, from a VPN commonly used by researchers, or from a known security-scanner IP range, it redirects the visitor to Google’s homepage instead of serving the payload.

The installer also checks for virtual machines and analysis environments. If it detects that it is running inside a sandbox or monitored system, it refuses to execute.

For persistence, the malware embeds itself in the Windows registry under the path HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults, allowing it to survive system reboots and continue harvesting sensitive data.
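As an added example (not code from the article or from the researchers it cites), the Python below turns two indicators this article names, the fake-CAPTCHA “paste into Run” PowerShell step and the registry persistence path, into a triage check over Sysmon-style events. The Sysmon field names are real; the sample events and the `triage` function are constructed for this example, and the explorer.exe parent check is a hunting lead rather than proof of infection.

```python
from typing import Iterable

# Values taken from the article: the persistence registry path and the dropper's file name.
PERSISTENCE_PATH = r"HKLM\SYSTEM\Software\Microsoft\TIP\AggregateResults"
DROPPER_NAME = "ms-update32.exe"


def _norm(path: str) -> str:
    """Lower-case a path and unify the HKLM prefix so both spellings compare equal."""
    return path.lower().replace("hkey_local_machine\\", "hklm\\")


def triage(events: Iterable[dict]) -> list[str]:
    """Return findings from Sysmon-style event dicts (field names follow Sysmon's schema).

    id 13 = registry value set: uses TargetObject
    id 1  = process creation:   uses Image and ParentImage
    """
    findings = []
    for ev in events:
        if ev.get("id") == 13:
            if _norm(ev.get("TargetObject", "")).startswith(_norm(PERSISTENCE_PATH)):
                findings.append("persistence: registry write under " + PERSISTENCE_PATH)
        elif ev.get("id") == 1:
            image = ev.get("Image", "").lower()
            parent = ev.get("ParentImage", "").lower()
            if image.endswith("\\" + DROPPER_NAME):
                findings.append("dropper: " + DROPPER_NAME + " executed")
            # Commands typed into Win+R are spawned by explorer.exe, so a PowerShell
            # child of explorer.exe matches the fake-CAPTCHA "paste into Run" step.
            # This is a hunting lead, not proof: users also start PowerShell that way.
            if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and parent.endswith("\\explorer.exe"):
                findings.append("clickfix: PowerShell launched from explorer.exe (Run dialog?)")
    return findings


# Constructed sample telemetry, not real logs, mirroring the chain the article describes.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"id": 1, "Image": r"C:\Users\alice\Downloads\ms-update32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 13, "TargetObject": r"HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```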

What Users Should Do

Security experts stress that Microsoft does not promote operating system upgrades through social media ads. Legitimate updates are delivered exclusively through the built-in Windows Update feature in system settings.

Users who have clicked on suspicious ads or downloaded files should immediately run a full system scan using reputable antivirus software such as the Malwarebytes Free Scanner.

For cryptocurrency holders, the guidance is even more urgent. If a device is suspected to be compromised, funds should be moved to a new wallet generated on a separate, clean device. A new seed phrase must be created, as any previously exposed phrase should be considered permanently compromised.

As crypto adoption grows, attackers are increasingly blending traditional malware tactics with digital asset theft. This latest campaign highlights how social engineering, combined with polished branding and technical evasion, can turn a simple “system update” into a gateway for financial loss.


The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.

The post Fake Windows 11 Facebook Ads Used to Steal Crypto in Active Malware Campaign appeared first on Coindoo.

Disclaimer: The articles republished on this site are taken from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes third-party rights, please contact crypto.news@mexc.com to request removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and accepts no responsibility for any actions taken based on the information provided. This content does not constitute financial, legal, or other professional advice and should not be regarded as a recommendation or endorsement by MEXC.