Attackers are leveraging the power of social media advertising to execute a sophisticated malware campaign that masquerades as legitimate Microsoft promotions. Through paid Facebook ads, they draw unsuspecting users to near-exact replicas of the official Windows 11 download page. A simple click on Download Now leads to the installation of a malicious program, rather than a genuine Windows update, which stealthily pilfers saved passwords, browser sessions, and cryptocurrency wallet information.
“I just wanted to update Windows”
The attack begins innocuously, presenting itself as a professional Facebook ad adorned with Microsoft branding, promoting what seems to be the latest Windows 11 update. For those looking to keep their systems current, this appears to be a straightforward solution.
Upon clicking the ad, users are redirected to a site that closely resembles Microsoft’s authentic Software Download page. The logo, layout, fonts, and even the legal text in the footer are meticulously replicated. The only telltale sign of deceit lies in the address bar, where instead of the trusted microsoft.com, users encounter one of several deceptive domains:
- ms-25h2-download[.]pro
- ms-25h2-update[.]pro
- ms25h2-download[.]pro
- ms25h2-update[.]pro
The inclusion of “25H2” in these domain names is a calculated move, mimicking Microsoft’s own naming conventions for Windows releases. This clever tactic lends an air of authenticity to the fraudulent domains, especially as the real version, 24H2, was widely discussed at the time of the campaign’s launch.
Geofencing: only the right targets get the payload
This campaign is not a scattershot approach; it selectively targets its victims. Before delivering the malware, the counterfeit page checks where the visitor is connecting from. Users connecting from data center IP addresses—often associated with security researchers—are redirected to a benign google.com page, while unsuspecting home or office users are served the malicious file.
This technique, known as geofencing combined with sandbox detection, has enabled the campaign to operate undetected for an extended period. The infrastructure is adeptly designed to evade automated security measures.
When a targeted user clicks Download now, the site triggers a Facebook Pixel “Lead” event, similar to the tracking methods employed by legitimate advertisers to gauge conversion rates. The attackers monitor which users fall for the bait, allowing them to optimize their ad spend in real time.
A 75 MB “installer” served straight from GitHub
If a user passes the initial checks, the site serves a file named ms-update32.exe. At 75 MB, it mimics the size of a legitimate Windows installer.
This file is hosted on GitHub, a platform trusted by millions of developers, ensuring that the download is delivered over HTTPS with a valid security certificate. As a result, browsers do not flag it as suspicious.
The installer is crafted using Inno Setup, a legitimate tool often abused by malware creators for its ability to produce professional-looking installation packages.
What happens when you run it
Upon execution, the installer first checks for any monitoring tools. It scans for virtual machine environments, debuggers, and analysis software. If any of these are detected, it halts its operation. This evasion tactic allows it to bypass many automated security sandboxes, which typically operate within virtual machines.
On a genuine user’s machine, the installer proceeds to extract and deploy its components. The most significant of these is an Electron-based application installed in C:\Users\<username>\AppData\Roaming\LunarApplication. The choice of the name “Lunar” is not coincidental; it is associated with cryptocurrency tools, suggesting that the application is designed to collect and package sensitive data for transmission. Likely targets include cryptocurrency wallet files, seed phrases, browser credentials, and session cookies.
Additionally, two obfuscated PowerShell scripts with randomized filenames are created in the %TEMP% folder and executed with a command line that sets an unrestricted execution policy, bypassing the script-signing checks PowerShell would otherwise apply:
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Hiding in the registry, covering its tracks
To maintain persistence, the malware writes a large binary blob to the Windows registry under: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults. This registry path belongs to a legitimate Windows component, making it less likely to raise suspicion.
Telemetry indicates behavior consistent with process injection. The malware creates Windows processes in a suspended state, injects its code, and resumes execution, allowing it to operate under the guise of a legitimate process, thereby reducing the likelihood of detection.
Once established, the installer deletes temporary files to minimize its forensic footprint and can initiate system shutdowns or reboots to disrupt analysis efforts. The malware employs various encryption and obfuscation techniques, including RC4, HC-128, XOR encoding, and FNV hashing for API resolution, complicating static analysis.
The Facebook ads angle
The utilization of paid Facebook advertising for malware distribution warrants attention. Unlike phishing emails that may land in spam folders or malicious links buried in search results, these ads appear alongside posts from friends and family, enhancing their credibility.
The attackers executed two parallel ad campaigns, each directing users to separate phishing domains. Each campaign utilized its own Facebook Pixel ID and tracking parameters, allowing them to maintain operations even if one domain or ad account was suspended.
This redundancy suggests a well-thought-out strategy, ensuring that if one avenue is compromised, another remains operational.
What to do if you think you’ve been affected
This campaign showcases a high level of technical sophistication and operational awareness. The infrastructure reflects an understanding of common security research and sandboxing techniques, and the choice of Facebook advertising as a delivery method capitalizes on user trust.
It is crucial to remember that legitimate Windows updates are delivered through Windows Update within system settings—not through websites or social media ads. Microsoft does not promote Windows updates on Facebook.
For those who may have downloaded and executed a file from these deceptive sites, it is essential to treat the system as compromised and take immediate action:
- Do not log into any accounts from that computer until it has been scanned and cleaned.
- Run a full scan with Malwarebytes immediately.
- Change passwords for important accounts like email, banking, and social media from a different, clean device.
- If you use cryptocurrency wallets on that machine, move funds to a new wallet with a new seed phrase generated on a clean device.
- Consider alerting your bank and enabling fraud monitoring if any financial credentials were stored on or accessible from that device.
For IT and security teams:
- Block the phishing domains at DNS and web proxy.
- Alert on PowerShell execution with -ExecutionPolicy Unrestricted in non-administrative contexts.
- Hunt for the LunarApplication directory and randomized .yiz.ps1/.unx.ps1 files in %TEMP%.
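The following host triage script is an added example, not code from the Malwarebytes post or from the campaign itself. It turns the hunting guidance above into one PowerShell pass over a single Windows host: it looks for the LunarApplication directory and the randomized .yiz.ps1/.unx.ps1 droppers in every user profile, matches downloaded executables against the SHA-256 listed in the IOC section, inspects the TIP\AggregateResults key for a large binary value, and, where Sysmon is installed, flags non-elevated PowerShell launches that use -ExecutionPolicy Unrestricted. It assumes an elevated session, user profiles under C:\Users, and Sysmon process-creation events (Event ID 1) for the last check; the registry path and hash are taken from the IOC section.

```powershell
# Added triage script (not from the Malwarebytes post). Run elevated on one host.
# Assumptions: profiles live under C:\Users; Sysmon is installed for check 5.

$KnownHash = 'c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa'   # ms-update32.exe (IOC section)
$RegKey    = 'HKLM:\SYSTEM\Software\Microsoft\TIP\AggregateResults'               # persistence blob (IOC section)
$Findings  = New-Object System.Collections.Generic.List[string]

foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    # 1. Electron stealer directory under the roaming profile
    $lunar = Join-Path $userDir.FullName 'AppData\Roaming\LunarApplication'
    if (Test-Path $lunar) { $Findings.Add("LunarApplication directory present: $lunar") }

    # 2. Randomized .yiz.ps1 / .unx.ps1 dropper scripts in the user's Temp folder
    $temp = Join-Path $userDir.FullName 'AppData\Local\Temp'
    Get-ChildItem $temp -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(yiz|unx)\.ps1$' } |
        ForEach-Object { $Findings.Add("Dropper script: $($_.FullName)") }

    # 3. Any copy of the installer in Downloads, matched by hash rather than by file name
    Get-ChildItem (Join-Path $userDir.FullName 'Downloads') -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-FileHash $_.FullName -Algorithm SHA256).Hash -eq $KnownHash } |
        ForEach-Object { $Findings.Add("Known-bad installer hash: $($_.FullName)") }
}

# 4. Registry persistence: the post describes a large binary blob under this key.
#    The 64 KB threshold is an assumption chosen to skip small legitimate values.
if (Test-Path $RegKey) {
    $key = Get-Item $RegKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq 'Binary' -and $key.GetValue($name).Length -gt 65536) {
            $Findings.Add("Large binary registry value: $RegKey\$name ($($key.GetValue($name).Length) bytes)")
        }
    }
}

# 5. Sysmon Event ID 1: PowerShell started with -ExecutionPolicy Unrestricted while the
#    process integrity level is below High, i.e. outside an administrative context.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            $il   = ($data | Where-Object Name -eq 'IntegrityLevel').'#text'
            if ($cmd -match 'powershell' -and $cmd -match '-ExecutionPolicy\s+Unrestricted' -and $il -notin @('High', 'System')) {
                $Findings.Add("Non-elevated PowerShell with Unrestricted policy at $($_.TimeCreated): $cmd")
            }
        }
} catch {
    Write-Warning 'Sysmon operational log not available or empty; skipping process-creation check.'
}

if ($Findings.Count -eq 0) { Write-Output 'No indicators from this campaign found on this host.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
```

Any finding from checks 1 to 4 should be treated as a confirmed infection rather than a lead, since the paths and hash are specific to this campaign; the Sysmon check is noisier, because legitimate administrative tooling also sets an unrestricted policy, so those hits are worth correlating with the file and registry artifacts before acting on them.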
Indicators of Compromise (IOCs)
File hash (SHA-256)
- c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa (ms-update32.exe)
Domains
- ms-25h2-download[.]pro
- ms-25h2-update[.]pro
- ms25h2-download[.]pro
- ms25h2-update[.]pro
- raw.githubusercontent.com/preconfigured/dl/refs/heads/main/ms-update32.exe (payload delivery URL)
File system artifacts
- C:\Users\<username>\AppData\Roaming\LunarApplication
- C:\Users\<username>\AppData\Local\Temp\[random].yiz.ps1
- C:\Users\<username>\AppData\Local\Temp\[random].unx.ps1
Registry
- HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults (large binary data — persistence)
Facebook advertising infrastructure
- Pixel ID: 1483936789828513
- Pixel ID: 955896793066177
- Campaign ID: 52530946232510
- Campaign ID: 6984509026382