Scammers Use Fake Windows 11 Ads on Facebook to Steal Your Crypto!

Fake Windows 11 Facebook Ads Used to Steal Crypto in Active Malware Campaign

Key Takeaways

  • Fake Windows 11 ads on Facebook spread crypto-stealing malware.
  • Victims are redirected to cloned Microsoft-style websites.
  • The “LunarApplication” infostealer targets seed phrases and passwords.
  • Malware uses geofencing and sandbox detection to avoid security tools.

In February 2026, researchers at Malwarebytes and PCMag reported that criminals are running realistic Microsoft-themed ads to trick people into downloading malware that steals cryptocurrency.

The attackers appear to be targeting people who have not yet upgraded to Windows 11, particularly those looking for an upgrade path now that Windows 10 support has ended (October 2025).

How the Scam Works

The scam starts with official-looking Facebook ads impersonating Microsoft and promising a free or quick upgrade to Windows 11. Clicking an ad takes the user to a fake website built to look like the real Microsoft download page. To appear current, some of these sites even reference a recent Windows 11 release, "25H2".

Scammers are using Facebook ads that appear to be legitimate Microsoft offers to trick people into downloading fake versions of Windows 11. These ads link to websites that closely resemble the real Windows 11 download page.

— Malwarebytes (@Malwarebytes)

Victims are lured into downloading a file disguised as a Windows update, typically named something like "ms-update32.exe" and around 75 MB in size. The malicious installer is hosted on attacker-controlled servers and, in some cases, on cloned projects on platforms such as GitHub, which lends it an air of legitimacy for unsuspecting victims.

In some cases the attackers go a step further with a fake CAPTCHA prompt (the technique commonly called ClickFix). The page instructs the visitor to press Windows + R, paste a command that the page has already placed on the clipboard, and press Enter, so the victim executes the malicious loader themselves. Because nothing is downloaded through the browser at that point, the usual download and file-origin warnings never appear, which makes infection more likely.

“LunarApplication” Infostealer Targets Crypto Assets

Once run, the installer drops an infostealer into a folder named "LunarApplication". The name was likely chosen to resemble a legitimate cryptocurrency application so that it does not raise suspicion among users who hold digital currency.

The malware’s primary goal is data extraction. It scans the system for:

  • Cryptocurrency wallet seed phrases
  • Exchange login credentials
  • Saved browser passwords
  • Active session cookies

If attackers gain access to a user’s seed phrase or active login session, they can swiftly steal funds from the user’s wallet, often before the user even knows anything is wrong.

Advanced Evasion Techniques

Researchers say the campaign uses several sophisticated tactics to avoid detection.

The landing pages filter their traffic (geofencing and cloaking). If a visit appears to come from a data center, from a VPN of the kind researchers commonly use, or from a known security scanner, the site redirects the visitor to Google's homepage instead of serving the malicious content, so automated crawlers and analysts see only a harmless page.

The installer also checks whether it is running inside a virtual machine or an analysis sandbox and aborts the installation if it detects one, frustrating both automated and manual analysis.

For persistence, the malware writes to the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults, which the researchers associate with the malware surviving reboots so that it can keep harvesting data. Note that this path is not one of Windows' standard autostart locations (the Run/RunOnce keys, services, or scheduled tasks), and the report does not say which autostart mechanism references it. For incident responders it is best treated as an indicator of compromise to check for alongside the usual autostart locations, rather than as the persistence mechanism itself.
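The following PowerShell triage script is an added example, not code from the Malwarebytes report or PCMag's coverage. It checks a Windows host for the artifacts described in the two sections above: the registry key named in this article, the per-user Win+R history (RunMRU) for pasted commands of the fake-CAPTCHA kind, files or folders matching the installer name and the "LunarApplication" folder, and the standard Run keys and scheduled tasks that could launch them. Only the registry path and the "ms-update32.exe" filename come from the article; the RunMRU check, the command-pattern regex, the directories searched and the autostart checks are assumptions about where such artifacts typically land.

```powershell
# Added triage script, not from the Malwarebytes/PCMag report. Read-only: it only
# reports findings and changes nothing. Run from an elevated PowerShell 5.1+ prompt
# on the suspect host. Only the registry path and the "ms-update32.exe" name come
# from the article; the RunMRU check, search locations and autostart checks are
# assumptions about where such artifacts typically land.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Data) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Data = $Data })
}

# 1. Registry key the article names as the persistence marker (machine hive).
$marker = 'HKLM:\SYSTEM\Software\Microsoft\TIP\AggregateResults'
if (Test-Path -LiteralPath $marker) {
    $values = (Get-Item -LiteralPath $marker).GetValueNames() -join ', '
    Add-Finding 'RegistryKey' $marker "values: $values"
}

# 2. Win+R history. Explorer records Run-box commands per user under RunMRU, so a
#    pasted fake-CAPTCHA command usually survives there. Only the hives of users who
#    are (or recently were) logged on are loaded under HKEY_USERS.
$cmdPattern = 'powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin|iwr|irm|iex|invoke-expression|https?://'
$runMruRel  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$userHives  = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
foreach ($hive in $userHives) {
    $mru = "Registry::HKEY_USERS\$($hive.PSChildName)\$runMruRel"
    if (-not (Test-Path -LiteralPath $mru)) { continue }
    $key = Get-Item -LiteralPath $mru
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUList') { continue }
        $cmd = ([string]$key.GetValue($name)) -replace '\\1$', ''   # strip Explorer's "\1" suffix
        if ($cmd -match $cmdPattern) { Add-Finding 'RunMRU' $hive.PSChildName $cmd }
    }
}

# 3. Files: the installer name quoted in the article and the LunarApplication folder,
#    searched under ProgramData and each profile's Downloads/AppData (assumed drop sites).
$roots = @($env:ProgramData)
foreach ($u in Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $roots += "$($u.FullName)\Downloads", "$($u.FullName)\AppData\Local", "$($u.FullName)\AppData\Roaming"
}
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'LunarApplication' -or $_.Name -like 'ms-update*.exe' } |
        ForEach-Object {
            $size = if ($_.PSIsContainer) { 'directory' } else { '{0:N1} MB' -f ($_.Length / 1MB) }
            Add-Finding 'File' $_.FullName $size
        }
}

# 4. Standard autostart locations referencing either artifact. The marker key in step 1
#    is not itself an autostart location, so something else must launch the stealer.
$autoPattern = 'LunarApplication|ms-update'
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($hive in $userHives) {
    $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $key = Get-Item -LiteralPath $rk
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        if ($val -match $autoPattern) { Add-Finding 'RunKey' "$rk\$name" $val }
    }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if ($actions -match $autoPattern) { Add-Finding 'ScheduledTask' ($_.TaskPath + $_.TaskName) $actions }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this campaign found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any hit means the host should be treated as compromised: disconnect it, preserve the findings for the investigation, and do the credential and wallet recovery described below from a different, clean device. A clean result is not proof of a clean machine, since filenames and drop locations are easy for the operators to change; when in doubt, follow up with a full scan.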

What Users Should Do

Security professionals stress that Microsoft never uses social media ads to tell people to update their operating systems. Genuine feature updates are delivered through Windows Update in your computer's Settings, and official upgrade tools come only from microsoft.com.

If you have clicked on any such ad or downloaded files from an untrustworthy source, scan the entire computer right away with a well-known antivirus product such as the Malwarebytes free scanner.

For anyone holding crypto there is one critical point. If you suspect that any device you use for crypto may be compromised, move your funds to a new wallet created on a completely different, clean device, and generate a fresh seed phrase rather than reusing an old one: a seed phrase that may have been exposed must be considered compromised permanently. Because this stealer also takes saved passwords and active session cookies, change your exchange passwords and revoke active sessions and any API keys from a clean device as well. It is a hassle, but protecting your funds is worth it.

As cryptocurrency use grows, attackers are combining long-standing malware delivery methods with new ways to steal digital assets. This campaign shows how a convincing lure, paired with techniques to evade detection, can trick people into running what looks like an ordinary software update and leave them out of pocket.

As an analyst, I want to be clear that the information I provide is strictly for educational use. It’s not financial, investment, or trading advice, and I don’t recommend any particular investment or cryptocurrency. Before you make any decisions with your money, please do your own thorough research and, importantly, speak with a qualified financial advisor.


2026-02-25 17:46