Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware

Attackers are running a sophisticated malvertising campaign that leverages paid Facebook ads to distribute credential-stealing malware disguised as official Windows 11 updates. The campaign uses convincing fake Microsoft download pages and includes multiple technical countermeasures designed to evade security researchers.

How the Attack Works

The campaign starts with professional-looking Facebook advertisements featuring Microsoft branding, promoting what appears to be the latest Windows 11 update. Clicking the ad redirects victims to near-perfect clones of Microsoft’s Software Download page hosted on lookalike domains:

  • ms-25h2-download[.]pro
  • ms-25h2-update[.]pro
  • ms25h2-download[.]pro
  • ms25h2-update[.]pro

The “25H2” naming convention deliberately mimics Microsoft’s Windows release naming scheme, making the fake domains appear legitimate at first glance.

Geofencing and Sandbox Detection

Before delivering the malicious payload, the fake page checks the visitor’s IP address. Visitors from data center IPs commonly used by security researchers and automated scanners are redirected to google.com, making the site appear harmless to security tools.

Only visitors who appear to be regular home or office users receive the malicious 75MB installer file, which is hosted on GitHub to bypass browser security warnings.

The Malware Payload

Once executed on a victim’s machine, the installer deploys an Electron-based application named “LunarApplication” to the AppData folder. The malware:

  • Targets cryptocurrency wallets: Collects wallet files, seed phrases, and browser credential stores
  • Steals session cookies: Enables attackers to hijack authenticated sessions
  • Uses registry persistence: Writes encrypted binary blobs to legitimate Windows registry paths
  • Employs process injection: Injects malicious code into suspended Windows processes
  • Implements multiple encryption layers: Uses RC4, HC-128, XOR encoding, and FNV hashing

The installer also checks for virtual machine environments and debuggers before executing, adding another layer of evasion.

Why Facebook Ads Are Dangerous

Unlike phishing emails or suspicious search results, Facebook ads appear alongside trusted content from friends and family. The attackers are even using Facebook Pixel tracking to monitor which victims click the ads and optimize their campaigns in real time.

The campaign runs parallel ad sets pointing to separate phishing domains—if one gets shut down, the other continues operating.

Indicators of Compromise (IOCs)

File Hash (SHA-256):

  • c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa (ms-update32.exe)

File System Artifacts:

  • C:\Users\[USER]\AppData\Roaming\LunarApplication\
  • C:\Users\[USER]\AppData\Local\Temp\[random].yiz.ps1
  • C:\Users\[USER]\AppData\Local\Temp\[random].unx.ps1

Registry Persistence:

  • HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults

Defensive Recommendations

For end users:

  • Windows updates only come from Windows Update in system settings—never from websites or social media ads
  • Microsoft does not advertise Windows updates on Facebook
  • If you downloaded a file from these sites, treat the system as compromised immediately
  • Move cryptocurrency funds to new wallets with fresh seed phrases generated on clean devices

For security teams:

  • Block the phishing domains at DNS and web proxy level
  • Alert on PowerShell execution with -ExecutionPolicy Unrestricted in non-administrative contexts
  • Hunt for LunarApplication directory and randomized .yiz.ps1/.unx.ps1 files in %TEMP%
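As an added example (not from the Malwarebytes report), a small Python triage routine that applies the three hunting recommendations and the file and registry IOCs above to EDR-style process and registry events; the event field names, user name and file names in the samples are constructed assumptions:

```python
import re

# Detection patterns built from the IOCs in the report. The registry path is
# matched as the report prints it, plus the HKLM short form.
PS_UNRESTRICTED = re.compile(r"-executionpolicy\s+unrestricted\b", re.I)
TEMP_STAGER = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s\"]+\.(?:yiz|unx)\.ps1\b", re.I)
LUNAR_DIR = re.compile(r"\\AppData\\Roaming\\LunarApplication\\", re.I)
TIP_KEY = re.compile(
    r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\Software\\Microsoft\\TIP\\AggregateResults$", re.I)


def evaluate(event):
    """Return the names of every indicator a single event matches (empty list = clean)."""
    hits = []
    cmd = event.get("command_line", "")
    # Flag Unrestricted only for non-elevated processes, per the recommendation above.
    if PS_UNRESTRICTED.search(cmd) and not event.get("elevated", False):
        hits.append("powershell_unrestricted_non_admin")
    # Check every path-bearing field for the %TEMP% stagers and the AppData directory.
    paths = " ".join(str(event.get(k, "")) for k in ("command_line", "image", "target_file"))
    if TEMP_STAGER.search(paths):
        hits.append("temp_stager_yiz_unx")
    if LUNAR_DIR.search(paths):
        hits.append("lunarapplication_appdata")
    if TIP_KEY.search(event.get("registry_key", "")):
        hits.append("tip_aggregateresults_persistence")
    return hits


def triage(events):
    """Return (event index, hits) for each event that matches at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]


SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from the campaign
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -ExecutionPolicy Unrestricted -File "C:\Users\alice\AppData\Local\Temp\k3j9x.yiz.ps1"',
     "elevated": False},
    {"image": r"C:\Users\alice\AppData\Roaming\LunarApplication\updater.exe",
     "command_line": "updater.exe"},
    {"command_line": "", "registry_key": r"HKLM\SYSTEM\Software\Microsoft\TIP\AggregateResults"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Unrestricted -File C:\ops\nightly.ps1",
     "elevated": True},  # elevated scheduled job: not flagged by the non-admin rule
    {"image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, hits)
```

The patterns are case-insensitive and tolerate quoting and extra whitespace, so they can be dropped into a log search over process-creation and registry-set telemetry without further adjustment.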

Source: Malwarebytes