Hackers are abusing Facebook’s advertising platform to distribute fake Windows 11 download pages that deliver credential-stealing malware instead of legitimate updates.
A Malwarebytes security report found campaigns using paid Facebook ads designed to look like official Microsoft promotions. Several campaigns ran in parallel, each with its own domains and tracking infrastructure, and each used conversion tracking to monitor ad performance.
The ads redirect users to highly convincing copies of Microsoft’s Windows download website, complete with cloned branding, layout, and legal text. The only visible difference is the website address, which uses look-alike domains rather than microsoft.com.
Once on the page, visitors are prompted to click a “Download” button. Instead of receiving a Windows update, targeted users download a malicious executable posing as a Windows 11 installer.
The fake download pages don’t serve malware to everyone, performing checks on visitors before delivering the payload. Only systems that appear to belong to regular home or office users receive the malicious file. Users connecting from data centers or environments commonly used by security researchers are redirected to harmless websites, making the campaign harder to detect and shut down.
The malware, named to resemble a Windows update, is also large in file size, as a legitimate update would be. It is hosted on GitHub, a trusted platform.
The installer itself is built using legitimate software packaging tools, further disguising its true purpose.
When executed on a real system, the malware installs components designed to harvest sensitive data, including:
- Saved browser passwords
- Active login sessions and cookies
- Cryptocurrency wallet files and related data
The malware also establishes persistence on the system using legitimate Windows registry locations and employs multiple obfuscation and encryption techniques to evade analysis and detection.
Windows updates are always delivered through the operating system’s built-in update mechanism or through Microsoft’s official Windows and Microsoft domains, not through third-party websites or advertisements.
Users who may have downloaded and run software from these fake update pages should treat the affected system as compromised, scan it with reputable security software such as Malwarebytes, and change important account credentials from a clean device.
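Because the only visible difference between the fake pages and the real one is the website address, a simple triage check is whether a download link's registrable domain actually belongs to Microsoft. The following is an added example (not code from the report or from Malwarebytes); the allowlist of official domains and the sample URLs are constructed for illustration, and a production version should resolve registrable domains with the Public Suffix List rather than the last-two-labels shortcut used here.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains Microsoft uses for Windows
# downloads and updates; extend it from your own verified sources.
OFFICIAL_DOMAINS = {"microsoft.com", "windows.com", "windowsupdate.com"}
BRAND_WORDS = ("microsoft", "windows")
# A few digit-for-letter substitutions seen in look-alike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels (a shortcut that is fine for .com-style
    TLDs; use the Public Suffix List for multi-label suffixes like co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_download_url(url: str) -> str:
    """Classify a URL as 'official', 'lookalike' or 'unrelated'.

    'lookalike' means the hostname borrows Microsoft/Windows branding (after
    undoing simple homoglyph swaps) while its registrable domain is not on the
    allowlist, which is exactly the pattern the fake download pages relied on.
    """
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    normalized = host.translate(HOMOGLYPHS)
    if any(word in normalized for word in BRAND_WORDS):
        return "lookalike"
    return "unrelated"


def flag_lookalikes(urls):
    """Return the subset of URLs that impersonate Microsoft's download sites."""
    return [u for u in urls if classify_download_url(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample links, e.g. pulled from a proxy log or an ad landing page.
    sample = [
        "https://www.microsoft.com/software-download/windows11",
        "https://microsoft.com.win11-update.example/download",
        "https://micros0ft-windows11.example/Download",
        "https://github.com/example-user/example-repo/releases",
    ]
    for u in sample:
        print(classify_download_url(u), u)
```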