Facebook “Windows 11 Update” Scam: Fake Microsoft Ads That Install an Infostealer (Passwords + Crypto Wallets)

Cybersecurity • Scam Alert • Updated: Feb 20, 2026 (Asia/Manila)

Paid Facebook ads that look like legitimate Microsoft “Windows 11 updates” are redirecting people to convincing fake download pages. The download is not an update—it’s an infostealer designed to drain saved passwords, browser sessions, and crypto wallets.

TL;DR: Microsoft does not push Windows updates through Facebook ads. Update only via Settings → Windows Update. If you downloaded and ran a file from an “update” ad, assume compromise: disconnect, change passwords from a clean device, revoke sessions, and secure crypto accounts immediately.

What’s happening today (Feb 20, 2026) and why it matters

Today’s scam is simple in concept and brutal in impact: you see a Facebook ad that looks like a Microsoft promotion, it claims you need a Windows 11 update (often using believable version language like “25H2”), you click “Download,” and you end up running a malicious installer. The malware is an infostealer—a category of malware built to quietly harvest valuable data such as saved passwords, browser session cookies/tokens, and cryptocurrency wallet information.

This campaign was documented in a Feb 20, 2026 report by Malwarebytes, which describes paid Facebook ads impersonating Microsoft, near-identical clones of Windows 11 download pages, and a malicious executable delivered to victims. Source: Malwarebytes report

  • Scam vector: Facebook/Meta paid ads (“Windows 11 update”) → fake Microsoft page → malicious download.
  • What it steals: saved passwords, browser sessions, and crypto wallet data.
  • Why it’s convincing: the pages look like Microsoft, and “Windows 11 25H2” is a real version label.
  • Safest action: never update Windows from ads—use Settings → Windows Update.

If you manage devices (school, office, household), the operational risk is high: an infostealer can pivot from one compromised machine to email takeover, social takeover, and financial theft—especially when people store passwords in browsers or keep crypto wallet extensions on the same profile.

What the scam looks like (and the psychology behind it)

Most people don’t wake up planning to download suspicious software. Scammers win by aligning their pitch with something you already believe: “updates keep you safe.” Add official-looking branding, and the decision becomes automatic.

Stage 1: The Facebook ad impersonates a Microsoft update

The ads are designed to feel routine: a Windows 11 update prompt, a security patch, a “new version available.” The creative often uses Microsoft-style layout and language. Because it’s an ad, it also inherits a certain false legitimacy: people assume platforms screen ads aggressively. In reality, malicious ads often slip through and spread fast before takedown (source: Malwarebytes report).

Stage 2: A near-perfect clone of the Windows 11 download page

After clicking, victims land on a site that looks like Microsoft’s Windows 11 download experience. The trick is in the address bar: the domain is not Microsoft. The Malwarebytes report lists lookalike domains using “25H2” and “update/download” in the name.

Rule of thumb: If the domain isn’t a legitimate Microsoft domain (for most consumers: microsoft.com), don’t download anything. Branding can be copied; the address bar is harder to fake.
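As an added illustration of the address-bar rule (example code written for this page, not code from Malwarebytes or Microsoft), the Python below takes a URL as copied from the address bar, extracts the host the browser will actually connect to, and accepts it only if that host is microsoft.com or a subdomain of it. It also explains the common lookalike tricks that defeat a quick glance: the brand name used as a subdomain of some other domain, the `user@host` trick, punycode labels, and version/update words in the domain. The allowlist and the sample URLs are assumptions constructed for the example.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Registrable domain the page's rule of thumb names as legitimate for consumers.
# Assumption: this allowlist is the only trust signal used here; add other
# official domains your organization accepts.
TRUSTED_DOMAINS = {"microsoft.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased host the browser will connect to, or None."""
    if "://" not in url:
        url = "https://" + url  # allow a bare host copied from the address bar
    host = urlsplit(url).hostname  # strips scheme, userinfo, port, path, query
    return host.lower().rstrip(".") if host else None


def is_trusted_microsoft(url: str) -> bool:
    """True only if the host IS an allowlisted domain or a subdomain of one."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_reasons(url: str) -> List[str]:
    """Explain why an untrusted URL resembles a Microsoft impersonation."""
    reasons: List[str] = []
    if is_trusted_microsoft(url):
        return reasons
    host = hostname_of(url) or ""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    if "microsoft" in host:
        reasons.append("brand name inside an untrusted host (e.g. microsoft.com.<other-domain>)")
    if "@" in authority:
        reasons.append("userinfo trick: text before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homoglyph domain")
    if any(tok in host for tok in ("25h2", "update", "download")):
        reasons.append("version/update words in the domain, as in the reported lookalikes")
    return reasons


# Constructed sample URLs: one real Microsoft download page, one domain from the
# report's defanged list (refanged), and invented lookalike tricks.
SAMPLE_URLS = [
    "https://www.microsoft.com/en-us/software-download/windows11",
    "https://ms-25h2-update.pro/",
    "https://microsoft.com.example-lookalike.pro/download",
    "https://www.microsoft.com@example-lookalike.pro/",
    "https://notmicrosoft.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict = "TRUSTED" if is_trusted_microsoft(u) else "DO NOT DOWNLOAD"
        print(f"{verdict:16} {u}  {lookalike_reasons(u)}")
```

The check deliberately ignores everything except the host: page branding, the path, and even a `microsoft.com` appearing before `@` in the URL carry no weight, which is exactly why the address-bar test is harder to fake than a page layout.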

Stage 3: The “Update” is actually a malware installer

Instead of a Windows update, the page triggers a download of a Windows executable. According to Malwarebytes, victims may receive a file named ms-update32.exe that delivers an infostealer (source: Malwarebytes report, file name and behavior).

Why “Windows 11 25H2” makes the scam feel real

“25H2” isn’t random scam jargon. It matches a real Windows 11 version line (25H2) that Microsoft has documented in release health and update history pages. That reality makes the scam psychologically efficient: the victim doesn’t need to be tricked into believing a new version exists—only that this ad is the proper way to get it (sources: Microsoft’s Windows 11 25H2 enablement package KB and the Microsoft Learn Windows 11 25H2 release health page).

Local context (PH): Many users in the Philippines rely heavily on Facebook for discovery—ads, pages, marketplace, and even “tech tips.” That makes Facebook malvertising especially risky: the scam appears in the same feed people use daily for normal updates and announcements.

What an infostealer actually steals (in plain English)

“Infostealer” sounds generic, but the outcomes are very specific—and costly. Think of it as a vacuum cleaner for your digital life. Once installed, it tries to collect the easiest, highest-value secrets that people store on their computers.

1) Saved passwords (browsers, apps, autofill)

If you let Chrome/Edge/Firefox remember passwords, an infostealer will often attempt to extract those credentials. That includes email, banking portals, online shopping, social media, school accounts, and work tools.

2) Browser sessions (cookies/tokens)

This is the underrated danger. Many services keep you logged in using session cookies/tokens. If those are stolen, attackers may be able to access an account without typing the password again. That’s why “revoke sessions” is a key step after infection.

Why this matters: Changing your password helps, but if an attacker has a valid session cookie, they may still be logged in until the session is invalidated. Always use “log out of all devices” / “sign out everywhere” where available.

3) Crypto wallets and seed exposure risk

Crypto theft is fast and often irreversible. Infostealers commonly target browser-based wallet extensions, wallet files, and anything that looks like keys, phrases, or vault data. If you’ve ever copied seed phrases to notes, screenshots, or text files (even temporarily), assume those artifacts can be discovered.

How to check for Windows updates safely (the only method you need)

The safest update workflow is boring—and that’s exactly why it works. Here’s the muscle-memory version you can share with family, students, co-workers, and staff.

  1. Open Settings (press Win + I).
  2. Go to Windows Update.
  3. Click Check for updates.
  4. If you see a feature update (e.g., 25H2), install it from there—not from ads, popups, or random downloads.

If you’re the type who prefers official documentation, Microsoft’s release health and update history pages are useful for confirming that a version label is real (like 25H2)—but the installation should still happen through Windows Update (or your organization’s managed tools like WSUS/Intune). (Sources: Microsoft’s 25H2 update history and the Microsoft Learn 25H2 release health status page.)

If you must download something: the verification checklist

Most people don’t need to download an installer. But if you do (for example, installation media), use this checklist:

  • Domain check: confirm you’re on an official Microsoft domain (typically microsoft.com).
  • Never trust: “update” or “download” sites found through ads or random pages, especially on new TLDs.
  • File properties: right-click the file → Properties → look for a Digital Signatures tab. If present, validate the signer.
  • When in doubt: don’t run it. Use Windows Update instead.

What to do if you clicked (or downloaded) — and what to do if you ran it

Scenario A: You only clicked the ad (no download, no run)

If you clicked but did not download or run anything, your risk is lower. Still:

  • Close the tab.
  • Report the ad (see reporting section below).
  • Run a quick scan with Windows Security if you want peace of mind.
  • Be cautious of follow-up scams (some campaigns retarget people who clicked once).

Scenario B: You downloaded a file but did not run it

Delete it immediately. Then empty Recycle Bin. Run a full antivirus scan. This is usually enough if you truly did not execute it.

Scenario C: You ran the installer (treat this as compromised)

If you ran an executable from a fake update page, assume compromise. This is the highest-risk scenario because infostealers can collect and transmit data quickly.

Do this fast:
  1. Disconnect the PC from the internet (turn off Wi-Fi / unplug ethernet).
  2. Do not log in to email, banking, Facebook, or crypto accounts on that PC.
  3. From a clean device, change your email password first (email resets everything).
  4. Then change passwords for banking, socials, and any stored credentials; enable MFA where possible.
  5. Revoke sessions (“log out of all devices”) for critical accounts.
  6. Run a full malware scan (Windows Security + reputable second opinion scanner).
  7. If crypto is involved, assume wallet exposure; move funds to a new wallet generated on a clean device.

This guidance is consistent with the observed behavior of modern malvertising and infostealer campaigns, including those that abuse trusted hosting platforms and use evasion to avoid analysis (source: Microsoft Security Blog, malvertising campaign leading to infostealers hosted on GitHub).

Password reset order (the order matters)

If you’re overwhelmed, follow this priority list. It’s built around “what lets attackers reset everything else.”

  1. Email accounts (primary + recovery email)
  2. Password manager (if you use one)
  3. Banking / payment (cards, mobile wallets, online banking)
  4. Social media (Facebook, Instagram, YouTube, TikTok)
  5. Work/school accounts (Microsoft 365, Google Workspace, LMS)
  6. Crypto exchanges and wallets

Don’t forget session revocation

After changing passwords, sign out of all sessions/devices where possible. Many services have a security page listing devices. Remove anything unfamiliar. This step prevents attackers from staying logged in with stolen session tokens.

How to spot a fake Windows 11 update page (10-second test)

Use this fast checklist before you download anything:

1) The address bar test

If it’s not a Microsoft domain, it’s not Microsoft. Scammers use new TLDs and convincing words like “25h2,” “update,” and “download.”

2) The origin test

If you arrived from a Facebook ad, treat it as untrusted by default. Updates belong in Settings, not in your feed.

3) The executable test

Windows updates don’t normally ask you to run random EXEs from “update” sites. That’s an attacker pattern.

4) The pressure test

If the page pushes urgency (“update now or you’re unsafe”), slow down. Real update UX is inside Windows Update.

For IT/Admins: indicators, triage, and containment (optional)

This section is for admins, tech leads, and anyone supporting multiple machines. If you’re a regular reader, you can skip it. The details below are included so you can hand the page to your IT person without rewriting everything.

IOCs and technical details

The Malwarebytes report describes a flow where the threat actors use geofencing and sandbox/VM detection to avoid analysis, and deliver a malicious executable (reported as ms-update32.exe) to victims (source: Malwarebytes campaign analysis).

Defanged domains (do not click)

ms-25h2-download[.]pro
ms-25h2-update[.]pro
ms25h2-download[.]pro
ms25h2-update[.]pro

File name and hash (as reported)

File: ms-update32.exe
SHA-256: c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa

Observed artifacts (as reported)

%APPDATA%\LunarApplication\
%TEMP%\[random].yiz.ps1
%TEMP%\[random].unx.ps1
Registry: HKLM\SYSTEM\Software\Microsoft\TIP\AggregateResults

Containment checklist

  • Isolate the host (network containment).
  • Collect triage artifacts (browser data access, new scheduled tasks/services, suspicious PowerShell logs).
  • Reset credentials from clean endpoints; prioritize email and IdP accounts.
  • Enforce session revocation at the IdP/SaaS level.
  • Block defanged domains at DNS/proxy; hunt across telemetry for the hash and file path patterns.
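To show how the “hunt across telemetry” step of the checklist can be done in practice, here is an added Python example (written for this page, not tooling from Malwarebytes or Microsoft). It refangs the defanged domains above, scans proxy log lines for any host that is one of those domains or a subdomain of one, matches file-creation and registry events against the reported artifact paths, and compares a file’s SHA-256 against the reported hash. The IOCs are the ones listed above; the proxy log format, the telemetry lines and the user/path names are constructed assumptions, so adapt the line parsing to your own proxy and EDR export formats.

```python
import hashlib
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# IOCs as reported (copied from the section above, domains kept defanged in source).
DEFANGED_DOMAINS = [
    "ms-25h2-download[.]pro",
    "ms-25h2-update[.]pro",
    "ms25h2-download[.]pro",
    "ms25h2-update[.]pro",
]
REPORTED_SHA256 = "c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa"

# Reported artifacts expressed as case-insensitive regexes over Windows paths/keys.
# "[random]" in the report becomes "one path component of anything".
ARTIFACT_PATTERNS = {
    "lunarapplication_dir": re.compile(r"\\LunarApplication\\", re.I),
    "yiz_ps1": re.compile(r"\\[^\\]+\.yiz\.ps1$", re.I),
    "unx_ps1": re.compile(r"\\[^\\]+\.unx\.ps1$", re.I),
    "tip_registry": re.compile(r"HKLM\\SYSTEM\\Software\\Microsoft\\TIP\\AggregateResults", re.I),
    "dropper_name": re.compile(r"\\ms-update32\.exe$", re.I),
}


def refang(domain: str) -> str:
    """Turn 'example[.]pro' back into 'example.pro' for matching against logs."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_is_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, host) for each line whose URL host is an IOC domain.

    Assumed (constructed) line format: '<timestamp> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        host = urlsplit(parts[3]).hostname
        if host and host_is_ioc(host):
            hits.append((n, host))
    return hits


def scan_artifacts(events: List[str]) -> List[Tuple[str, str]]:
    """Return (pattern_name, event) for every path/registry event matching an artifact."""
    hits = []
    for event in events:
        for name, pattern in ARTIFACT_PATTERNS.items():
            if pattern.search(event):
                hits.append((name, event))
    return hits


def sha256_matches(data: bytes) -> bool:
    """True if the bytes hash to the reported dropper SHA-256."""
    return hashlib.sha256(data).hexdigest() == REPORTED_SHA256


# Constructed sample data: two clients, one of which visited a listed domain.
PROXY_LOG = [
    "2026-02-20T09:14:02 10.0.0.21 GET https://www.microsoft.com/en-us/software-download/windows11 200",
    "2026-02-20T09:15:40 10.0.0.21 GET https://ms-25h2-update.pro/ 200",
    "2026-02-20T09:15:41 10.0.0.21 GET https://ms-25h2-update.pro/download 200",
    "2026-02-20T09:20:11 10.0.0.33 GET https://www.facebook.com/ 200",
]
TELEMETRY = [
    r"C:\Users\alice\AppData\Roaming\LunarApplication\settings.dat",
    r"C:\Users\alice\AppData\Local\Temp\k3j9f2.yiz.ps1",
    r"C:\Users\alice\AppData\Local\Temp\k3j9f2.unx.ps1",
    r"HKLM\SYSTEM\Software\Microsoft\TIP\AggregateResults",
    r"C:\Users\alice\Downloads\ms-update32.exe",
    r"C:\Users\alice\AppData\Local\Temp\report.ps1",  # benign, should not match
]

if __name__ == "__main__":
    print("proxy hits:", scan_proxy_log(PROXY_LOG))
    print("artifact hits:", scan_artifacts(TELEMETRY))
    print("hash match:", sha256_matches(b"constructed sample bytes, not the reported file"))
```

A proxy hit identifies the client IP (here 10.0.0.21) to isolate first; the artifact matches then confirm execution on that host, which is what separates Scenario B (downloaded, not run) from Scenario C (compromised) in the response guidance above.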

For broader context on malvertising chains delivering infostealers (including abuse of trusted platforms like GitHub), Microsoft’s Defender Threat Intelligence write-up is relevant (source: Microsoft Security Blog, malvertising campaign).

Why malvertising keeps working (and why it’s getting worse)

Malvertising is attractive to criminals for one main reason: it scales. Instead of messaging victims one by one, attackers buy reach. They can A/B test ad creatives, target specific regions, and rotate domains quickly. Even when one link is taken down, a near-identical replacement can appear within hours.

Modern campaigns also use evasion techniques—like geofencing and sandbox detection—so security teams who “click to verify” may get redirected to something harmless, while normal users receive the payload. Malwarebytes explicitly notes these techniques in today’s campaign (source: Malwarebytes report, evasion tactics).

Microsoft has described how malvertising operations can impact massive numbers of devices and leverage trusted platforms and scripts, including PowerShell, as part of the delivery chain (source: Microsoft Security Blog, large-scale malvertising).

How to report the scam (and why reporting matters)

Reporting won’t undo harm already done, but it helps reduce reach—especially for fast-moving ad campaigns. Here’s what to do:

Report the Facebook ad

  • Tap the three dots on the ad.
  • Select Report ad.
  • Choose a category like “Scam,” “Fraud,” or “Misleading.”
  • If available, add a note: “Fake Windows 11 update / malware download.”

Report internally (work/school)

  • Send the screenshot and the defanged domain to your IT/security contact.
  • Ask them to check DNS/proxy logs for other clicks, and to alert staff.

Report socially (family/friends)

A quick post or group chat message can prevent a second victim. Keep it short: “Don’t install Windows updates from Facebook ads. Update only via Settings → Windows Update.”

Prevention that actually works (without turning you into a security expert)

You don’t need ten tools or advanced knowledge. You need a few habits that shut down common attack paths.

Habit #1: Treat ads as untrusted software distribution

Ads are designed to make you act. That’s the entire product. So don’t use them as a source of “updates,” “installers,” or “fixes.” If it’s legitimate, you’ll be able to find it through official channels without urgency and without clicking an ad.

Habit #2: Use a password manager (and stop saving passwords in browsers)

Browser password stores are convenient—but they are also common targets. A reputable password manager can reduce risk and makes password rotation much easier if something goes wrong.

Habit #3: Turn on MFA, but don’t stop there

MFA helps, but infostealers often aim for session theft. That’s why session revocation is critical after suspected compromise. If your accounts support it, prefer stronger MFA methods (authenticator apps or security keys) over SMS.

Habit #4: Keep crypto separated

If you hold meaningful crypto value, consider separating your wallet environment: use a hardware wallet, keep seed phrases offline, and avoid managing high-value wallets on devices used for random downloads or heavy browsing.

Habit #5: Make Windows Update the only update ritual

For most users, Windows Update is the single source of truth. If you build that habit, “fake update” scams lose their power.

FAQ (People Also Ask)

Can Windows 11 updates come from Facebook ads?

Practically, no. The normal, safe path is Windows Update inside Settings. Ads can link anywhere—even fake pages. Use Settings → Windows Update for updates.

Is Windows 11 25H2 real, or is it a scam label?

Windows 11 version 25H2 is real, and Microsoft documents it in official update and release health pages. Scammers use real labels to make fake pages feel legitimate (source: Microsoft 25H2 documentation).

What’s an infostealer?

An infostealer is malware designed to steal information—especially saved passwords, browser sessions, and financial or crypto data—and send it to attackers.

If I changed my password, am I safe?

Changing passwords is important, but you should also revoke sessions (“log out of all devices”) because stolen browser sessions can keep attackers logged in. If you ran the malware, consider the device compromised until cleaned.

How do I know if my PC is infected?

There may be no obvious signs. That’s why scans and account hardening matter. If you ran an unknown EXE from a fake update page, treat it as infection and respond accordingly.

What should schools and offices do to protect staff?

Push a one-sentence policy: “No updates from ads.” Block known malicious domains at DNS/proxy, train staff to check the address bar, and require password manager + MFA for critical accounts.

Sources (primary references)

  • Malwarebytes (Feb 20, 2026): “Facebook ads spreading fake Windows 11 downloads that steal passwords and crypto wallets”
  • Microsoft Security Blog (Mar 6, 2025): “Malvertising campaign leading to infostealers hosted on GitHub”
  • Microsoft documentation: Windows 11, version 25H2 (enablement package KB article and release health page)
