Fake Windows ads stealing recovery phrases! Facebook pushes a "Free Upgrade to Win11" post, mimicking the official Microsoft website, making it hard to distinguish real from fake.

Hackers are using Facebook to run ads that impersonate Windows 11 updates, employing professional Microsoft branding and visuals to trick users into clicking. This leads to the installation of a malicious program called “Lunar Application,” which is designed to steal cryptocurrency wallet seed phrases and login credentials.
(Background: Beware of unofficial Windows 10 downloads containing trojans that can evade antivirus detection, which have already stolen $19,000 worth of crypto assets)
(Additional info: Kaspersky has found malicious software in popular Android and iOS apps that steal wallet seed phrases)

Table of Contents

Toggle

• Fake Ads, Real Traps: A One-Stop Scam Impersonating Microsoft Official Website
• “Lunar Application” Malicious Framework: Targeting Crypto Wallets
• Geofencing Technology: Precisely Avoiding Security Scans
• How to Protect Yourself?

Security researchers recently reported a new wave of attacks targeting cryptocurrency users spreading on Facebook. Hackers purchase ad space and run highly realistic “Free Windows 11 Upgrade” ads, using professional Microsoft branding and visuals to lure users into clicking.

Fake Ads, Real Traps: A One-Stop Scam Impersonating Microsoft Official Website

These ads are reportedly of very high quality, not only using Microsoft’s official logo and brand colors but also mimicking Microsoft’s official tone in their wording, making it difficult for average users to distinguish authenticity at first glance.

When users click the ad, they are directed to a meticulously cloned Microsoft official website. The site’s interface, layout, and even URL are deliberately disguised to lower suspicion. The site then prompts users to download a so-called “Windows 11 update package,” which is actually a carrier for malicious software.

“Lunar Application” Malicious Framework: Targeting Crypto Wallets

Once the user runs the downloaded installer, their computer becomes infected with a malicious framework called “Lunar Application.” Its core functions are designed to target cryptocurrency assets:

• Stealing Wallet Seed Phrases: Scanning stored seed phrase backups on the computer; once obtained, hackers can fully control the victim’s crypto wallets.
• Stealing Login Credentials: Extracting stored exchange account passwords and wallet app login info from browsers.
• Stealing Other Sensitive Data: Including cookies and autofill form data, which can be used for further account hijacking.

Geofencing Technology: Precisely Avoiding Security Scans

Notably, the hackers have also employed “geofencing” techniques in this attack, deliberately filtering out connection requests from data center IP addresses. This means that automated scanners and sandbox environments used by security companies will have difficulty accessing the malicious sites, significantly reducing the chances of early detection and flagging.

This approach demonstrates the hackers’ advanced technical capabilities, combining social engineering with evasion of security defenses.

How to Protect Yourself?

In the face of increasingly sophisticated attacks, cryptocurrency users should stay vigilant:

• Always download updates only from the official Microsoft website (microsoft.com): Avoid downloading software from social media ads.
• Keep seed phrases offline: Never store seed phrases digitally on your computer.
• Use hardware wallets: Store large assets in cold wallets like Ledger or Trezor.
• Regularly check browser extensions: Remove any unknown or suspicious add-ons.