Cybercriminals are leveraging the trust users place in their social media feeds to distribute stealthy information-stealing malware. According to a new threat intelligence report from Malwarebytes, a highly deceptive new campaign is exploiting the world’s largest social network.
“Attackers are running paid Facebook ads that look like official Microsoft promotions, then directing users to near-perfect clones of the Windows 11 download page,” the report warns.
Rather than relying on the traditional method of hiding malicious links in spam emails, this campaign targets users right in their newsfeeds.
The attack sequence begins with a completely ordinary-looking advertisement. “It looks professional, uses Microsoft branding, and promotes what appears to be the latest Windows 11 update,” the report notes.
The report highlights why this delivery method is so effective: “These are paid Facebook ads appearing alongside posts from friends and family”. Because the ads are injected into a trusted, familiar environment, “it feels like a convenient shortcut” for users who have been meaning to update their PCs.
Once a victim clicks the malicious advertisement, they are taken to a spoofed website designed to fool even vigilant users. The threat actors have carefully recreated the legitimate Microsoft Software Download page. The researchers note that “The logo, layout, fonts, and even the legal text in the footer are copied”.
If a victim clicks “Download Now,” they do not receive a system update. Instead, “you get a malicious installer, one that silently steals saved passwords, browser sessions, and cryptocurrency wallet data”.
To make the payload harder to analyze and detect, the attackers have armored it. “The malware uses multiple encryption and obfuscation techniques, including RC4, HC-128, XOR encoding, and FNV hashing for API resolution”. The report adds that “These methods make static analysis more difficult” for security analysts and automated tools, since API names and strings do not appear in clear text in the binary.
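To show what two of the named primitives look like from the analyst's side, here is an added example (not code from Malwarebytes or from the malware itself): it rebuilds the hash-to-name table that defeats FNV-based API hashing and decrypts an RC4-protected string the way the stealer would at runtime. It assumes 32-bit FNV-1a over the ASCII export name (the report does not say which FNV variant or width the sample uses) and plain RC4 with a key recovered from the sample; the API list, key and ciphertext are constructed.

```python
"""Added example, not Malwarebytes' code or the malware's: FNV-based API
hashing and RC4 reimplemented as an analyst would when unpacking a sample.
Assumptions: 32-bit FNV-1a over the ASCII export name (variant and width are
not stated in the report) and plain RC4 keyed with a value recovered from the
sample. The API list, key and ciphertext below are constructed."""

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


# Constructed list of exports a stealer commonly resolves; a real job would
# hash every export of every DLL in a clean System32 instead.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "ReadFile", "CryptUnprotectData", "InternetOpenA", "HttpSendRequestA",
]


def build_hash_table(names=CANDIDATE_APIS) -> dict:
    """Precompute hash -> name so hashes pulled from the binary can be looked up."""
    return {fnv1a_32(n.encode("ascii")): n for n in names}


def resolve_hashes(hashes, table=None) -> dict:
    """Map each hash found in the sample to an API name, or None if unknown."""
    if table is None:
        table = build_hash_table()
    return {h: table.get(h) for h in hashes}


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config_string(key: bytes, blob: bytes) -> str:
    """Decrypt an RC4-protected string the way a stealer would at runtime."""
    return rc4(key, blob).decode("ascii", errors="replace")


if __name__ == "__main__":
    # Constructed "hashes seen in the sample"; real ones would be pulled from
    # the hashed-import table with a disassembler script. 0xDEADBEEF stands
    # in for a hash whose name is not in the candidate list.
    seen = [fnv1a_32(b"CryptUnprotectData"), fnv1a_32(b"VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_hashes(seen).items():
        print(f"0x{h:08x} -> {name}")
    # Constructed RC4 blob: the standard RC4 test vector for key "Key".
    blob = bytes.fromhex("bbf316e8d940af0ad3")
    print(decrypt_config_string(b"Key", blob))
```

If the hashes in a sample do not match, the malware is using a different variant (FNV-1 instead of FNV-1a, 64-bit width, a custom prime or offset, or hashing of the DLL name as well), and the `fnv1a_32` routine is what to adjust; the lookup-table approach stays the same.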
The attackers have built a resilient infrastructure to ensure their malicious ads stay active.
“The attackers ran two parallel ad campaigns, each pointing to separate phishing domains,” the report details. To track their victims and maintain their illicit marketing funnels, “Each campaign used its own Facebook Pixel ID and tracking parameters”.
This level of redundancy means that “if one domain is taken down or one ad account is suspended, the other continues running”.
The analysts conclude that “This campaign is technically polished and operationally aware”. The operators “understand how people download software and have chosen Facebook advertising as their delivery vector precisely because it reaches real users in a context where trust is high”.
To protect yourself and your organization from this threat, remember the one simple rule the researchers give: “Windows updates come from Windows Update inside your system settings, not from a website and never from a social media ad”. Ultimately, “Microsoft does not advertise Windows updates on Facebook”.