A new malware campaign is spreading through sponsored posts on Facebook, using fake Windows upgrade ads to trick users into installing password-stealing software. According to a report from Malwarebytes, the ads promise free upgrades to Windows 11 and lead victims to convincing copies of official Microsoft download pages.
The campaign appears carefully designed to exploit ongoing transitions from older Windows versions. The malicious sites mimic Microsoft’s upgrade assistant pages and even include official-sounding version labels such as “25H2” to look legitimate. Users who download the installer end up with malware capable of harvesting browser sessions, stored passwords, cryptocurrency wallets, and other sensitive data.
Researchers say the malware is particularly stealthy. If the link is opened from an IP address associated with security tools or researchers, the page redirects to harmless destinations like Google. The installer may also refuse to run in virtual machines or environments that look like security sandboxes. Once installed, it hides within system files and the Windows registry to survive reboots and remain difficult to detect.
The use of paid ads to distribute malware is troubling but not unprecedented. Scam campaigns have long appeared across major social platforms, often blending in with legitimate advertising. Security experts warn that as long as malicious actors can buy ad space and target users at scale, similar attacks are likely to continue appearing.
Malwarebytes has updated its antivirus definitions to detect the threat, and other security tools—including built-in protections like Windows Defender—are expected to follow. In the meantime, users are advised to avoid downloading Windows updates from ads or unofficial links and to rely only on official Microsoft update channels.
