Cybercriminals distribute cryptocurrency‑theft malware via Facebook advertisements
Hackers are running Facebook ads for a supposed Windows 11 update, dressed in authentic-looking Microsoft branding. Clicking the ad opens a cloned Microsoft site, which in turn downloads a malicious installer hosted on GitHub. Because the file is served from GitHub over HTTPS, the browser shows a valid TLS certificate; that certificate vouches for the hosting domain, not for the file, so it lends the download a false air of legitimacy. Windows itself never delivers updates through advertisements; genuine updates arrive only via Windows Update.

The campaign geofences its targets, serving the payload only to IP addresses that look like ordinary home or office connections, so automated URL scanners never see the malicious content.

The installer creates a folder named LunarApplication, borrowing the name of the legitimate crypto tool "Lunar" so the directory looks benign on casual inspection. Before its payload runs, built-in evasion checks look for virtual machines and analysis tools, letting the malware sidestep sandboxed analysis. Once running, it harvests saved browser passwords, browser session data, cryptocurrency wallet files and seed phrases, and sends them to the attackers.

Similar Facebook ad scams have used fake Pi2Day promotions and fake TradingView Premium offers, pushed through verified YouTube and Google accounts. Victims are sent to phishing pages that promise free tokens or airdrops in exchange for their wallet recovery phrases; anyone who enters a seed phrase hands the attackers full control of that wallet.

Crypto scams cost victims billions: Chainalysis reported $17 billion in losses for 2025, and millions of credentials have been stolen.