Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers ran paid Facebook ads that mimicked official Microsoft Windows 11 update promotions and redirected victims to near-perfect counterfeit download pages. Those pages delivered a malicious 75 MB installer (ms-update32.exe) hosted on GitHub, which installs an Electron-based LunarApplication to harvest saved passwords, browser sessions, and cryptocurrency wallet data. The campaign used geofencing and sandbox detection to avoid automated analysis, employed obfuscated PowerShell and process injection for persistence and stealth, and leveraged Facebook Pixels to track successful victims in real time. #ms-update32.exe #LunarApplication #Windows11 #Microsoft #FacebookAds

Keypoints

  • Attackers used paid Facebook ads styled as Microsoft promotions to lure users to fake Windows 11 download pages.
  • The fake pages serve a 75 MB installer (ms-update32.exe) from raw.githubusercontent.com over HTTPS, which lets it bypass some browser warnings.
  • The installer deploys an Electron-based application named LunarApplication and runs obfuscated PowerShell scripts to collect browser credentials, session cookies, and crypto wallet data.
  • The campaign uses geofencing and sandbox/VM detection to redirect data-center or analysis traffic to benign pages, limiting detection by automated systems.
  • Persistence and stealth are achieved by writing a large binary blob to HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults and performing process injection; temporary files are deleted and reboots may be triggered.
  • Operators ran parallel ad campaigns and separate phishing domains with distinct Facebook Pixel and campaign IDs to maintain redundancy and track conversions.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – The installer checks for virtual machines, debuggers, and analysis tools and stops if detected (‘the installer checks whether it is being watched. It looks for virtual machine environments, debugger software, and analysis tools. If it finds any of them, it stops.’)
  • [T1566] Phishing – Social engineering via paid Facebook ads that impersonate Microsoft to deliver a malicious download (‘a Facebook ad…promotes what appears to be the latest Windows 11 update.’)
  • [T1036] Masquerading – Fake site and application mimic legitimate Microsoft branding and common app frameworks to blend in (‘site that looks almost identical to Microsoft’s real Software Download page…logo, layout, fonts, and even the legal text in the footer are copied.’)
  • [T1055] Process Injection – Malware creates processes in a suspended state, injects code, and resumes execution to evade detection (‘creates Windows processes in a suspended state, injects code into them, and resumes execution.’)
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via writing a large binary blob to a legitimate registry path under HKLM (‘writes a large binary blob to the Windows registry under: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults.’)
  • [T1059.001] PowerShell – Execution of obfuscated PowerShell scripts with unrestricted execution policy to run payload components (‘two obfuscated PowerShell scripts with randomised filenames are written to the %TEMP% folder and executed…powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -’)
  • [T1027] Obfuscated Files or Information – Use of RC4, HC-128, XOR encoding, and FNV hashing for API resolution to hinder static analysis (‘The malware uses multiple encryption and obfuscation techniques, including RC4, HC-128, XOR encoding, and FNV hashing for API resolution.’)
  • [T1555.003] Credentials from Web Browsers – Targeting and exfiltration of saved passwords, session cookies, and browser credential stores (‘silently steals saved passwords, browser sessions, and cryptocurrency wallet data.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Using HTTPS and a trusted hosting service (GitHub) to deliver the payload so browsers do not flag it (‘the file is hosted on GitHub…the download arrives over HTTPS with a valid security certificate.’)

Indicators of Compromise

  • [File Hash] ms-update32.exe payload – c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa
  • [Domains] phishing download sites – ms-25h2-download[.]pro, ms-25h2-update[.]pro (also ms25h2-download[.]pro and ms25h2-update[.]pro)
  • [URL] payload delivery – raw.githubusercontent.com/preconfigured/dl/refs/heads/main/ms-update32.exe (GitHub-hosted payload over HTTPS)
  • [File Paths] installed components and temp scripts – C:\Users\<username>\AppData\Roaming\LunarApplication, C:\Users\<username>\AppData\Local\Temp\[random].yiz.ps1 (and [random].unx.ps1)
  • [Registry Key] persistence artifact – HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults (large binary data used for persistence)
  • [Facebook Advertising] tracking and infrastructure – Pixel ID 1483936789828513, Pixel ID 955896793066177 (Campaign ID 52530946232510 and Campaign ID 6984509026382)
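As an added example (not part of the original report), the following Python turns the indicators and technique descriptions above into a small matcher over endpoint and network telemetry: it flags the payload hash, the phishing domains, the GitHub delivery URL, the stdin-fed PowerShell command line, the randomised %TEMP% script names, and an oversized write to the reported registry path. The telemetry event shape, the registry path separators, and the 100 KB "large blob" threshold are assumptions; the sample events are constructed.

```python
import re

# Indicators quoted in the report above (defanged domains re-fanged for matching).
PAYLOAD_SHA256 = "c634838f255e0a691f8be3eab45f2015f7f3572fba2124142cf9fe1d227416aa"
PHISHING_DOMAINS = {"ms-25h2-download.pro", "ms-25h2-update.pro",
                    "ms25h2-download.pro", "ms25h2-update.pro"}
PAYLOAD_URL = "raw.githubusercontent.com/preconfigured/dl/refs/heads/main/ms-update32.exe"
PERSISTENCE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults"  # separators assumed
# Randomised temp script names reported as [random].yiz.ps1 / [random].unx.ps1
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(?:yiz|unx)\.ps1$", re.I)
# Command-line shape quoted in the report: script fed via stdin, execution policy Unrestricted
PS_STDIN = re.compile(r"powershell(?:\.exe)?\b.*-ExecutionPolicy\s+Unrestricted.*-Command\s+-\s*$", re.I)
LARGE_BLOB_BYTES = 100_000  # assumed threshold for "large binary blob"; tune to your telemetry

def match_event(event):
    """Return (indicator, MITRE technique) tags triggered by one telemetry event dict."""
    hits, kind = [], event.get("type")
    if kind == "file" and event.get("sha256", "").lower() == PAYLOAD_SHA256:
        hits.append(("payload_hash", "T1036"))
    if kind == "file" and TEMP_SCRIPT.search(event.get("path", "")):
        hits.append(("temp_ps1", "T1059.001"))
    if kind == "dns" and event.get("query", "").lower().rstrip(".") in PHISHING_DOMAINS:
        hits.append(("phishing_domain", "T1566"))
    if kind == "http" and PAYLOAD_URL in event.get("url", ""):
        hits.append(("payload_url", "T1071.001"))
    if kind == "process" and PS_STDIN.search(event.get("cmdline", "")):
        hits.append(("powershell_stdin", "T1059.001"))
    if (kind == "registry" and event.get("key", "").lower() == PERSISTENCE_KEY.lower()
            and event.get("size", 0) >= LARGE_BLOB_BYTES):
        hits.append(("registry_blob", "T1547.001"))
    return hits

def scan(events):
    """Return [(event_index, (indicator, technique)), ...] across a batch of events."""
    return [(i, h) for i, e in enumerate(events) for h in match_event(e)]

# Constructed sample telemetry (not from the report) exercising each indicator plus benign noise.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "ms-25h2-update.pro"},
    {"type": "http", "url": "https://" + PAYLOAD_URL},
    {"type": "file", "path": r"C:\Users\alice\Downloads\ms-update32.exe", "sha256": PAYLOAD_SHA256},
    {"type": "process", "cmdline": "powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit "
                                   "-ExecutionPolicy Unrestricted -Command -"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\k9x2q.yiz.ps1"},
    {"type": "registry", "key": PERSISTENCE_KEY, "size": 2_500_000},
    {"type": "dns", "query": "www.microsoft.com"},
    {"type": "process", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]
```

Running `scan(SAMPLE_EVENTS)` tags the first six constructed events and leaves the two benign ones untouched; in practice the hash and domain checks are brittle against re-packaging, so the command-line and registry-size rules carry more weight over time.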

Read more: https://www.malwarebytes.com/blog/scams/2026/02/facebook-ads-spread-fake-windows-11-downloads-that-steal-passwords-and-crypto-wallets