Cybersecurity experts are warning of a growing online scam that is specifically targeting users who are still running Windows 10. As confusion lingers around operating system upgrades and the end of official support, cybercriminals are exploiting that uncertainty with convincing advertisements that promise an easy path to Windows 11. Instead of delivering a legitimate upgrade, however, these ads lead unsuspecting users into downloading malware capable of stealing highly sensitive personal information.
The threat has been identified by researchers at Malwarebytes, who report that deceptive advertisements are circulating on Facebook. These ads claim to offer a “quick” and “free” upgrade to Windows 11, often using familiar branding to appear trustworthy. For users who may feel left behind or concerned about security after the end of Windows 10 support, the offer can appear both timely and legitimate.
Exploiting Windows 10 Uncertainty
Although Microsoft provides Windows 11 as a free upgrade for eligible devices, not all computers meet the system’s hardware requirements. As a result, millions of PCs worldwide continue to operate on Windows 10. With official support for the older system ending in October, many users are increasingly anxious about potential security risks or compatibility issues.
Scammers are capitalizing on that anxiety. By presenting their offer as a convenient shortcut to Windows 11, they target individuals who may already be searching for upgrade solutions. For some users, especially those with older hardware, the promise of bypassing restrictions or speeding up the upgrade process can be appealing.
However, cybersecurity researchers emphasize that legitimate Windows updates are never distributed through social media ads. Microsoft delivers operating system updates directly through its built-in Windows Update tool within system settings. Any advertisement claiming to provide a downloadable Windows installer should immediately raise suspicion.
Ads Designed to Look Official
The fraudulent advertisements are carefully crafted to mimic authentic Microsoft marketing. They feature the company’s logo and use familiar phrases such as “Upgrade to Win 11 Pro Today” to establish credibility. The layout, color schemes, and typography are designed to resemble official promotional materials.
In some cases, the ads have appeared under names like “Win 11 Pro.” Others have been posted through unrelated or questionable page names, including “NC Sports – Nasc sports.” While these inconsistencies may seem obvious upon closer inspection, many users may not notice the warning signs at first glance—especially if they are focused on the prospect of upgrading their system.
Researchers have observed that some versions of the ads have remained active in specific regions, including Germany. This suggests the campaign may be geographically targeted, further demonstrating the sophistication of the operation.
Convincing Clone Websites
Clicking on one of the ads redirects users to a website that closely imitates Microsoft’s official pages. These sites replicate logos, page layouts, font styles, and even legal disclaimers commonly found in the footer of genuine Microsoft webpages. At a superficial level, the sites appear professional and legitimate.
The most critical difference lies in the web address itself. Instead of microsoft.com, users are directed to lookalike domains such as:
- ms-25h2-download[.]pro
- ms-25h2-update[.]pro
- ms25h2-download[.]pro
- ms25h2-update[.]pro
The inclusion of “25H2” is a calculated detail. Microsoft uses similar naming conventions for its Windows release updates, making the domains appear authentic to less technical users. The subtle variations in the domain names are easy to miss, particularly for those unfamiliar with how phishing campaigns operate.
Security specialists stress that carefully checking the URL in the address bar is one of the simplest and most effective ways to avoid falling victim to such schemes.
A Malware Installer in Disguise
The deception does not end with the fake website. The attackers have built safeguards into their infrastructure to avoid detection. If the site identifies traffic from bots or automated security tools, it redirects visitors to Google.com. This tactic helps prevent cybersecurity researchers from easily analyzing the malicious content and prolongs the lifespan of the scam.
If the visitor appears to be a real user browsing from a personal computer, the site initiates a download of a file named “ms-update32.exe.” At approximately 75 megabytes in size, the file seems consistent with what users might expect from a legitimate operating system installer.
In reality, the file is malicious software. Reports indicate that it is hosted on a GitHub repository controlled by the attackers, adding another layer of disguise. Once executed, the program installs malware designed to extract sensitive information from the infected device.
The stolen data can include saved browser passwords, active browser sessions, and cryptocurrency wallet information. By hijacking browser sessions, attackers may gain access to email accounts, financial platforms, and social media profiles without needing to enter login credentials manually.
Social Media as a Distribution Channel
This campaign highlights how online advertising platforms continue to be exploited by cybercriminals. Social media ads allow highly targeted outreach, enabling scammers to reach users based on demographics, interests, and even device usage patterns. Windows 10 users searching for upgrade information are particularly vulnerable.
Meta, Facebook’s parent company, had not publicly commented on the specific campaign at the time of reporting. Meanwhile, Google’s Chrome browser has reportedly begun flagging some of the identified domains as dangerous, warning users before they proceed. However, security experts caution that blocking individual domains is only a temporary solution, as attackers can quickly register new ones.
Staying Safe from Upgrade Scams
Experts advise users to remember a simple rule: Windows updates are delivered through the system’s built-in update mechanism, not through advertisements or third-party websites. Microsoft does not promote operating system upgrades via Facebook ads.
To reduce risk, users should:
- Access updates exclusively through Windows Update in system settings.
- Carefully verify website URLs before downloading files.
- Avoid clicking on social media ads offering software downloads.
- Maintain updated antivirus and security software.
- Keep browsers current to benefit from built-in security warnings.
As long as millions of PCs continue running Windows 10, scammers are likely to keep exploiting upgrade-related confusion. The latest campaign serves as a reminder that even familiar logos and polished designs can conceal malicious intent.
