Watch out for Facebook ads claiming to offer free Windows 11 upgrades. You might end up downloading malware.
Antivirus provider Malwarebytes is warning about Facebook ads that promise a “quick” and “free” upgrade to Windows 11. They use Microsoft’s logo to give them an air of legitimacy and urge people to click a link to download the OS.
The ads seem to prey on users stuck on Windows 10. Though Microsoft offers Windows 11 as a free upgrade, some PCs don’t meet the system requirements. As a result, millions of older PCs are still running Windows 10, even though Microsoft officially ended support for it in October.
“If you have been meaning to keep your PC current, it feels like a convenient shortcut,” Malwarebytes says of the ads.
One of the scam ads uses the name “Win 11 Pro” and remains active in Germany. Other ads are easy to spot and use unaffiliated Microsoft names such as “NC Sports – Nasc sports.”
Clicking on ads takes you to domains that look like official Microsoft pages but are actually designed to spread malware via a download link. The domains even reference 25H2, or the latest official annual release for Windows 11.
“The logo, layout, fonts, and even the legal text in the footer are copied,” Malwarebytes adds. “The only obvious difference is in the address bar. Instead of microsoft.com, you’ll see one of these lookalike domains:”
-
ms-25h2-download[.]pro
-
ms-25h2-update[.]pro
-
ms25h2-download[.]pro
-
ms25h2-update[.]pro
The malicious domains will also try to accept only real PC users. If it detects an internet visit coming from a bot or an automated check from a security researcher, the domains will redirect the traffic to Google.com. “If you pass the checks, the site downloads a file named ms-update32.exe. At 75MB, it feels like a legitimate Windows installer,” Malwarebytes says.
The download is actually hosted on a hacker-controlled GitHub page. Although the installer is dressed up to look legitimate, it’s designed to run malicious code that aims to steal saved passwords, user browser sessions, and cryptocurrency wallet data.
Facebook’s parent Meta didn’t immediately respond to a request for comment. But cybercriminals have long used ads on the social networking platform to target unsuspecting users. In the meantime, Google’s Chrome browser has begun flagging the fake Windows 11 upgrade sites as malicious domains.
Malwarebytes also notes: “Remember: Windows updates come from Windows Update inside your system settings—not from a website and never from a social media ad. Microsoft does not advertise Windows updates on Facebook.”
About Our Expert
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
-
SpaceX Teams With Local Retailers to Sell Starlink Dishes in Venezuela
-
Colorado Lawmakers Push for Age Verification at the Operating System Level
-
Trump Slams ‘Terrible’ Supreme Court Decision, Tips ‘Potentially Higher’ Tariffs
-
ATM Jackpotting Incidents Skyrocketed in 2025 With the Help of Malware
-
Supreme Court Kills Trump’s Reciprocal Tariffs. Will Companies Get Reimbursed?
-
More from Michael Kan
