
Fake Facebook pages and sponsored ads on social media platforms are being used to direct users to counterfeit websites disguised as Kling AI, with the goal of delivering malware downloads.
Kling AI is an AI-powered platform for generating images and videos from text and image prompts. It was launched in June 2024 and was developed by Kuaishou Technology, headquartered in Beijing, China. As of April 2025, the service has a user base of over 22 million people, according to company data.
“The attack used fake Facebook pages and ads to distribute malicious files, which ultimately led to the execution of a remote access trojan (RAT), giving the attacker the ability to remotely control the victim’s system and steal sensitive data,” Check Point said.
First detected in early 2025, the campaign leads unsuspecting users to spoofed websites such as klingaimedia[.]com or klingaistudio[.]com, where they are prompted to create AI-generated images or videos directly in the browser.

However, the website does not generate the advertised media. Instead, what it serves in place of the image or video is a malicious Windows executable whose true file type is hidden using a double extension and Hangul Filler (0xe3 0x85 0xa4) characters.
The payload, contained in a ZIP archive, acts as a loader that launches remote access trojans and stealers, establishes contact with command-and-control (C2) servers, and exfiltrates credentials, session tokens, and other sensitive data stored in the browser.
The loader also checks for analysis tools such as Wireshark, OllyDbg, Procmon, ProcExp, PEstudio, and Fiddler, modifies the Windows registry to establish persistence, and launches the second stage by injecting it into legitimate system processes such as “caspol.exe” and “installutil.exe”.
The second-stage payload, obfuscated using .NET Reactor, is the PureHVNC RAT, which contacts a remote server (185.149.232[.]197) and comes with the ability to steal data from several cryptocurrency wallet extensions installed in Chromium-based browsers. PureHVNC also takes a plugin-based approach to capture screenshots when windows whose titles match those of banks and wallets are opened.
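The filename masquerading described above (invisible Hangul Filler padding plus a media-looking double extension in front of a Windows executable) is something a mail gateway or download scanner can flag before the archive is ever opened. The check below is an added example, not code from the Check Point report; the filler set, extension lists, and sample filenames are my own assumptions.

```python
import unicodedata
from typing import List

# Code points attackers pad a filename with so the real extension scrolls out of
# view or renders blank. U+3164 HANGUL FILLER (UTF-8 e3 85 a4) is the one used in
# this campaign; it is category "Lo" (a letter), so a check that only rejects
# Unicode format characters (category "Cf") would miss it.
INVISIBLE_FILLERS = {
    "\u3164",  # HANGUL FILLER
    "\u115f",  # HANGUL CHOSEONG FILLER
    "\u1160",  # HANGUL JUNGSEONG FILLER
    "\u200b",  # ZERO WIDTH SPACE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE (reverses the visible extension)
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "webp", "mp4", "mov", "avi", "pdf"}


def classify_filename(name: str) -> List[str]:
    """Return the reasons a filename looks masqueraded (empty list = nothing found)."""
    reasons: List[str] = []
    fillers = sorted({c for c in name if c in INVISIBLE_FILLERS})
    if fillers:
        reasons.append("invisible-filler:" + ",".join(f"U+{ord(c):04X}" for c in fillers))
    # Any other format (Cf) characters are suspicious in a filename as well.
    other_cf = sorted({c for c in name if c not in INVISIBLE_FILLERS and unicodedata.category(c) == "Cf"})
    if other_cf:
        reasons.append("format-char:" + ",".join(f"U+{ord(c):04X}" for c in other_cf))
    # Strip the fillers first so "clip.mp4<fillers>.exe" is examined as clip.mp4.exe.
    cleaned = "".join(c for c in name if c not in INVISIBLE_FILLERS and unicodedata.category(c) != "Cf")
    parts = cleaned.strip().lower().split(".")
    if len(parts) >= 3:
        real_ext, decoy_ext = parts[-1], parts[-2]
        if real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS:
            reasons.append(f"double-extension:{decoy_ext}.{real_ext}")
    return reasons


# Constructed sample names (hypothetical, not indicators from the campaign).
SAMPLE_NAMES = [
    "holiday.mp4",
    "Generated_Image_2025.jpg" + "\u3164" * 20 + ".exe",
    "clip.mp4.exe",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        verdict = classify_filename(sample)
        print(repr(sample), "->", verdict or "clean")
```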

Check Point said it has identified more than 70 promoted posts from fake social media pages impersonating Kling AI. It is not clear who is behind the campaign at the moment, but evidence gathered from the fake web pages and some of the ads suggests that the operators may be based in Vietnam.
The use of Facebook malvertising to distribute stealer malware is a proven tactic of Vietnamese threat actors, who are increasingly taking advantage of the popularity of generative AI tools to push malware.
Earlier this month, Morphisec revealed that Vietnamese threat actors are leveraging fake AI-powered tools as lures to entice users into downloading an information stealer called Noodlophile.
“The campaign, which impersonates Kling AI through fake ads and deceptive websites, demonstrates how threat actors can combine social engineering and advanced malware to access their systems and personal data,” Check Point said.

“With tactics ranging from file masquerading to remote access and data theft, as well as indications pointing to Vietnamese threat groups, this operation fits the wider trend of increasingly targeted and refined social media-based attacks.”
The Wall Street Journal reported that Meta is fighting a “scam epidemic,” with cybercriminals flooding Facebook and Instagram with a variety of scams, ranging from romance baiting to deceptive ads. Many of the fraud pages are run from China, Sri Lanka, Vietnam and the Philippines, the report added.
In related news, fake job ads on Telegram, Facebook and other social media platforms are increasingly being used to lure young Indonesians into being trafficked to scam compounds in Southeast Asia, where they are forced to run investment fraud and other scams against victims around the world.