Counterfeit Fb pages and sponsored adverts on the social media platform are being employed to direct customers to pretend web sites masquerading as Kling AI with the aim of tricking victims into downloading malware.
Kling AI is a man-made intelligence (AI)-powered platform to synthesize pictures and movies from textual content and picture prompts. Launched in June 2024, it is developed by Kuaishou Expertise, which is headquartered in Beijing, China. As of April 2025, the service has a person base of greater than 22 million, per information from the corporate.
“The assault used pretend Fb pages and adverts to distribute a malicious file which in the end led to the execution of a distant entry Trojan (RAT), granting attackers distant management of the sufferer’s system and the power to steal delicate information,” Verify Level stated.
First detected in early 2025, the marketing campaign leads unsuspecting customers to a spoofed web site equivalent to klingaimedia[.]com or klingaistudio[.]com, the place they’re requested to create AI-generated pictures or movies straight within the browser.
Nevertheless, the web site doesn’t generate the multimedia rely as marketed. Quite, it affords the choice to a purported picture or video that, in actuality, is a malicious Home windows executable hidden utilizing double extensions and Hangul Filler (0xE3 0x85 0xA4) characters.
The payload is included in a ZIP archive and acts as a loader to launch a distant entry trojan and a stealer that then establishes contact with a command-and-control (C2) server and exfiltrates browser-stored credentials, session tokens, and different delicate information.
The loader, apart from monitoring for evaluation instruments equivalent to Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, and Fiddler, makes Home windows Registry modifications to arrange persistence and launches the second-stage by injecting it right into a legit system course of like “CasPol.exe” or “InstallUtil.exe” to evade detection.
The second-stage payload, obfuscated utilizing .NET Reactor, is the PureHVNC RAT that contacts a distant server (185.149.232[.]197) and comes with capabilities to steal information from a number of cryptocurrency pockets extensions put in on Chromium-based browsers. PureHVNC additionally adopts a plugin-based method to seize screenshots when window titles matching banks and wallets are opened.
Verify Level stated it recognized a minimum of 70 promoted posts from pretend social media pages impersonating Kling AI. It is at the moment not clear who’s behind the marketing campaign, however proof gathered from the pretend web site’s internet web page and a number of the adverts present that they might be from Vietnam.
Using Fb malvertising methods to distribute stealer malware has been a tried-and-tested tactic of Vietnamese menace actors, who’ve been more and more capitalizing on the recognition of generative AI instruments to push malware.
Earlier this month, Morphisec revealed {that a} Vietnamese menace actor has been leveraging pretend AI-powered instruments as a lure to entice customers into downloading an info stealer malware dubbed Noodlophile.
“This marketing campaign, which impersonated Kling AI by pretend adverts and misleading web sites, demonstrates how menace actors are combining social engineering with superior malware to achieve entry to customers’ programs and private information,” Verify Level stated.
“With techniques starting from file masquerading to distant entry and information theft, and indicators pointing to Vietnamese menace teams, this operation suits right into a broader development of more and more focused and complex social media-based assaults.”
The event comes as The Wall Avenue Journal reported that Meta is battling an “epidemic of scams,” with cyber criminals flooding Fb and Instagram with numerous sorts of scams starting from romance baiting to sketchy cut price adverts to pretend giveaways. Lots of the rip-off pages are operated from China, Sri Lanka, Vietnam, and the Philippines, the report added.
In line with Remainder of World, phony job adverts on Telegram, Fb, and different social media are being more and more used to lure younger Indonesians and get trafficked to rip-off compounds in Southeast Asia, from the place they’re coerced into operating funding scams and defraud victims internationally.
