News from the AI & ML world

DeeperML

@research.checkpoint.com //
A sophisticated cyberattack campaign is exploiting the popularity of the generative AI service Kling AI to distribute malware through fake Facebook ads. Check Point Research uncovered the campaign, which began in early 2025. The attackers created convincing spoof websites mimicking Kling AI's interface, luring users with the promise of AI-generated content. These deceptive sites, promoted via at least 70 sponsored posts on fake Facebook pages, ultimately trick users into downloading malicious files.

Instead of delivering the promised AI-generated images or videos, the spoofed websites serve a Trojan horse. This comes in the form of a ZIP archive containing a deceptively named .exe file, designed to appear as a .jpg or .mp4 file through filename masquerading using Hangul Filler characters. When executed, this file installs a loader with anti-analysis features that disables security tools and establishes persistence on the victim's system. This initial loader is followed by a second-stage payload, which is the PureHVNC remote access trojan (RAT).
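A defender-side check for the filename masquerading described above, as an added example that is not from Check Point Research or the original page: it scans a ZIP's member names for Hangul Filler padding and for a media extension hidden in front of an executable one. The extension lists, the filler code points beyond U+3164, and the sample archive names are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# U+3164 HANGUL FILLER plus the other Unicode Hangul filler code points,
# which typically render as blank space in file listings.
FILLERS = "\u3164\u115f\u1160\uffa0"
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}  # assumed list
# A media extension followed by whitespace, a filler, a dot, or end of stem.
DECOY_EXT = re.compile(r"\.(jpe?g|png|gif|mp4|mov|avi)(?=[\s%s.]|$)" % FILLERS, re.I)


def classify(name):
    """Return the reasons a single archive member name looks masqueraded."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    real_ext = (dot + ext).lower() if dot else ""
    if any(ch in FILLERS for ch in base):
        reasons.append("hangul-filler")
    if real_ext in EXECUTABLE_EXT and DECOY_EXT.search(stem):
        reasons.append("decoy-media-extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: placeholder bytes only, the member names are what matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
        zf.writestr("Generated_Image.jpg" + "\u3164" * 20 + ".exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(repr(name), reasons)
```

The same `classify` function can be applied to download or mail-gateway logs, since it only inspects the name and never opens the file.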

The PureHVNC RAT grants attackers remote control over the compromised system and steals sensitive data. It specifically targets browser-stored credentials and session tokens, with a focus on Chromium-based browsers and cryptocurrency wallet extensions like MetaMask and TronLink. Additionally, the RAT uses a plugin to capture screenshots when banking apps or crypto wallets are detected in the foreground. Check Point Research believes that Vietnamese threat actors are likely behind the campaign, as they have historically employed similar Facebook malvertising techniques to distribute stealer malware, capitalizing on the popularity of generative AI tools.


References:
  • hackread.com: Scammers Use Fake Kling AI Ads to Spread Malware
  • Check Point Blog: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • gbhackers.com: Malicious Hackers Create Fake AI Tool to Exploit Millions of Users
  • securityonline.info: AI Scam Alert: Fake Kling AI Sites Deploy Infostealer, Hide Executables
  • The Hacker News: Fake Kling AI Facebook ads deliver RAT malware to over 22 million potential victims.
  • blog.checkpoint.com: Exploiting the AI Boom: How Threat Actors Are Targeting Trust in Generative Platforms like Kling AI
  • Virus Bulletin: Check Point's Jaromír Hořejší analyses a Facebook malvertising campaign that directs the user to a convincing spoof of Kling AI’s website
  • Check Point Research: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
  • Security Risk Advisors: 🚩 Facebook Malvertising Campaign Impersonates Kling AI to Deliver PureHVNC Stealer via Disguised Executables
Classification:
  • HashTags: #Malvertising #AI #RemoteAccessTrojan
  • Company: Google, Checkpoint
  • Target: Facebook users
  • Product: Kling AI
  • Feature: Malvertising
  • Malware: Remote Access Trojan
  • Type: Malware
  • Severity: Major