Counterfeit Facebook pages and sponsored advertisements on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware.
Kling AI is an artificial intelligence (AI)-powered platform for synthesizing images and videos from text and image prompts. Launched in June 2024, it is developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company.
"The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said.
First detected in early 2025, the campaign leads unsuspecting users to a spoofed website resembling klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-generated images or videos directly in the browser.
However, the website does not generate the multimedia content as advertised. Rather, it offers to download a purported image or video that, in reality, is a malicious Windows executable hidden using double extensions and Hangul Filler (0xE3 0x85 0xA4) characters.
The payload is contained in a ZIP archive and acts as a loader to launch a remote access trojan and a stealer that then establishes contact with a command-and-control (C2) server and exfiltrates browser-stored credentials, session tokens, and other sensitive data.
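The file-masquerading trick described above (an executable whose real `.exe` extension is pushed out of view by a decoy media extension and a run of Hangul Filler characters) is easy to check for before a user ever sees the file. The following is an added example, not code from the article or from Check Point: it builds a constructed ZIP archive containing a lure name of that shape, then scans every entry for invisible padding characters, an executable final extension behind a decoy extension, and an `MZ` header in the content regardless of name. The list of invisible code points beyond U+3164 and the extension lists are assumptions for illustration; the article names only Hangul Filler.

```python
import io
import unicodedata
import zipfile

# Hangul Filler U+3164 encodes in UTF-8 as E3 85 A4, the byte sequence named in the write-up.
HANGUL_FILLER = "\u3164"
# Other code points that render blank and serve the same padding purpose
# (assumption: extended list for illustration, not taken from the article).
INVISIBLE = {HANGUL_FILLER, "\u115f", "\u1160", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Assumed extension lists; tune to the environment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".ps1", ".hta", ".msi", ".lnk"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".mkv", ".pdf", ".txt", ".docx"}


def analyze_name(name: str) -> list[str]:
    """Return findings for one archive entry name (empty list = nothing suspicious)."""
    findings = []
    hidden = [c for c in name if c in INVISIBLE]
    if hidden:
        labels = sorted({f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}" for c in hidden})
        findings.append(f"{len(hidden)} invisible padding char(s): {', '.join(labels)}")
    # Judge the extensions on the name as it reads once the padding is stripped.
    visible = "".join(c for c in name if c not in INVISIBLE).rsplit("/", 1)[-1].lower()
    parts = visible.split(".")
    if len(parts) >= 2:
        final = "." + parts[-1]
        inner = {"." + p for p in parts[1:-1]}
        if final in EXECUTABLE_EXT:
            findings.append(f"final extension {final} is executable")
            if inner & DECOY_EXT:
                findings.append(f"double extension: decoy {sorted(inner & DECOY_EXT)} before {final}")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every file entry of an in-memory ZIP; keys are the raw entry names."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = analyze_name(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":  # DOS/PE header: the content is a Windows executable whatever the name says
                findings.append("content begins with MZ header (Windows executable)")
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive() -> bytes:
    """Constructed sample ZIP mimicking the lure: an 'mp4' whose real extension is pushed out of view."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        lure = "Generated_Video.mp4" + HANGUL_FILLER * 40 + ".exe"
        zf.writestr(lure, b"MZ" + b"\x00" * 62)                          # stand-in for a PE file, constructed
        zf.writestr("Generated_Video.mp4", b"\x00\x00\x00\x18ftypmp42")  # benign decoy bytes, constructed
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip(build_sample_archive()).items():
        print(repr(entry))
        for f in findings:
            print("  -", f)
```

The name check and the content check are deliberately independent: a renamed payload with no padding at all still trips the `MZ` test, and a padded name wrapping a benign file still gets reported as a masquerading attempt worth a look.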
The loader, besides monitoring for analysis tools such as Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, and Fiddler, makes Windows Registry changes to set up persistence and launches the second stage by injecting it into a legitimate system process like "CasPol.exe" or "InstallUtil.exe" to evade detection.
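Both loader behaviours above leave telemetry that endpoint logging can catch: a .NET Framework utility such as CasPol.exe or InstallUtil.exe being started by something in a user-writable folder, or with no arguments at all, and a Run-key value pointing at a user-writable path. The following is an added example, not code from the article or from Check Point: it runs two such heuristics over constructed Sysmon-style process-creation and registry events. The event field names, the "known-good parent launches it with arguments" assumption, and the user-writable path patterns are assumptions for illustration.

```python
import re

# The two injection hosts named in the write-up.
INJECTION_HOSTS = {"caspol.exe", "installutil.exe"}
# Assumed: locations an unprivileged user can write to; adjust per environment.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)|programdata|windows\\temp|temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(image: str, cmdline: str) -> bool:
    """True if the command line carries anything beyond the image path itself."""
    rest = cmdline.strip()
    for candidate in (f'"{image}"', image):
        if rest.lower().startswith(candidate.lower()):
            rest = rest[len(candidate):]
            break
    return rest.strip() != ""


def check_process(ev: dict) -> list[str]:
    reasons = []
    if basename(ev["Image"]) in INJECTION_HOSTS:
        if USER_WRITABLE.search(ev["ParentImage"]):
            reasons.append("parent process runs from a user-writable directory")
        if not has_arguments(ev["Image"], ev["CommandLine"]):
            reasons.append("launched without arguments (no assembly or policy to act on)")
    return reasons


def check_registry(ev: dict) -> list[str]:
    reasons = []
    if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
        reasons.append("Run key value points to a binary in a user-writable directory")
    return reasons


def evaluate(events: list[dict]) -> list[dict]:
    """Apply the matching heuristic to each event; return the ones that fired, with reasons."""
    alerts = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            reasons = check_process(ev)
        elif ev["EventType"] == "RegistrySetValue":
            reasons = check_registry(ev)
        else:
            reasons = []
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry). SIDs, users and paths are made up.
FX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": FX + r"\InstallUtil.exe",           # benign: build tool, has args
     "CommandLine": f'"{FX}\\InstallUtil.exe" C:\\build\\MyService.exe',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventType": "ProcessCreate", "Image": FX + r"\CasPol.exe",               # suspicious: no args, odd parent
     "CommandLine": f'"{FX}\\CasPol.exe"',
     "ParentImage": r"C:\Users\alice\Downloads\Generated_Video.mp4.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",  # unrelated process
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "RegistrySetValue",                                            # benign Run value
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventType": "RegistrySetValue",                                            # suspicious Run value
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["event"]["EventType"], "->", "; ".join(alert["reasons"]))
```

Neither heuristic on its own is proof of injection; the value is in the combination. A CasPol.exe started with no arguments does nothing useful for a legitimate caller, so that condition plus a parent living in Downloads or AppData is a strong signal, and the Run-key rule ties the persistence step to the same user-writable locations.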
The second-stage payload, obfuscated using .NET Reactor, is the PureHVNC RAT, which contacts a remote server (185.149.232[.]197) and comes with capabilities to steal data from several cryptocurrency wallet extensions installed on Chromium-based browsers. PureHVNC also adopts a plugin-based approach to capture screenshots when window titles matching banks and wallets are opened.
Check Point said it identified at least 70 promoted posts from fake social media pages impersonating Kling AI. It is currently not clear who is behind the campaign, but evidence gathered from the fake website's web page and some of the ads shows that they could be from Vietnam.
The use of Facebook malvertising techniques to distribute stealer malware has been a tried-and-tested tactic of Vietnamese threat actors, who have been increasingly capitalizing on the popularity of generative AI tools to push malware.
Earlier this month, Morphisec revealed that a Vietnamese threat actor has been leveraging fake AI-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile.
"This campaign, which impersonated Kling AI through fake ads and deceptive websites, demonstrates how threat actors are combining social engineering with advanced malware to gain access to users' systems and personal data," Check Point said.
"With tactics ranging from file masquerading to remote access and data theft, and indicators pointing to Vietnamese threat groups, this operation fits into a broader trend of increasingly targeted and sophisticated social media-based attacks."
The development comes as The Wall Street Journal reported that Meta is battling an "epidemic of scams," with cyber criminals flooding Facebook and Instagram with various kinds of scams ranging from romance baiting to sketchy bargain ads to fake giveaways. Many of the scam pages are operated from China, Sri Lanka, Vietnam, and the Philippines, the report added.
According to Rest of World, phony job ads on Telegram, Facebook, and other social media are being increasingly used to lure young Indonesians and get them trafficked to scam compounds in Southeast Asia, from where they are coerced into running investment scams and defrauding victims across the world.