A hacking group allegedly from Vietnam has been leveraging social media ads promoting generative AI tools to distribute malware since at least mid-2024, according to Google Cloud-owned Mandiant.
On May 27, Google Cloud released a new report detailing the findings of a Mandiant Threat Defense investigation initiated in November 2024.
The malicious campaign, which began at least as early as mid-2024, leverages the interest in AI tools, particularly AI-powered video-generating services, to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors.
The campaign was attributed to a group tracked as UNC6032, which the Google Threat Intelligence Group (GTIG) assessed as having a connection to Vietnam.
Findings from this report align with a May 8 Morphisec report on Noodlophile Stealer, a newly discovered infostealer of likely Vietnamese origin.
UNC6032’sTypical Infection Chain
In the campaign discovered by Mandiant, UNC6032 utilized fake ‘AI video generator’ websites to distribute malware.
Here is the typical infection chain:
Victims are directed to fake websites via malicious social media ads on Facebook – from either an attacker-created Facebook page or a compromised Facebook account – and LinkedIn that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab and Kling AI, among others
Once they click on one of the malicious ads, they are directed to fake websites that offer purported functionalities, such as text-to-video or image-to-video generation
Once the user provides a prompt to generate a video, regardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure
The payloads include the STARKVEIL dropper, which deploys the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader
UNC6032’s Campaign Overview
Mandiant has identified over 30 different websites mentioned across thousands of UNC6032-linked ads that have collectively reached millions of users. Most ads were found on Facebook and a handful on LinkedIn.
The researchers then performed further analysis of a sample of over 120 malicious Facebook ads, revealing a total reach of more than 2.3 million users across EU countries.
“It should be noted that reach does not equate to the number of victims. According to Meta, the reach of an ad is an estimated number of how many Account Center accounts saw the ad at least once,” noted the Mandiant report.
Typically, UNC6032 constantly rotates the domains mentioned in the Facebook ads, likely to avoid detection and account bans.
“We noted that once a domain is registered, it will be referenced in ads within a few days if not the same day. Moreover, most of the ads are short-lived, with new ones being created on a daily basis,” the researchers added.
On LinkedIn, they identified roughly 10 malicious ads, with a total impression estimate of 50,000 to 250,000 – with US-based viewers being the majority, followed by users in Europe and Australia. Each ad directed users to hxxps://klingxai[.]com, a domain registered on September 19, 2024. The first malicious LinkedIn ad appeared just a day later.
“We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances of success,” the researchers added.
UNC6032’s Resilience With Multi-Payload Mechanism
For all these ads, the payload downloaded is the STARKVEIL malware, which typically drops three different modular malware families (the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader), primarily designed for information theft and capable of downloading plugins to extend their functionality.
XWORM was also detected by Morphisec as one of the distributed payloads alongside Noodlophile Stealer.
The Google Cloud report provides malware analyses for STARKVEIL, XWORM, FROSTRIFT and GRIMPULL, as well as details about how they communicate with UNC6032’s command-and-control (C2) infrastructure.
Mandiant assessed that the presence of multiple, similar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked by security defenses.
“Although our investigation was limited in scope, we discovered that well-crafted fake ‘AI websites’ pose a significant threat to both organizations and individual users. These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad,” the Mandiant researchers concluded.
“The temptation to try the latest AI tool can lead to anyone becoming a victim. We advise users to exercise caution when engaging with AI tools and to verify the legitimacy of the website’s domain.”