Mandiant Says Malware Spread Through Fake AI Video Ads Seen by Millions

Online scammers are converting excitement over generative artificial intelligence into fraudulent sites that infect victims with malware, says threat intel firm Google Mandiant in a report exposing a year-long campaign to distribute infostealers and backdoors.
A threat actor group Mandiant tracks as Vietnam-linked UNC6032 employed thousands of deceptive ads, mainly on Facebook and LinkedIn, masquerading as legitimate AI tools like Luma AI, Canva Dream Lab and Kling AI. Attackers drove users to lookalike websites promising video generation based on text or image prompts. Users actually received a malware-laced file, not AI-generated video.
Mandiant’s analysis showed the ads reached about 2.3 million users in the European Union.
The Google-run company’s report follows similar findings by security firm Morphisec earlier this month (see: Infostealer Targets Users Via Fake AI Video Sites).
UNC6032 uses a rotating infrastructure of newly registered domains to avoid detection. New domains often go live in ads within days, or even hours, of registration. It relies on attacker-controlled and compromised Facebook accounts to publish ads. Mandiant found around 10 malicious ads on LinkedIn leading to the group’s fake site klingxai.com, with estimated impressions between 50,000 and 250,000.
The fake sites closely mimic genuine AI services, using identical logos and interfaces. A fraudulent site for Luma Dream AI Machine offered the standard video generation options. When users clicked to generate a video, the site simulated a processing animation before presenting a download button that led to a malicious zip archive hosted on the attacker’s infrastructure. The archive carried Starkveil, a dropper that deploys modular malware families including Grimpull, XWorm and Frostrift. These components are capable of data theft, system reconnaissance and establishing persistence.
Mandiant researchers said that Starkveil is written in Rust and uses a double-extension trick: the filename shows a .mp4 extension, and the real .exe extension follows a long run of invisible Braille Unicode characters so that it is easily overlooked. After execution, Starkveil extracts an embedded archive containing benign executables and its malware components. These components are injected into legitimate Windows processes and are obfuscated to evade detection.
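Detecting the filename trick described above, as an added example that is not code from the article or from Mandiant: the function below strips invisible code points from a filename (U+2800 Braille Pattern Blank, the character the article refers to, plus zero-width characters and bidirectional overrides as an assumed generalization of the same trick), then reports the real extension and any decoy media or document extension placed in front of it. The sample lure filename is constructed for the example and is not a real indicator.

```python
# Added example (not from the Mandiant report or this article): flag filenames
# that hide a real executable extension behind a decoy extension padded with
# invisible Unicode characters, as in the Starkveil .mp4 / .exe lure.
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Code points that render as blank or only affect text direction.
# U+2800 is the Braille Pattern Blank named in the article; the rest are
# assumed additions so the same check covers other invisible padding.
INVISIBLE = {
    "\u2800",  # BRAILLE PATTERN BLANK (category So, so str.strip() ignores it)
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",  # zero-width chars
    "\u00a0", "\u3000",  # NO-BREAK SPACE, IDEOGRAPHIC SPACE
    "\u202e", "\u202d", "\u200e", "\u200f",  # RLO, LRO, LRM, RLM
}
BIDI_OVERRIDES = {"\u202e", "\u202d"}

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "msi", "hta", "lnk", "ps1"}
DECOY_EXTS = {"mp4", "mov", "avi", "mkv", "jpg", "jpeg", "png", "gif",
              "pdf", "txt", "docx", "mp3"}

# Constructed sample: looks like a .mp4 in a file listing, is really a .exe.
SAMPLE_LURE = "Lumalabs_video-1.mp4" + "\u2800" * 40 + ".exe"


@dataclass
class Verdict:
    suspicious: bool
    real_ext: str
    decoy_ext: Optional[str]
    invisible_count: int
    reason: str


def _is_hidden(ch: str) -> bool:
    # Explicit set plus Unicode "format" characters (Cf), which are never visible.
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def analyze_filename(name: str) -> Verdict:
    """Return what the name really ends in, and whether it carries a decoy extension."""
    invisible_count = sum(_is_hidden(ch) for ch in name)
    cleaned = "".join(ch for ch in name if not _is_hidden(ch))
    # Extension segments as a human reads them, left to right, after cleaning.
    segments = [s.strip().lower() for s in cleaned.split(".")]
    real_ext = segments[-1] if len(segments) > 1 else ""
    decoy_ext = next((s for s in segments[1:-1] if s in DECOY_EXTS), None)
    bidi = any(ch in BIDI_OVERRIDES for ch in name)

    if real_ext in EXECUTABLE_EXTS and decoy_ext is not None:
        reason = f"decoy .{decoy_ext} in front of real .{real_ext}"
        if invisible_count:
            reason += f" with {invisible_count} invisible characters"
        return Verdict(True, real_ext, decoy_ext, invisible_count, reason)
    if bidi:
        # RLO/LRO reverse the displayed order, e.g. "gnp.exe" shows as "exe.png".
        return Verdict(True, real_ext, decoy_ext, invisible_count,
                       "bidirectional override in filename")
    if real_ext in EXECUTABLE_EXTS and invisible_count:
        return Verdict(True, real_ext, decoy_ext, invisible_count,
                       "executable with invisible characters in name")
    return Verdict(False, real_ext, decoy_ext, invisible_count,
                   "no double-extension indicators")


def flag_names(names: List[str]) -> List[str]:
    """Filter an archive or download listing down to the names worth blocking."""
    return [n for n in names if analyze_filename(n).suspicious]


if __name__ == "__main__":
    for n in [SAMPLE_LURE, "holiday\u202egnp.exe", "quarterly report.pdf", "movie.mp4"]:
        v = analyze_filename(n)
        print(f"{v.suspicious!s:5} real=.{v.real_ext:<4} {v.reason}")
```

Two details matter when wiring this into a mail gateway or download scanner: `str.strip()` does not remove U+2800 because Python does not classify it as whitespace, so the explicit set is needed; and `os.path.splitext` already returns `.exe` for the lure, since the trick targets the person reading the listing, not the parser. Run the check on archive member names before a user ever sees them.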
To gain persistence, the malware establishes AutoRun registry keys and uses legitimate executables to side-load malicious DLLs. Grimpull, a .NET downloader used in the attack chain, performs anti-virtual-machine checks and connects to command-and-control servers through the Tor network. It also includes functionality to fetch and execute additional encrypted payloads.
XWorm logs keystrokes and scans for sensitive browser extensions tied to password managers and digital wallets. It communicates with attackers over custom TCP protocols and sends exfiltrated data, including login credentials and Facebook account information, through the Telegram API.
Mandiant said that UNC6032 constantly updates its infrastructure. Payloads are hosted in a directory where the most recently modified file is served to users, allowing for quick iteration. The group also adjusts obfuscation techniques across payloads, potentially to avoid static detection signatures.
Meta had already taken action against a “significant portion” of the malicious Facebook ads and domains, beginning last year, before Mandiant alerted the social media giant to additional malicious activity, the cybersecurity company said. LinkedIn has also implemented transparency tools that display ad reach and targeting, helping investigators gauge the scope of the exposure, it said.