Security researchers have uncovered a new malware campaign that impersonates the popular AI media platform Kling AI.
The campaign, active since early 2025, uses fake Facebook ads and counterfeit websites to distribute an infostealer hidden inside what appear to be AI-generated media files.
According to Check Point Research (CPR), the operation exploits the surging popularity of Kling AI, which has attracted 6 million users since its launch in June 2024.
By promoting fraudulent Facebook pages through sponsored posts, the attackers redirected users to realistic clones of Kling AI's website. On these spoofed pages, visitors were encouraged to submit a text prompt or upload an image to generate AI media content.
Instead of receiving a genuine image or video, users downloaded a ZIP file containing an executable disguised as a media file. The filename used Hangul Filler characters to obscure its true extension: the invisible filler padding pushes the real executable extension out of view, so the file appears to be an ordinary JPG or MP4 while actually launching a malware loader.
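The following Python script is an added example, not code from Check Point's report or from any project it describes. It shows how a mail gateway, download scanner or incident responder could flag archive members whose names use Hangul Filler (U+3164) or similar invisible characters to hide an executable extension, and it cross-checks the claimed media type against the file's first bytes. It goes beyond the specific case in the article by also catching zero-width characters, right-to-left overrides and plain double extensions; the extra character set, extension lists, archive contents and filenames are assumptions constructed for the demonstration.

```python
# Added example (not from Check Point's report or any project's code): flag
# archive members whose filename hides an executable extension behind
# invisible Unicode such as Hangul Filler (U+3164), and cross-check the
# claimed media type against the file's magic bytes.
import io
import unicodedata
import zipfile
from dataclasses import dataclass

# Code points used to pad or disguise filenames. U+3164 is the one the
# campaign used; the rest are an assumption added here for generality.
INVISIBLE_CHARS = {
    "\u3164",  # HANGUL FILLER (category Lo, so a plain Cf check misses it)
    "\u115f",  # HANGUL CHOSEONG FILLER
    "\u1160",  # HANGUL JUNGSEONG FILLER
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}
# Bidi overrides reverse how the tail of a name is displayed ("photo[RLO]gpj.exe").
BIDI_OVERRIDES = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "webp", "mp4", "mov", "avi", "webm"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}


@dataclass
class Verdict:
    name: str
    cleaned: str          # name with invisible/bidi characters stripped
    hidden_chars: int     # how many such characters were present
    bidi_override: bool
    apparent_ext: str     # extension a user sees before the disguise starts
    real_ext: str         # extension the OS actually uses
    pe_header: bool       # content starts with "MZ" (a Windows executable)
    suspicious: bool


def _is_hidden(c: str) -> bool:
    # Cf covers zero-width and bidi controls; the explicit set covers fillers.
    return c in INVISIBLE_CHARS or c in BIDI_OVERRIDES or unicodedata.category(c) == "Cf"


def _ext(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def inspect_filename(name: str, head: bytes = b"") -> Verdict:
    hidden = sum(1 for c in name if _is_hidden(c))
    bidi = any(c in BIDI_OVERRIDES for c in name)
    cleaned = "".join(c for c in name if not _is_hidden(c))
    # Visible prefix: everything before the first hidden character.
    cut = next((i for i, c in enumerate(name) if _is_hidden(c)), len(name))
    apparent_ext = _ext(name[:cut])
    real_ext = _ext(cleaned)
    pe = head.startswith(b"MZ")
    parts = cleaned.rsplit("/", 1)[-1].lower().split(".")
    double_ext = len(parts) >= 3 and parts[-2] in MEDIA_EXTS and parts[-1] in EXEC_EXTS
    suspicious = (
        ((hidden > 0 or bidi) and real_ext in EXEC_EXTS)  # disguised executable name
        or double_ext                                     # "clip.mp4.exe"
        or (pe and real_ext not in EXEC_EXTS)             # PE bytes under a media name
    )
    return Verdict(name, cleaned, hidden, bidi, apparent_ext, real_ext, pe, suspicious)


def scan_zip(data: bytes) -> list:
    """Inspect every member of a ZIP archive held in memory."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            out.append(inspect_filename(info.filename, head))
    return out


# Constructed sample archive for the demonstration; the member names and
# bytes are invented here, not taken from the campaign.
DISGUISED_NAME = "Generated_Image_2025.jpg" + "\u3164" * 40 + ".exe"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DISGUISED_NAME, b"MZ" + b"\0" * 62)          # PE stub
        zf.writestr("kling_output.mp4", b"\0\0\0\x18ftypmp42")   # benign MP4 header
    return buf.getvalue()


if __name__ == "__main__":
    for v in scan_zip(build_sample_zip()):
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok        '} "
              f"looks like .{v.apparent_ext or '?'} really .{v.real_ext} "
              f"hidden={v.hidden_chars} pe={v.pe_header} -> {v.cleaned}")
```

The important detail is that Hangul Filler has Unicode category Lo (a letter), so a filter that only strips format characters (category Cf) lets it through; the filler must be listed explicitly. The magic-byte check catches the case where the name is clean but the content is still a PE.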
Once opened, the disguised executable deployed a .NET-based loader. Some versions were compiled with Native AOT, which leaves only machine code behind and no intermediate language (IL) to decompile. This made reverse engineering harder and helped the loader evade traditional security tools.
The loader checked for various analysis tools and virtual environments. If none were found, it established persistence through registry modifications and injected a second-stage payload into legitimate system processes.
The final payload was identified as PureHVNC RAT, capable of remote control and data theft.
Widespread Data Theft Capabilities
The RAT had extensive monitoring features, notably targeting cryptocurrency wallets and browser-stored credentials. It specifically looked for over 50 browser extensions linked to digital wallets such as MetaMask, Phantom and Trust Wallet, and scanned numerous Chromium-based browsers, including:
- Google Chrome
- Microsoft Edge
- Brave
- Vivaldi
- Opera
- 360Browser
- QQBrowser
Additionally, it monitored standalone applications such as Telegram, Ledger Live and Electrum, further expanding its reach.
The campaign's global scope is evident, with victims reported across multiple regions, particularly in Asia.
Check Point researchers observed several campaign IDs tied to specific dates and versions, suggesting ongoing testing and refinement by the attackers.
“Facebook malvertising and distributing info stealers have been a favourite strategy of Vietnamese threat actors for some time,” CPR explained.
“Researchers who analyzed other LLM/AI-themed malvertising campaigns also reported that the malware contained variable or field names in the Vietnamese language.”
To defend against similar threats, security experts recommend avoiding unofficial downloads, keeping antivirus software updated, enabling multi-factor authentication (MFA) and staying alert to phishing tactics.
Image credit: PJ McDonnell / Shutterstock.com