Hackers are abusing fake AI websites impersonating legitimate AI video generator tools to infect users with infostealer malware and backdoors around the world. The campaign is being run by a Vietnamese hacking group dubbed UNC6032 and has been active since at least mid-2024.
The campaign was observed by security researchers at Mandiant, who claim they’ve discovered at least 30 different fake websites impersonating tools like Luma AI, Canva Dream Lab, and Kling AI, among others. The sites are being promoted via a network of over 120 misleading social media ads reaching millions globally, including over 2.3 million in the European Union alone.
Once the visitor generates their video, they’re given the result as a downloadable ZIP file. Inside is a double-extension file that looks like an MP4 video but is actually an executable; it relies on DLL side-loading to deliver a Rust-based malware dropper called Starkveil. The dropper then executes the Coilhatch launcher, which deploys the XWorm and Frostrift backdoors along with Grimpull.

XWorm and Frostrift collect system information, including but not limited to usernames, OS details, hardware identifiers, and the antivirus program running on the system. XWorm can also log keystrokes, while Frostrift checks for specific messaging apps, browsers, and browser extensions to steal data.
Since the ads run on popular social media platforms, including Facebook and LinkedIn, the target audience for this malware goes beyond typical graphic designers or video editors looking to offload some of their work to AI. Any unsuspecting user wanting to try out a trending AI content generation tool can fall victim to the attack.
The best way to avoid such infections is to cross-check the URL of the website you’re using. You should also avoid clicking on sponsored links or ads that appear in Google searches, as attackers have been known to show a legitimate URL in the ad but redirect the user to a fake website anyway. Enabling the display of file extensions in Windows is also a good way to quickly check whether a file is actually what it appears to be rather than a hidden double-extension executable.
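To make the double-extension trick and the DLL side-loading staging from the infection chain above concrete, here is an added example of a small defensive scanner for a downloaded ZIP. It is not code from the article or from Mandiant: the extension lists are constructed (and deliberately non-exhaustive) assumptions about what Windows will run on a double-click and what an attacker might put in front of it, and the sample archive is built in memory with harmless placeholder bytes that only mimic the `MZ` header of a Windows executable. It flags entries whose name hides an executable behind a media extension (including the whitespace-padding variant), entries whose content is a PE file despite a media extension, and folders that ship an executable next to a DLL.

```python
import io
import os
import zipfile

# Constructed, non-exhaustive lists (assumption, not from the article): extensions
# Windows runs on double-click, and "harmless" extensions used as decoys in front of them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
DECOY_EXTS = {".mp4", ".mov", ".avi", ".jpg", ".png", ".pdf", ".txt"}


def extension_chain(name):
    """Lowercase extension chain of an archive entry, e.g. 'out/clip.mp4.exe' -> ['.mp4', '.exe'].
    Whitespace padding ('clip.mp4      .exe') is stripped so the decoy is still recognised."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_double_extension_lure(name):
    """True when a decoy extension sits directly in front of an executable one."""
    exts = extension_chain(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def looks_like_pe(head):
    """Windows PE files start with the 'MZ' DOS header regardless of their file name."""
    return head[:2] == b"MZ"


def scan_zip(zip_bytes):
    """Return a list of (entry_name, reason) findings for a ZIP held in memory."""
    findings = []
    dirs_with_exe, dirs_with_dll = set(), set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = extension_chain(name)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the PE check
            folder = os.path.dirname(name)
            if last in EXECUTABLE_EXTS:
                dirs_with_exe.add(folder)
            if last == ".dll":
                dirs_with_dll.add(folder)
            if is_double_extension_lure(name):
                findings.append((name, "double extension: decoy media type in front of an executable"))
            elif last in DECOY_EXTS and looks_like_pe(head):
                findings.append((name, "media extension but PE (MZ) header"))
    # An executable bundled with a DLL in the same folder is the classic side-loading layout.
    for folder in sorted(dirs_with_exe & dirs_with_dll):
        findings.append((folder or ".", "executable shipped beside a DLL: possible DLL side-loading staging"))
    return findings


def build_sample_zip():
    """Constructed sample archive shaped like the lure described above; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("video.mp4.exe", b"MZ" + b"\x00" * 62)  # fake PE behind a decoy extension
        zf.writestr("helper.dll", b"MZ" + b"\x00" * 62)     # DLL next to it, as in side-loading
        zf.writestr("clip.mp4", b"MZ" + b"\x00" * 62)       # PE renamed to a media extension
        zf.writestr("readme.txt", b"Thanks for using our AI video tool!")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

The content check matters more than the name check: showing extensions in Explorer defeats `video.mp4.exe`, but a file honestly named `clip.mp4` whose first two bytes are `MZ` will still be run by whatever the user opens it with, so a mail gateway or endpoint tool should look at the header, not just the name.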