Introduction

A sophisticated malware campaign has emerged [1] [4] that exploits the popularity of the AI-powered video generation platform Kling AI, developed by Kuaishou [7], which has gained approximately 6 million users since its launch in June 2024 [2] [4]. Cybercriminals are capitalizing on this popularity with deceptive Facebook ads and counterfeit websites that closely mimic Kling AI’s official site, reaching millions of users globally [5].

Description

A sophisticated malware campaign has emerged [1] [4] that exploits the popularity of Kling AI, the AI-powered video generation platform developed by Kuaishou [7], which has gained approximately 6 million users since its launch in June 2024 [2] [4] [9]. The attackers run deceptive Facebook ads that point to counterfeit websites closely mimicking Kling AI’s official site, hosted on look-alike domains such as “klingaimedia.com” and “klingaistudio.com”. These ads have reached more than 22 million users globally [5]. Visitors are invited to submit a text prompt or upload an image, exactly as they would on the real service, in the belief that they are about to receive AI-generated media.

Once a prompt is submitted, the site presents a download link for the supposed AI-generated content. The download is actually a ZIP archive containing a malware loader whose filename is crafted to look like a common media file [2]. The name is built from a decoy such as “GeneratedImage202597607092.jpg” or “maliciousfile.mp4”, followed by a long run of Hangul Filler characters (U+3164), followed by the real extension, which is usually “.exe”. Because the fillers render as blank space, the “.exe” is pushed beyond the portion of the name that standard file dialogs display, so the user sees what appears to be an image or video. Any check of such a file should therefore go by the last extension in the raw name (or by the file’s actual content), not by what the dialog shows.
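The following detector, written for this article as an added example and not code from any of the cited reports, implements the check described above: it strips the invisible padding, recovers the extension the operating system will honour, recovers the decoy extension the user would read, and flags the mismatch. Hangul Filler (U+3164) is the character named in the reports; the other invisible code points, the extension lists, and the sample filenames are assumptions added here to make the check general.

```python
"""Flag filenames that hide an executable extension behind a decoy media
extension and a run of invisible filler characters. Added example; not code
from any of the cited reports."""

# Hangul Filler (U+3164) is the character named in the reports; the other
# code points are an assumption: common invisible characters that achieve
# the same effect in file dialogs.
FILLER_CHARS = frozenset({
    "\u3164",  # HANGUL FILLER
    "\u115f",  # HANGUL CHOSEONG FILLER
    "\u1160",  # HANGUL JUNGSEONG FILLER
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
})

# Extensions Windows will execute when the file is double-clicked (assumed list).
EXECUTABLE_EXTS = frozenset({
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "lnk", "ps1",
})

# Extensions a lure is likely to borrow so the file looks like generated media.
DECOY_EXTS = frozenset({
    "jpg", "jpeg", "png", "gif", "webp", "bmp", "mp4", "mov", "avi", "mkv",
    "webm", "pdf", "txt",
})


def split_ext(name: str) -> tuple[str, str]:
    """Split 'stem.ext' at the last dot; ext is lowercased, '' if there is none."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext.lower()


def analyze_filename(name: str) -> dict:
    """Classify one basename as 'benign', 'suspicious' or 'masquerading'."""
    filler_count = sum(1 for ch in name if ch in FILLER_CHARS)
    # The extension the OS actually honours: everything after the last dot,
    # with any fillers removed in case the extension itself was padded.
    stem, true_ext = split_ext(name)
    true_ext = "".join(ch for ch in true_ext if ch not in FILLER_CHARS)
    # What the user reads: the stem with the padding stripped; its own
    # extension, if any, is the decoy.
    visible_stem = "".join(ch for ch in stem if ch not in FILLER_CHARS).rstrip()
    _, decoy_ext = split_ext(visible_stem)

    if true_ext in EXECUTABLE_EXTS and (decoy_ext in DECOY_EXTS or filler_count):
        verdict = "masquerading"   # executable dressed up as media
    elif filler_count or (true_ext in EXECUTABLE_EXTS and decoy_ext):
        verdict = "suspicious"     # hidden padding, or an odd double extension
    else:
        verdict = "benign"
    return {
        "name": name,
        "visible_name": visible_stem,
        "true_ext": true_ext,
        "decoy_ext": decoy_ext,
        "filler_count": filler_count,
        "verdict": verdict,
    }


def scan_names(names) -> list[dict]:
    """Return the analyses of every name that is not benign."""
    return [r for r in map(analyze_filename, names) if r["verdict"] != "benign"]


# Constructed sample set: the first two imitate the lure described in the
# reports; the remaining names are controls.
SAMPLE_NAMES = [
    "GeneratedImage202597607092.jpg" + "\u3164" * 40 + ".exe",
    "GeneratedVideo.mp4" + "\u3164" * 25 + ".scr",
    "report.pdf.exe",                  # classic double extension, no padding
    "notes" + "\u3164" * 5 + ".txt",   # padding, but not executable
    "holiday.jpg",
    "setup.exe",
]

if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        print(f'{r["verdict"]:12} true=.{r["true_ext"]:<4} decoy=.{r["decoy_ext"]:<4} '
              f'fillers={r["filler_count"]:3}  shown as "{r["visible_name"]}"')
```

Run it over the basenames of files extracted from a downloaded ZIP (or over a mail gateway’s attachment log); anything reported as “masquerading” should be quarantined before a user can double-click it, and “suspicious” names deserve a look because a legitimate file has no reason to carry invisible padding.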

When the file is run, the malware copies itself onto the system and starts a .NET-based loader [7]. Some variants are compiled with Native AOT, so the binary is native code rather than IL and does not look like a typical managed .NET executable to the tooling that analysts and security products rely on. The loader carries anti-analysis checks that look for 19 different analysis tools and virtual-machine environments. Only if none is found [2] [8] does it proceed: it adds a registry Run key for persistence and deletes its original executable after it has run, leaving fewer artefacts for responders to find [9].

The loader then injects the second-stage payload into a legitimate system process [2] [3] [4] [8] and keeps it alive with a batch script that restarts it if it stops. The payload is the PureHVNC remote access trojan (RAT), which connects the host to the attackers’ command-and-control (C2) server [7] and gives them full remote control through a hidden desktop session (the “HVNC” in its name) as well as a channel for data theft. The RAT specifically watches for more than 50 browser extensions belonging to cryptocurrency wallets such as MetaMask, Phantom and Trust Wallet [2] [4], and for standalone applications including Telegram and Ledger Live [2]. A plugin named PluginWindowNotify monitors foreground window captions and captures a screenshot when one of these applications is in the foreground [1]. Because the RAT operates hidden from the user [5], the attackers can watch activity [5] [7], log keystrokes [5], and switch on webcams and microphones [5], raising serious concerns about identity theft and misuse of personal information [5].

The campaign has global reach [1], with the highest concentration of victims reported in Asia [2]. Distinct campaign IDs and varying tactics across the lures indicate that the operators keep refining them [4]. Vietnamese debug messages and local phone numbers in the artefacts point to Vietnamese threat actors with a history of similar Facebook malvertising operations [1]. From the victim’s side the chain is simple: they click “Generate” on the fake site [6] [9], sit through a simulated processing delay, and are then shown a download prompt styled after legitimate platforms [9]. Configuration strings in the malware confirm its stealth and persistence features [9], and the operation as a whole shows how quickly attackers adapt their lures to current technology trends [6].

To counter this threat, users should treat sponsored ads with caution, learn the signs of a fraudulent ad, verify the source of any site before downloading from it, keep their systems updated, and run current antivirus or endpoint protection [5] [7]. Social media platforms, for their part, need stronger monitoring and verification of advertisements to reduce the volume of fake ads [5]. The published indicators of compromise include SHA-256 hashes for the stage-1 loaders and the PureHVNC payload, the domains of the fake Kling AI websites, the URLs of the Facebook malvertising pages, and the IP addresses of the associated C2 servers [3]; defenders can use these for retrospective hunting in DNS, proxy, and endpoint logs.

Conclusion

The malware campaign targeting Kling AI users highlights the evolving tactics of cybercriminals who exploit popular platforms to reach a broad audience. The global impact [4], particularly in Asia [2], underscores the need for heightened vigilance and improved security measures. Users must remain cautious of online threats, while social media platforms should enhance their ad monitoring systems. As technology continues to advance, both users and platforms must adapt to mitigate the risks posed by such sophisticated cyber threats.

References

[1] https://securityonline.info/ai-scam-alert-fake-kling-ai-sites-deploy-infostealer-hide-executables/
[2] https://trustcrypt.com/cybercriminals-replicate-kling-ai-to-deploy-infostealer-malware/
[3] https://www.hendryadrian.com/the-sting-of-fake-kling-facebook-malvertising-lures-victims-to-fake-ai-generation-website/
[4] https://franetic.com/cybercriminals-imitate-kling-ai-to-spread-infostealer-malware/
[5] https://cloudindustryreview.com/fake-kling-ai-facebook-ads-spread-rat-malware-to-over-22-million-users/
[6] https://cybermaterial.com/fake-kling-ai-sites-spread-malware-to-users/
[7] https://hackread.com/scammers-use-fake-kling-ai-ads-to-spread-malware/
[8] https://www.infosecurity-magazine.com/news/cyber-criminals-mimic-kling-ai/
[9] https://cybersecuritynews.com/hackers-created-fake-version-of-ai-tool/