Fake AI video generation websites promoted via Facebook and LinkedIn ads were found to spread various malware payloads with reconnaissance and backdoor capabilities, according to Mandiant.
The campaign has been ongoing since at least mid-2024 and is tied to more than 30 websites imitating popular legitimate AI tools like Luma AI, Kling AI and Canva Dream Lab, the cybersecurity company said
in a blog post Tuesday. The threat actor behind the campaign is tracked as UNC6032 by Mandiant, which is a part of Google Cloud, and is believed to be of Vietnamese origin.
Thousands of Facebook ads, with millions of views combined, directed users to the malicious sites, along with about 10 LinkedIn ads that had an estimated 50,000 to 250,000 total impressions.
Similar to the “Noodlophile” infostealer campaign
reported earlier this month by Morphisec, UNC6032’s fake websites claimed to offer free text-to-video or image-to-video capabilities and would ultimately deliver a malicious executable disguised as an .mp4 video file in response to the user’s prompt or image upload.
"We believe the campaign described by Morphisec is conducted by the same threat group," Yash Gupta, senior manager at Mandiant Threat Defense, told SC Media. "Mandiant has observed different paths used by the threat group. Morphisec describes one of the other paths used by this group."
Multi-stage attack chain sideloads malicious DLLs
In an analysis of one UNC6032 attack, Mandiant Threat Defense found the Rust dropper, tracked as STARKVEIL, was used to ultimately deploy three final Python-based payloads after a multi-stage attack chain.
The file downloaded from the fake AI website, in this case a site spoofing Luma AI, was found to use several of the blank Braille pattern Unicode characters to separate the fake .mp4 file extension from the real .exe extension in the file name.
This use of whitespace characters, along with the default .mp4 Windows icon, tricks the user into believing the file is the AI-generated video they were expecting.
The STARKVEIL dropper needs to be executed twice to complete the attack chain – executing the file displays an error window designed to get the user to try opening the video again.
With the first execution, STARKVEIL drops its embedded files into the C:\winsystem\ directory and on the second execution, the Python Launcher py.exe is used to invoke a Python-based dropper tracked as COILHATCH.
COILHATCH decodes a first-stage Base85-encoded Python code that then combines RSA, AES, RC4 and XOR to decrypt a second stage Python bytecode, Mandiant explained. This second-stage code ultimately executes a legitimate, digitally signed executable that is used to sideload the final launcher heif.dll, which spawns additional legitimate processes for dynamic-link library (DLL) sideloading of the final stage payloads.
3 payloads establish backdoor persistence, set stage for infostealing
The final three payloads are known as GRIMPULL, XWORM and FROSTRIFT, with the latter two having both reconnaissance and backdoor capabilities, while GRIMPULL serves as a downloader to retrieve follow-on payloads.
GRIMPULL is sideloaded as avcodec-61.dll into the legitimate python.exe process and performs multiple checks to ensure it is not being run in a sandbox environment or virtual machine (VM). The downloader then connects to a command-and-control (C2) server via Tor and periodically checks for .NET payloads to decrypt and load into memory.
XWORM,
a well known remote access trojan (RAT)
also used in the Noodlophile campaign, is sideloaded as heif.dll into the legitimate pythonw.exe process. UNC6032 used XWORM to gather system information and exfiltrate it to a Telegram chat, as well as log keystrokes and receive commands from an external C2 server.
FROSTRIFT, sideloaded into the ffplay.exe process as libde265.dll, is another backdoor that also performs reconnaissance on the victim machine, targeting cryptocurrency wallets and browser extension related to password management, authentication and additional digital wallets.
This reconnaissance helps set the stage for future infostealing and follow-on attacks, potentially facilitated by payloads retrieved by the GRIMPULL downloader.
The malware also establishes persistence for its backdoors using AutoRun registry keys for XWORM and FROSTRIFT.
Mandiant noted that the UNC6032 campaign highlights an ongoing trend of threat actors leveraging the hype around generative AI for social engineering and malware distribution. Check Point Research reported
another similar campaign earlier this month, which impersonated Kling AI to spread the PureHVNC RAT malware.
In addition to AI video tools, popular large language models (LLMs) are also targeted for impersonation, as seen in a
malvertising campaign imitating DeepSeek that was reported by Malwarebytes in March.
