The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website

May 21, 2025, 10:11 p.m.

Description

A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious files disguised as AI-generated media, which are actually executable loaders. These loaders employ advanced evasion techniques, including .NET Native AOT compilation, and deploy infostealers with extensive monitoring capabilities. The campaign has a global reach, particularly targeting users in Asia, and exploits the growing popularity of AI content generation platforms. The malware focuses on stealing credentials, session tokens, and monitoring crypto-related activities across multiple browsers and applications.

Date

  • Created: May 21, 2025, 3:37 p.m.
  • Published: May 21, 2025, 3:37 p.m.
  • Modified: May 21, 2025, 10:11 p.m.

Indicators

Attack Patterns