Vietnam-Nexus Hackers Distribute Malware Via Fake AI Video Generators

May 28, 2025, 8:51 p.m.

Description

A hacking group with alleged ties to Vietnam has been exploiting social media ads promoting AI video generators to distribute malware since mid-2024. The campaign, discovered by Mandiant, uses fake websites mimicking legitimate AI tools to deploy payloads including Python-based infostealers and backdoors. The group, tracked as UNC6032, has reached millions of users through Facebook and LinkedIn ads, primarily targeting EU countries and the US. The malware distributed includes STARKVEIL, XWORM, FROSTRIFT, and GRIMPULL, designed for information theft and capable of downloading additional plugins. The attackers employ a multi-payload mechanism for resilience against detection. Users are advised to exercise caution when engaging with AI tools and verify website legitimacy.

Date

  • Created: May 28, 2025, 5:57 p.m.
  • Published: May 28, 2025, 5:57 p.m.
  • Modified: May 28, 2025, 8:51 p.m.

Indicators

  • klingxai.com

Attack Patterns

  • Noodlophile Stealer
  • GRIMPULL
  • FROSTRIFT
  • STARKVEIL
  • XWORM
  • UNC6032

Additional Information

  • United States of America