Cybercriminals Mimic Kling AI to Distribute Infostealer Malware

A new malware campaign disguised as the popular AI media platform Kling AI has been discovered by security researchers.
The campaign, which began in early 2025, uses fake Facebook ads and counterfeit websites to distribute an infostealer embedded in seemingly innocuous AI-generated media files.
According to Check Point Research (CPR), the operation exploits the soaring popularity of Kling AI, which has attracted 6 million users since its launch in June 2024.
By promoting fraudulent Facebook pages through sponsored posts, attackers successfully redirected users to realistic clones of Kling AI’s website. On these spoofed pages, visitors were encouraged to submit a text prompt or upload an image to generate AI media content.
Instead of receiving a genuine image or video, users downloaded a ZIP file containing an executable disguised as a media file. The filename used Hangul Filler characters to obscure its true format, appearing to be a standard JPG or MP4, while actually launching a malware loader.
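The filename trick above can be checked mechanically before an archive's contents are opened. The following is an added detection example, not Check Point's tooling: it strips Hangul Filler characters (U+3164) from an entry name, compares the extension a user sees with the one Windows will actually execute, and scans every entry of a ZIP archive. The two extra invisible characters and the sample archive are constructed assumptions.

```python
"""Flag archive entries whose names use Hangul Filler (U+3164) padding to
make an executable look like a media file (e.g. "clip.mp4<fillers>.exe").
Added example; the archive contents below are constructed, not real samples."""
import io
import zipfile

# U+3164 HANGUL FILLER is the character named in the report; U+115F and
# U+1160 are other invisible Hangul fillers added here as an assumption.
INVISIBLE = {"\u3164", "\u115f", "\u1160"}
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "pif", "msi"}


def analyze_name(name: str) -> dict:
    """Return the extension a viewer sees versus the one that will execute."""
    fillers = sum(1 for ch in name if ch in INVISIBLE)
    cleaned = "".join(ch for ch in name if ch not in INVISIBLE)
    parts = cleaned.lower().rsplit(".", 2)  # e.g. ['clip', 'mp4', 'exe']
    real_ext = parts[-1] if len(parts) > 1 else ""
    apparent_ext = parts[-2] if len(parts) > 2 else ""
    # Any invisible padding in front of an executable extension is a red flag,
    # whether or not a decoy media extension precedes it.
    suspicious = fillers > 0 and real_ext in EXEC_EXT
    return {"fillers": fillers, "apparent": apparent_ext,
            "real": real_ext, "suspicious": suspicious}


def scan_zip(data: bytes) -> list:
    """Analyze every entry name in an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [dict(name=i.filename, **analyze_name(i.filename))
                for i in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a padded fake MP4 plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kling_output.mp4" + "\u3164" * 40 + ".exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"constructed benign entry")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        print(entry)
```

Real archives can be fed to `scan_zip` by passing the file bytes; entries with `fillers > 0` deserve a look even when the final extension is not in `EXEC_EXT`.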
Once opened, the disguised executable deployed a .NET-based loader; some versions were compiled with Native AOT, which ships only machine code and leaves no intermediate language (IL) behind. This made reverse engineering harder and helped the loader evade traditional security tools.
The malware loader checked for various analysis tools and virtual environments. If none were found, it established persistence through registry modifications and injected a second-stage payload into legitimate system processes.
The final payload was identified as PureHVNC RAT, capable of remote control and data theft.
Widespread Data Theft Capabilities
The RAT exhibited extensive monitoring features, particularly targeting cryptocurrency wallets and browser-stored credentials. It specifically looked for over 50 browser extensions linked to digital wallets such as MetaMask, Phantom and Trust Wallet, and scanned numerous Chromium-based browsers, including:
- Google Chrome
- Microsoft Edge
- Brave
- Vivaldi
- Opera
- 360Browser
- QQBrowser
Additionally, it monitored standalone applications like Telegram, Ledger Live and Electrum, further expanding its reach.
The global scope of the campaign is evident, with victims reported across multiple regions, particularly in Asia.
Check Point researchers observed several campaign IDs linked to specific dates and variations, suggesting ongoing testing and refinement by the attackers.
“Facebook malvertising and distributing information stealers have been a favorite technique of Vietnamese threat actors for some time,” CPR explained.
“Researchers who analyzed other LLM/AI themed malvertising campaigns also reported the malware contained variable or field names in the Vietnamese language.”
To defend against similar threats, security experts recommend avoiding unofficial downloads, keeping antivirus software updated, enabling multi-factor authentication (MFA) and staying alert to phishing tactics.
Image credit: PJ McDonnell / Shutterstock.com