Hackers Deploy Counterfeit AI Tool, Targeting 6 Million Users

A coordinated cyber threat campaign emerged, leveraging the meteoric rise of AI media generation platforms to distribute malicious payloads globally.

Security researchers at Check Point Research uncovered that a threat actor impersonated Kling AI, a leading image and video synthesis tool with over 6 million users since its 2024 launch, to deliver malware at scale.

The attackers meticulously crafted a fraudulent web presence, including counterfeit Facebook pages and paid social advertisements designed to mimic the official Kling AI branding.

Unsuspecting users were lured to a convincing spoofed website where they were encouraged to generate AI-powered images or videos in-browser.

Instead of receiving genuine media content, victims were prompted to download files purportedly in .mp4 or .jpg formats.

These files, however, were executables: their names carried a double extension, with the media suffix (.mp4 or .jpg) followed by a long run of Hangul Filler (U+3164) characters and then the real .exe suffix. Because the filler characters render as blank space, the true extension was pushed out of view in Windows file dialogs and Explorer, so the file appeared to be an ordinary image or video.
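As an added example (not code from the Check Point report or the Cyber Press article), the following Python script shows both sides of the trick: what Explorer displays once the filler characters blank out the real extension, and how a download or EDR log consumer can flag such names from the string alone. The sample names are constructed in the style the campaign used, not real IOCs; the extra invisible characters beyond U+3164 and the right-to-left override (U+202E) check are generalizations of the technique, not findings the report makes.

```python
"""Flag executables disguised as media files by double extension plus
invisible padding. Pure string analysis, so it runs over names pulled from
download, proxy or EDR logs without touching the filesystem."""

# Extensions Windows will execute, and the media extensions they hide behind.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
MEDIA_EXTS = {".mp4", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".mp3"}

# Code points that render as blank in Explorer and file dialogs. Hangul Filler
# (U+3164) is the one the campaign used; the others are related invisible
# characters added here as a generalization (an assumption, not in the report).
FILLER_CHARS = {
    "\u3164": "HANGUL FILLER",
    "\u115f": "HANGUL CHOSEONG FILLER",
    "\u1160": "HANGUL JUNGSEONG FILLER",
    "\u200b": "ZERO WIDTH SPACE",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}
# Right-to-left override: the other classic extension-spoofing trick.
RTLO = "\u202e"


def _extensions(name: str) -> list[str]:
    """All dot-suffixes of a name, lower-cased, with filler characters removed."""
    cleaned = "".join(c for c in name if c not in FILLER_CHARS)
    return ["." + p.strip().lower() for p in cleaned.split(".")[1:]]


def analyze_filename(name: str) -> dict:
    """Return what the user sees, what actually runs, and why the name is suspicious."""
    findings = []
    fillers = sorted({FILLER_CHARS[c] for c in name if c in FILLER_CHARS})
    if fillers:
        findings.append("invisible filler characters: " + ", ".join(fillers))
    if RTLO in name:
        findings.append("RTLO override present; displayed extension is reversed")

    exts = _extensions(name)
    real_ext = exts[-1] if exts else ""
    if real_ext in EXECUTABLE_EXTS and any(e in MEDIA_EXTS for e in exts[:-1]):
        findings.append(f"media extension in front of real {real_ext} extension")

    # With "hide extensions for known file types" on, Explorer drops the final
    # extension, so the fillers leave nothing but blank space after ".jpg".
    shown = "".join(" " if c in FILLER_CHARS else c for c in name)
    last_dot = shown.rfind(".")
    if last_dot > 0 and real_ext in EXECUTABLE_EXTS:
        shown = shown[:last_dot]

    return {
        "name": name,
        "displayed_in_explorer": shown,
        "real_extension": real_ext,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample names in the style of the campaign (not real IOCs).
    samples = [
        "Generated_Image_2025-04-04.jpg" + "\u3164" * 20 + ".exe",
        "Generated_Video_2025-04-04.mp4" + "\u3164" * 20 + ".exe",
        "holiday.jpg",
        "invoice\u202egpj.exe",
    ]
    for s in samples:
        r = analyze_filename(s)
        print(f"{r['displayed_in_explorer']!r} -> really {r['real_extension'] or 'no ext'}: "
              f"{r['findings'] or 'clean'}")
```

A filename-only check like this is cheap to run at the mail gateway or on download events, and the same logic maps directly onto a detection rule: any name containing U+3164 (or its relatives) immediately before a final executable extension is worth an alert regardless of what the user believes they downloaded.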

Figure: Fake Kling AI’s infection chain.

Attack Exploits Kling AI Platform Surge

Upon execution, these loaders, most of them built with .NET and, in the more advanced cases, compiled with .NET Native AOT (Ahead-Of-Time) compilation, applied a range of anti-analysis techniques.

The observed loaders checked for running reverse-engineering and monitoring tools, such as Procmon, Wireshark, and OllyDbg, and terminated immediately if any were found.

For persistence, loaders copied themselves into %APPDATA%\Local and modified the Windows Registry Run key.

Once running, they injected their payload into a legitimate Windows binary (e.g., InstallUtil.exe) so that the malicious code executed under a trusted process name, a further step to evade endpoint security solutions.

Figure: The "generated" media file as shown in a standard Windows Explorer view.

The malware campaign’s second stage, delivered post-loader execution, was predominantly the PureHVNC Remote Access Trojan (RAT).

This payload, typically obfuscated with .NET Reactor and delivered as a DLL, carried extensive information-stealing capabilities.

Upon deobfuscation, analysts observed encoded configuration blobs containing command-and-control (C2) details, campaign tracking information, and embedded certificates.

The campaign IDs often included references to Kling AI and timestamps, indicating multiple sub-campaigns and ongoing threat actor testing.

Malicious Loader Conceals Infostealer

PureHVNC’s operational scope extends beyond generic credential theft. It actively scans browser storage directories for sensitive data and specifically targets a vast array of cryptocurrency wallet Chrome extensions, including MetaMask, TronLink, Binance Chain Wallet, Phantom, and over thirty others.

The RAT also monitors user activity, capturing screenshots only when “high-value” windows are identified, such as those of banks, major crypto exchanges, or payment platforms.

This selective exfiltration is driven by a hardcoded keyword list, ranging from “coinbase” and “paypal” to numerous international financial institutions.

According to the report, attribution evidence suggests the campaign originated with Vietnamese-speaking actors, consistent with previous Facebook malvertising and infostealer campaigns.

Debug messages, web page code, and social profile claims all point to Vietnam-based operators, some of whom include local contact information in their fraudulent advertisements.

The campaign’s infection chain combines social engineering, technical obfuscation, and rapid exploitation of a trending AI tool’s brand.

Most fraudulent domains were short-lived, but continued discovery of similarly themed active sites underscores the campaign’s persistence and adaptability.

Indicators of Compromise (IOCs)

Type                 Value/Hash
Loader SHA-256       F5B31BD394E0A3ADB6BD175207B8C3CCC51850C8F2CEE1149A8421736168E13E
Loader SHA-256       F89298933FED52511BB78F8F377979190E37367D72CCF4F3B81374A70362CC42
Loader SHA-256       BEEEA592251A0A205B3BDB34802BD2F4F5181EE38226A05EC468A86BE44E9508
Loader SHA-256       732AA8ED8CA9A12F4BFC29A693EC3EBA74ED1B2D00DE4296180D91B86D09747B
PureHVNC SHA-256     B33E162A78B7B8E7DBBAB5D1572D63814077FA524067CE79C37F52441B8BD384
PureHVNC SHA-256     0C9228983FBD928AC94C057A00D744D6BE4BD4C1B39D1465B7D955B7D35BF496
Plugin SHA-256       1E66EBAEF295C2A32245162979D167CEBAD1FECE51B7CDB6A6C3A1D705BEFA6B
Fake Domain          klingaimedia[.]com
Fake Domain          klingaistudio[.]com
Fake Domain          kingaimediapro[.]com
Fake Facebook Page   https://www.facebook[.]com/61574724896485/
Fake Facebook Page   https://www.facebook[.]com/people/KLING-AI/61574316153107/
C2 IP                185.149.232[.]197
C2 IP                185.149.232[.]221
C2 IP                147.135.244[.]43

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
