The threat group tracked as UNC6032 has been exploiting the global interest in artificial intelligence (AI) by deploying large-scale infostealer campaigns.
The campaign leverages fraudulent “AI video generator” websites, promoted through malicious ads on popular social media platforms including Facebook and LinkedIn, to trick users into downloading advanced Python-based info-stealing malware.
Exploiting AI Fascination
Mandiant Threat Defense discovered that UNC6032’s well-orchestrated campaigns exploit high-profile AI tool brands such as Luma AI, Canva Dream Lab, and Kling AI to lure victims.
These fake websites are pushed aggressively through thousands of misleading ads, many originating from attacker-managed Facebook pages and compromised accounts.

The ads have collectively reached millions, with Meta removing vast numbers of these malicious assets proactively, often even before external alerts.
Research using ad transparency libraries in the EU revealed that at least 30 copycat domains have been weaponized since mid-2024.
These domains are cycled rapidly, attempting to avoid detection and account bans.
The operations are not restricted to Facebook alone; LinkedIn and possibly other platforms are also abused, broadening the attack surface and boosting the campaign’s reach.
Once a user clicks a malicious ad and lands on a fake AI website, they are prompted to engage with convincingly designed interfaces that mimic legitimate AI video or image generators.
Regardless of user input, the websites always deliver a ZIP archive containing malware typically disguised with double extensions and special Unicode whitespace to obscure the executable nature of the file.
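The naming trick described above (a benign-looking decoy extension, Unicode whitespace padding, and the real executable extension pushed out of view) can be checked for before an archive is opened. The following is an added detection example written for this article, not code from Mandiant or from the campaign; the archive it scans is constructed inline, and the extension list and the U+2002 padding character are assumptions for illustration.

```python
import io
import unicodedata
import zipfile

# Windows extensions that should never hide behind a decoy name (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".lnk"}
# Zero-width characters that also disappear in a file dialog.
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff"


def analyze_member_name(name):
    """Return findings for one archive member name (empty list if nothing odd)."""
    findings = []
    base = name.rsplit("/", 1)[-1].rstrip(" \t")      # drop directory part
    parts = base.lower().rsplit(".", 1)
    real_ext = "." + parts[1] if len(parts) == 2 else ""
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return findings                               # not an executable name
    stem = base[: -len(real_ext)]
    # Unicode separators (category Zs, other than a plain space) or zero-width
    # characters inside the name push the real extension out of view.
    odd_ws = [c for c in stem
              if (unicodedata.category(c) == "Zs" and c != " ") or c in ZERO_WIDTH]
    if odd_ws:
        findings.append(f"unicode whitespace padding before {real_ext} ({len(odd_ws)} chars)")
    # A second, harmless-looking extension left visible: "clip.mp4<padding>.exe"
    visible = stem.strip()
    if "." in visible:
        decoy = visible.rsplit(".", 1)[1].strip().lower()
        if decoy.isalnum() and ("." + decoy) not in EXECUTABLE_EXTENSIONS:
            findings.append(f"double extension: looks like .{decoy}, is really {real_ext}")
    return findings


def scan_zip(data):
    """Scan raw ZIP bytes; return {member_name: [findings]} for suspicious members."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hits = analyze_member_name(info.filename)
                if hits:
                    results[info.filename] = hits
    return results


def build_sample_zip():
    """Constructed sample archive for the demo; not a real campaign payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Decoy: ".mp4" shown, 40 EN SPACE (U+2002) characters, then the real ".exe".
        zf.writestr("generated_video.mp4" + "\u2002" * 40 + ".exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"harmless text")
        zf.writestr("real_clip.mp4", b"\x00\x00\x00\x18ftyp")
    return buf.getvalue()
```

Only the padded double-extension member is reported; an ordinary `setup.exe` or a genuine `.mp4` produces no finding, so the check targets the deception rather than executables in general.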
Sophisticated Infection Chain
Upon execution, the downloaded file triggers a multi-stage infection process, beginning with a Rust-based dropper tracked as STARKVEIL.

This component deploys a suite of modular malware, including Python infostealers and .NET-based backdoors, using techniques such as DLL search order hijacking, DLL side-loading, in-memory code injection, and AutoRun registry key persistence.
Key malware families identified include:
- GRIMPULL: A .NET-based downloader with extensive anti-VM and anti-analysis mechanisms. It leverages Tor for C2 connections and loads malicious plugins into memory after decrypting and decompressing payloads.
- XWORM: A .NET backdoor featuring advanced reconnaissance, keylogging, command execution, and persistence abilities. It communicates via a bespoke binary protocol, using Telegram APIs for exfiltration and notification.
- FROSTRIFT: Another .NET infostealer, focused on harvesting credentials, browser extension data, and cryptocurrency wallet information. It uses GZIP-compressed Protobuf messages over TCP/SSL to interact with its C2 servers and achieves persistence via registry modifications.
All these payloads can dynamically download additional modules, facilitating further exploitation or lateral movement.
The campaign demonstrates redundant execution paths and obfuscation techniques, making detection and mitigation significantly more challenging.
The campaign, which Google Threat Intelligence Group assesses to have a Vietnam nexus, has affected diverse users and industries worldwide since at least mid-2024.
The threat actors have shown the ability to adapt rapidly by rotating infrastructure, updating malware variants, and using sophisticated anti-analysis techniques.
Mandiant and Meta’s collaborative efforts have led to the takedown of numerous malicious ads, domains, and accounts.
However, the popularity of AI-themed lures and the modularity of the malware ecosystem mean such threats are likely to persist and evolve.
Organizations and end users are urged to exercise heightened vigilance when engaging with AI tools.
Always verify domains, be wary of unsolicited downloads, and deploy robust endpoint protection solutions capable of detecting fileless and modular threats.
Indicators of Compromise (IOCs)
| Category | IOC | Description |
|---|---|---|
| File (ZIP Archive) | 8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b | Malicious ZIP payload |
| STARKVEIL Dropper | d3f50dc61d8c2be665a2d3933e2668448edc31546fea84517f8e61237c6d2e5d | Main dropper executable |
| XWORM DLL | a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3 | Side-loaded DLL for XWORM |
| GRIMPULL DLL | 8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc | GRIMPULL side-loaded DLL |
| FROSTRIFT DLL | dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3 | Side-loaded DLL for FROSTRIFT |
| C2 Domains | strokes.zapto[.]org:7789 ; artisanaqua[.]ddnsking[.]com:25699 ; strokes.zapto[.]org:56001 | Command and control channels |
| Fake AI Domains | lumalabsai[.]in ; klingxai[.]com ; lumaai-labs[.]com ; canvadream-lab[.]com ; luma-dreamai[.]com | Known fraudulent AI service domains |