Fake Kling AI Facebook ads deliver RAT malware to over 22 million potential victims


Fake Facebook pages and sponsored ads on social media platforms are being used to direct users to counterfeit websites disguised as Kling AI, with the goal of tricking them into downloading malware.

Kling AI is an AI-powered platform for generating images and videos from text and image prompts. It was launched in June 2024 and was developed by Kuaishou Technology, headquartered in Beijing, China. As of April 2025, the service has a user base of over 22 million people, according to company data.

“The attack used fake Facebook pages and ads to distribute malicious files, which ultimately led to the execution of a remote access trojan (RAT), giving the attacker the ability to remotely control the victim’s system and steal sensitive data,” Check Point said.

First detected in early 2025, the campaign leads unsuspecting users to spoofed websites such as Klingaimedia(.)com and Klingaistudio(.)com, where they are asked to create AI-generated images or videos directly in their browsers.

However, the website does not generate the advertised multimedia content. Instead, the “image” or “video” it offers for download is actually a malicious Windows executable, disguised using double extensions and Hangul Filler (0xe3 0x85 0xa4) characters that pad the filename so the real extension is pushed out of view.

The payload is delivered in a ZIP archive and acts as a loader that launches remote access trojans and stealers, establishes contact with command-and-control (C2) servers, and exfiltrates credentials, session tokens, and other sensitive data stored in the browser.
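The filename trick described above (a media-looking name, a run of Hangul Filler characters, then the real .exe extension) is easy to miss by eye but easy to catch in code. The following is an added example, not Check Point's tooling or anything from the campaign itself: it inspects the names inside a ZIP archive and flags Hangul Filler padding, other invisible characters, and media-then-executable double extensions. The sample archive is constructed inline with a harmless placeholder payload; the filename shape is the assumption, modelled on the article's description.

```python
import io
import unicodedata
import zipfile

# Hangul Filler, U+3164, encodes to the bytes E3 85 A4 in UTF-8 (the bytes the article cites).
# Its Unicode category is "Lo" (letter), so naive "is this a control character" checks miss it.
HANGUL_FILLER = "\u3164"

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".mov", ".avi", ".mkv"}


def analyze_filename(name: str) -> list[str]:
    """Return the reasons a filename looks disguised; an empty list means nothing suspicious."""
    reasons = []

    if HANGUL_FILLER in name:
        reasons.append("Hangul Filler (U+3164) padding in name")

    # Other invisible characters (format, control, or non-space separators) are also red flags.
    for ch in name:
        if ch != HANGUL_FILLER and ch != " " and unicodedata.category(ch) in ("Cf", "Cc", "Zs"):
            reasons.append(f"invisible character U+{ord(ch):04X} in name")
            break

    # Strip the padding and look at the chain of extensions that remains.
    visible = name.replace(HANGUL_FILLER, "").strip().lower()
    exts = visible.split(".")[1:]
    if exts:
        final = "." + exts[-1]                      # the extension Windows actually honours
        earlier = {"." + e for e in exts[:-1]}      # the extension(s) the user is meant to see
        decoys = earlier & MEDIA_EXTS
        if final in EXECUTABLE_EXTS and decoys:
            reasons.append(f"double extension: looks like {sorted(decoys)[0]} but runs as {final}")

    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a ZIP archive to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = analyze_filename(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one disguised name (placeholder bytes, not a binary) and one clean file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        disguised = "Generated_Image_2025.jpg" + HANGUL_FILLER * 40 + ".exe"
        zf.writestr(disguised, b"placeholder bytes, not an executable")
        zf.writestr("readme.txt", b"clean file")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member))
        for r in reasons:
            print("  -", r)
```

The check deliberately removes the filler before splitting extensions, because the whole point of the padding is to separate the decoy extension from the real one; a rule that only looked at the last few characters of the raw name would still see ".exe", but one that looked for "jpg.exe" as a contiguous string would not.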

In addition to checking for analysis tools such as Wireshark, OllyDbg, Procmon, ProceXP, Pestudio, Fiddler, and others, the loader launches the second stage by modifying the Windows registry to establish persistence and injecting it into legitimate system processes such as “caspol.exe” and “installutil.exe”.


The second-stage payload, obfuscated using .NET Reactor, is a PureHVNC RAT that contacts a remote server (185.149.232(.)197) and comes with the ability to steal data from several cryptocurrency wallet extensions installed in Chrome-based browsers. PureHVNC also takes a plugin-based approach, capturing screenshots when windows whose titles match banking or wallet keywords are opened.

Check Point said it has identified more than 70 promoted posts from fake social media pages impersonating Kling AI. It is not clear who is behind the campaign at the moment, but the evidence gathered from the fake websites and some of the ads suggests that the operators may be based in Vietnam.

The use of Facebook malvertising to distribute stealer malware is a proven tactic of Vietnamese threat actors, who are increasingly taking advantage of the popularity of generative AI tools to push malware.

Earlier this month, Morphisec revealed that Vietnamese threat actors are leveraging fake AI-powered tools as lures to tempt users into downloading an information stealer called Noodles.

“The campaign, which impersonates Kling AI through fake ads and deceptive websites, demonstrates how threat actors can combine social engineering and advanced malware to access their systems and personal data,” Check Point said.

“With tactics ranging from file masquerading to remote access and data theft, as well as indications pointing to Vietnamese threat groups, this operation fits into broader trends in targeted and refined social media-based attacks.”

The Wall Street Journal reported that Meta is fighting a “scam epidemic,” with cybercriminals flooding Facebook and Instagram with a variety of scams, ranging from romance baiting to fraudulent ads. Many of the fraudulent pages are run from China, Sri Lanka, Vietnam and the Philippines, the report added.


In related news, fake job ads on Telegram, Facebook and other social media are increasingly used to lure young Indonesians and traffic them to scam compounds in Southeast Asia, where they are forced to carry out investment fraud and other scams against victims around the world.
