
LATEST NEWS

Cybercriminals exploit AI craze with fake video generators to spread malware, warns Mandiant

  • Marijan Hassan - Tech Journalist
  • 42 minutes ago
  • 2 min read

Cybersecurity firm Mandiant, a subsidiary of Google, has uncovered a malware campaign that uses fake AI-powered video generator websites to distribute malicious software. The operation, attributed to a threat group Mandiant tracks as UNC6032 and assessed to be based in Vietnam, has been active since at least mid-2024.



Researchers from the firm discovered a network of these fraudulent websites being promoted through paid advertisements on various social media platforms. This tactic allows the perpetrators to reach a wide audience eager to experiment with the latest AI technology.


"Victims are typically directed to these fake websites via malicious social media ads that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others," Mandiant researchers explained in their report. They have identified thousands of such advertisements that have reached over 2.3 million users across prominent platforms like Facebook and LinkedIn.


Mandiant cautions that the campaign's true reach is likely broader than those ad impressions suggest. It also notes incidents that resulted in the "exfiltration of login credentials, cookies, credit card data, and Facebook information through the Telegram API."
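Exfiltration over the Telegram Bot API is a detection opportunity, since the API lives on a fixed host and its paths carry a recognisable bot token. The script below is an added example written for this article; it is not code from Mandiant's report or from the malware. It runs over a constructed proxy log (format: timestamp, host, process, HTTP method, URL, status, bytes sent; the process-name field is assumed to come from an endpoint or proxy agent) and flags Telegram Bot API calls made by processes that have no business talking to Telegram, marking uploads via sendDocument/sendMessage/sendPhoto as likely exfiltration. The token pattern and the allowlist are assumptions to tune for your estate, and the bot token is redacted before it is reported.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>.
# The token shape below is an assumption based on the documented token format.
BOT_PATH_RE = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{30,40})/([A-Za-z]+)$")

# Methods a stealer would use to push stolen data to an attacker-controlled chat.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Processes allowed to reach Telegram in this (assumed) environment; tune for yours.
ALLOWED_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample proxy log (not real traffic): ts host process method url status bytes_sent
SAMPLE_LOG = """\
2025-05-27T10:14:03Z WS-0421 chrome.exe GET https://web.telegram.org/ 200 512
2025-05-27T10:15:11Z WS-0421 msedge.exe GET https://api.telegram.org/bot7123456789:AAH1xR2s_example_token_value_q9PzTq0/getMe 200 190
2025-05-27T10:16:40Z WS-0421 svchost.exe POST https://api.telegram.org/bot7123456789:AAH1xR2s_example_token_value_q9PzTq0/sendDocument 200 1948213
2025-05-27T10:17:02Z WS-0788 powershell.exe POST https://api.telegram.org/bot7123456789:AAH1xR2s_example_token_value_q9PzTq0/sendMessage 200 3301
2025-05-27T10:18:55Z WS-0788 outlook.exe GET https://outlook.office.com/mail/ 200 1024
"""


def parse_line(line):
    """Split one log line into fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, proc, method, url, status, sent = parts
    return {"ts": ts, "host": host, "process": proc, "http_method": method,
            "url": url, "status": int(status), "bytes_sent": int(sent)}


def redact_token(bot_id, secret):
    """Keep the bot id (useful for pivoting across hosts) but mask the secret."""
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def find_telegram_exfil(log_text):
    """Return Bot API calls from non-allowlisted processes, flagging likely uploads."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parsed = urlsplit(rec["url"])
        if parsed.hostname != "api.telegram.org":
            continue
        match = BOT_PATH_RE.match(parsed.path)
        if not match:
            continue
        bot_id, secret, api_method = match.groups()
        if rec["process"].lower() in ALLOWED_PROCESSES:
            continue
        findings.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "process": rec["process"],
            "api_method": api_method,
            "bot": redact_token(bot_id, secret),
            "bytes_sent": rec["bytes_sent"],
            "likely_exfil": api_method in EXFIL_METHODS and rec["http_method"] == "POST",
        })
    return findings


if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_LOG):
        print(hit)
```

The bot id survives redaction on purpose: the same bot id showing up on several hosts is how you tie otherwise unrelated alerts to one operator, while the secret stays out of tickets and chat channels.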


Mandiant's report corroborates earlier findings from Facebook and security firm Morphisec, all pointing to a coordinated campaign designed to exploit the public's interest in AI tools capable of generating videos from text prompts.


Upon visiting these deceptive websites, users are prompted to download a ZIP file under the guise of accessing AI video generation services. This file contains a malware dropper named STARKVEIL, which, when executed, installs multiple malicious components designed to steal sensitive information and establish persistent access to the victim's system.


The malware components include GRIMPULL, a downloader with anti-analysis capabilities; XWORM, a backdoor facilitating keylogging and command execution; and FROSTRIFT, which targets browser extensions related to password managers and digital wallets.


Mandiant's investigation revealed that the attackers continuously rotate domains and create new ads daily to evade detection. While Meta has taken steps to remove many of these malicious ads and associated accounts, the campaign remains active, posing a significant threat to both individual users and organizations.


Mandiant's report was released on Tuesday last week, coinciding with the Google Safety Engineering Center’s inaugural Scams Summit and a broader Google advisory addressing various online scams, including customer support fraud, fake travel websites, and malicious package tracking messages.
