Full Report
Hackers likely based in Vietnam advertised websites offering AI-powered video generation tools, according to Google's Mandiant unit, and then used the sites to spread infostealers and other malware.
Analysis Summary
# Threat Actor: UNC6032
## Attribution & Identity
* **Identification:** Threat cluster tracked by Mandiant under the designation UNC6032 (Mandiant's "uncategorized" prefix for activity not yet merged into a named group).
* **Known Aliases/Associations:** Overlaps with campaigns previously described by Facebook and Morphisec that weaponized interest in AI video generation tools.
* **Attribution:** Believed to be based in Vietnam.
## Activity Summary
* UNC6032 is conducting a widespread campaign that uses fake websites posing as cutting-edge AI video generators to distribute malware.
* Mandiant has tracked the campaign since at least November; the underlying activity appears to date to the middle of 2024 and is ongoing, with victims worldwide.
* Victims are lured via sophisticated malvertising campaigns on social media platforms (Facebook, LinkedIn) promoting these fraudulent sites.
* The group utilizes compromised accounts and newly created Facebook pages to publish promotional ads.
* The campaign rotates domains frequently to evade detection.
## Tactics, Techniques & Procedures
* **Initial Access:** Malvertising via social media ads promoting fraudulent websites masquerading as legitimate AI video generators (e.g., Luma AI, Canva Dream Lab, Kling AI).
* **Execution:** Once a user interacts with the fake site and submits a prompt, the site serves a malware-bearing file in place of the promised generated video; the victim has to open it, so the chain depends on the user trusting the download.
* **Discovery/Defense Evasion:** The malware performs reconnaissance on the victim's environment, checking for installed anti-virus tools and collecting system details (time zone, presence of a camera) before proceeding.
* **Exfiltration:** Observed outcomes include theft of login credentials, browser cookies, credit-card data and Facebook account information, with exfiltration potentially carried out through the Telegram API.
## Targeting
* **Sectors:** No specific sector targeting; the lures aim at a general audience interested in new AI tools and therefore threaten both individual users and organizations.
* **Geography:** Global impact observed; specific ad campaigns were tracked in the U.S., Europe (Facebook ads reaching an estimated 2.3 million users in the EU) and Australia.
* **Victims:** Anyone tempted by "the latest AI tool."
## Tools & Infrastructure
* **Malware Families Used:** STARKVEIL (described as an infostealer that steals data and establishes backdoor access).
* **Infrastructure:** A network of fraudulent websites mimicking legitimate AI video generation platforms, promoted through malicious ads on social media (Facebook, LinkedIn). The domains are rotated frequently. The summary gives no specific C2 domains or IP addresses.
## Implications
* This campaign effectively exploits high public interest in generative AI technology for broad-scale initial compromise.
* Ad reach (millions of users across platforms) measures exposure, not infections, but it still indicates a significant, ongoing threat focused on credential and financial data theft.
* Because the lure is delivered through legitimate social media platforms (via malvertising and compromised accounts) and the download is user-initiated over HTTPS, traditional perimeter controls see nothing anomalous; the vector is especially effective against users who do not expect malware behind a mainstream ad.
## Mitigations
* Users should exercise extreme caution when downloading or installing software linked from social media advertisements, especially for trendy new technologies like AI tools; a "generated video" that arrives as an archive or executable is a red flag.
* Organizations should ensure robust endpoint protection is in place to detect and prevent the execution of infostealers like STARKVEIL, and should restrict execution of user-downloaded binaries where the business allows it.
* Implement credential monitoring and MFA to limit the value of stolen passwords. Note that stolen session cookies bypass MFA entirely, so pair this with session revocation, short session lifetimes and rapid password and cookie invalidation once a host is confirmed compromised.
* Security teams should proactively monitor for similar malvertising campaigns targeting employees on social media platforms, and hunt in DNS, proxy and endpoint telemetry for lookalike domains borrowing the impersonated brands and for Telegram API traffic from processes that are not browsers or a Telegram client.
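The two hunting checks implied by the TTPs and mitigations above, as an added example that is not part of the original report or of Mandiant's tooling: flag DNS/proxy events to domains that borrow an impersonated brand name (Luma, Dream Lab, Kling) without being the vendor's real domain, and flag Telegram Bot API requests from a process that is not a browser or a Telegram client. The log format, the sample lines, the process names, the "legitimate domain" list and the brand keywords are all assumptions constructed for the example; verify the allowlists against your own environment before relying on the output.

```python
"""Hunt for UNC6032-style lure and exfiltration traffic in proxy/DNS telemetry.

Added example; not code from Mandiant or from the reporting this page summarizes.
Log format (constructed for this example): ts host process domain url
"""
import re
from dataclasses import dataclass

# Brand fragments the fake AI video sites borrow (assumption based on the lures named above).
BRAND_KEYWORDS = ("luma", "dreamlab", "kling")
# Assumed real domains of the impersonated vendors; verify against your own allowlist.
LEGIT_DOMAINS = {"lumalabs.ai", "canva.com", "klingai.com"}
# Processes expected to talk to the Telegram Bot API (browsers, desktop client); assumption.
TELEGRAM_OK_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<token>/<method>; we report the method, never the token.
TELEGRAM_BOT_PATH = re.compile(r"/bot(?P<token>[^/]+)/(?P<method>\w+)")


@dataclass
class Event:
    ts: str
    host: str
    process: str
    domain: str
    url: str


@dataclass
class Finding:
    rule: str
    event: Event
    detail: str = ""


def parse_log(text):
    """Parse the constructed whitespace-separated log format, skipping comments/blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=4)
        if len(parts) == 5:
            events.append(Event(*parts))
    return events


def registrable_domain(fqdn):
    """Naive eTLD+1 (last two labels). Fine for .ai/.com/.net; use a public-suffix
    library for multi-label suffixes such as .co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(domain):
    """True when the domain carries an impersonated brand's name but is not the vendor's own."""
    d = domain.lower()
    if registrable_domain(d) in LEGIT_DOMAINS:
        return False
    return any(k in d for k in BRAND_KEYWORDS)


def is_telegram_exfil(event):
    """Telegram Bot API contacted by something other than a browser or Telegram client."""
    return (event.domain.lower() == TELEGRAM_API_HOST
            and event.process.lower() not in TELEGRAM_OK_PROCESSES)


def hunt(events):
    findings = []
    for ev in events:
        if is_lookalike(ev.domain):
            findings.append(Finding("lookalike-ai-video-domain", ev))
        if is_telegram_exfil(ev):
            m = TELEGRAM_BOT_PATH.search(ev.url)
            detail = f"method={m.group('method')}" if m else "non-bot path"
            findings.append(Finding("telegram-bot-api-non-browser", ev, detail))
    return findings


# Constructed sample telemetry, not real data. Tokens are placeholders.
SAMPLE_LOG = """
# ts host process domain url
2025-05-20T10:01:02Z ws-042 chrome.exe lumalabs.ai https://lumalabs.ai/dream-machine
2025-05-20T10:02:15Z ws-042 chrome.exe luma-dreamlab-ai.net https://luma-dreamlab-ai.net/generate
2025-05-20T10:02:40Z ws-042 chrome.exe luma-dreamlab-ai.net https://luma-dreamlab-ai.net/download/video.zip
2025-05-20T10:04:10Z ws-042 AI_Video_Generator.exe api.telegram.org https://api.telegram.org/bot123456:EXAMPLE/sendDocument
2025-05-20T10:05:00Z ws-017 telegram.exe api.telegram.org https://api.telegram.org/bot777:EXAMPLE/getUpdates
2025-05-20T10:06:30Z ws-017 chrome.exe klingai-video.com https://klingai-video.com/
2025-05-20T10:07:00Z ws-017 chrome.exe klingai.com https://klingai.com/
"""


def main():
    for f in hunt(parse_log(SAMPLE_LOG)):
        # Print host, process and domain only; the URL may contain a bot token.
        print(f"{f.rule}: {f.event.ts} {f.event.host} {f.event.process} -> {f.event.domain} {f.detail}")


if __name__ == "__main__":
    main()
```

The keyword rule is deliberately narrow: it catches brand-borrowing lookalikes but misses generic names such as `ai-video-generator.top`, and because the campaign rotates domains, pair it with newly-registered-domain enrichment rather than a static blocklist. The Telegram rule produces a false positive for any legitimate automation that uses a bot token, so extend `TELEGRAM_OK_PROCESSES` to match your environment and treat a `sendDocument` or `sendMessage` call from a freshly downloaded executable as the high-confidence signal.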