# Full Report
A Vietnam-based group has spread thousands of advertisements, fake websites and social media posts promising access to popular prompt-to-video AI generation tools, delivering infostealers and backdoors instead. The post "Mandiant flags fake AI video generators laced with malware" appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: UNC6032
## Attribution & Identity
* **Attribution:** Vietnam-based group.
* **Aliases:** Tracked by Mandiant and Google Cloud as UNC6032.
## Activity Summary
UNC6032 is executing a campaign that leverages the public interest in emergent AI video generation tools (such as Luma AI, Canva Dream Lab, and Kling AI) as a social engineering lure. Since mid-2024, the group has distributed thousands of advertisements, created fake websites, and posted on social media platforms (including Facebook and LinkedIn) promising access to these tools. These lures direct victims to phishing pages that ultimately deploy malware onto their systems. The volume of advertising suggests the campaign has reached millions of users.
## Tactics, Techniques & Procedures
* **Social engineering:** Exploiting the mainstream trend of AI video generation tools as a lure.
* **Malicious advertising/phishing:** Using advertisements and fake websites to deploy malware.
* **Malware deployment:** Installing infostealers and backdoors on victim devices.
## Targeting
* **Sectors:** Not specified explicitly; the scale of the campaign implies a wide range of industries.
* **Geography:** Not specified explicitly; the scale of the campaign implies a wide range of geographic areas.
* **Victims:** General users interested in AI video tools; compromised parties had credentials, cookies, credit card data, and Facebook information stolen.
## Tools & Infrastructure
* **Malware families used:**
  * Infostealers
  * Backdoors
* **Infrastructure (C2, domains, IPs):** Thousands of advertisements, fake websites, and social media posts used as delivery mechanisms. (Specific C2 servers, domains and IPs are not detailed in the provided context.)
## Implications
UNC6032 is effectively weaponizing a current, high-interest technological trend (AI video generation) to facilitate commodity cybercrime, specifically data theft. The scale (thousands of ads reaching millions of users) and the use of high-visibility platforms (LinkedIn, Facebook) indicate an aggressive reach strategy targeting a broad base of users, potentially including less technically sophisticated individuals drawn in by the hype.
## Mitigations
* Exercise extreme caution when downloading software or accessing services advertised via general social media or search engine results related to hyped technology trends like new AI tools.
* Organizations should remain vigilant regarding credential exposure, as login data and cookies are reported targets of the deployed infostealers.
* Monitor networks for unauthorized installation of infostealers and backdoors originating from user-initiated downloads related to appealing software lures.