A Vietnam-nexus hacking group distributes infostealers and backdoors via social media ads promoting fake AI generator websites
Analysis Summary
# Threat Actor: UNC6032 (Attributed to Vietnam)
## Attribution & Identity
- **Identification:** Group tracked as **UNC6032** by Mandiant (Google Threat Intelligence Group - GTIG).
- **Attribution:** Assessed by GTIG as having a connection to **Vietnam**.
- **Associated Activity:** Findings align with a Morphisec report on **Noodlophile Stealer**, indicating likely Vietnamese origin for that malware as well.
## Activity Summary
- **Campaign Focus:** Leveraging high public interest in Generative AI tools, specifically AI-powered video-generating services, to distribute malware.
- **Timeline:** Campaigns active since at least **mid-2024**.
- **Infection Method:** Victims are directed to **fake ‘AI video generator’ websites** through malicious social media advertisements (Facebook pages/compromised accounts and LinkedIn).
- **Outcome:** Malware distribution leading to the deployment of payloads such as **Python-based infostealers** and **various backdoors**.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing via **malicious social media advertisements** (Facebook, LinkedIn) linking to fraudulent websites.
- **Execution/Persistence:** Deployment of payloads including Python-based infostealers and backdoors.
- **Specific TTPs Mentioned:**
  - Weaponization of trending topics (AI video generators).
  - Use of malicious advertisements for initial access.
  - Deployment of Noodlophile Stealer (indirectly associated/observed).
## Targeting
- **Sectors:** Not explicitly detailed in the provided excerpt, but the reliance on broad social media advertising suggests a wide net, potentially targeting individuals or organizations interested in trending AI technology.
- **Geography:** Origin linked to **Vietnam**, but the targeting mechanism (global social media platforms) suggests international reach.
- **Victims:** Generic users interested in AI tools reachable via Facebook and LinkedIn advertisements.
## Tools & Infrastructure
- **Malware Families Used:**
  - Python-based **infostealers**.
  - Various **backdoors**.
  - Potentially **Noodlophile Stealer** (based on correlated reporting).
- **Infrastructure (C2, domains, IPs):**
  - **Fake ‘AI video generator’ websites**.
  - Malicious advertisements originating from attacker-created Facebook pages or compromised Facebook accounts.
## Implications
UNC6032 demonstrates an adaptive approach by immediately weaponizing a highly relevant, trending technology (Generative AI) to maximize reach through widely used social platforms. This indicates a threat actor capable of pivoting rapidly to capitalize on public interest, posing a significant risk of broad-scale compromise by exploiting user trust in new software trends.
## Mitigations
- Exercise extreme caution when downloading or installing software from third-party websites promoted via social media advertising, especially for trending, high-interest tools like AI generators.
- Harden endpoint security to detect and block known malware signatures, including Python-based threats.
- Implement robust network monitoring for unexplained outbound connections characteristic of backdoor activity.
- Organizations should provide user training emphasizing the risks associated with advertisements promoting compelling new technologies.