Cybercriminals Replicate Kling AI to Deploy Infostealer Malware
A recent malware campaign has been identified that leverages the widespread popularity of the AI media platform Kling AI. Security researchers have uncovered that cybercriminals are using deceptive Facebook ads and counterfeit websites to distribute infostealer malware embedded in what appear to be benign AI-generated media files.
Initiated in early 2025, this operation exploits the remarkable growth of Kling AI, which amassed around 6 million users following its launch in June 2024. Attackers effectively promote fraudulent Facebook pages through sponsored advertisements, steering users towards convincing replicas of Kling AI’s official website. On these spoofed sites, potential victims are prompted to either submit a text prompt or upload an image to create AI media content.
However, the supposed media downloads are in fact ZIP files containing executables disguised as common media formats. To mask the true nature of the executable, its filename incorporates Hangul Filler characters that push the real extension out of view, so the file appears to be a standard JPG or MP4 while actually launching a malware loader once opened.
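A defender-side check for the filename trick described above, added here as an example and not code from the original article or from the researchers it cites: it inspects every member of a ZIP archive, strips Hangul Filler padding, and compares the extension a viewer would see with the extension the operating system will actually honour. The archive it scans is constructed in memory with placeholder bytes; the set of filler code points beyond U+3164 and the extension lists are assumptions chosen for illustration.

```python
"""Flag ZIP members whose names use Hangul Filler padding to hide an executable extension."""
import io
import zipfile

# Blank-rendering filler code points that can push the real extension out of view.
# U+3164 (Hangul Filler) is the one named in the article; the others are related
# fillers included as an assumption about likely variants.
FILLER_CHARS = {"\u3164", "\uffa0", "\u115f", "\u1160"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta", ".js", ".vbs"}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".mov", ".avi", ".mkv"}


def _ext(name: str) -> str:
    """Return the lowercase final extension of a file name, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def inspect_member(name: str) -> dict:
    """Classify one archive member name.

    real_ext is the last extension after filler characters are removed (what Windows
    will execute); apparent_ext is the last extension visible before the padding starts
    (what a user sees in a file listing).
    """
    filler_count = sum(1 for c in name if c in FILLER_CHARS)
    stripped = "".join(c for c in name if c not in FILLER_CHARS)
    real_ext = _ext(stripped)
    first_filler = next((i for i, c in enumerate(name) if c in FILLER_CHARS), len(name))
    apparent_ext = _ext(name[:first_filler]) if filler_count else real_ext

    reasons = []
    if filler_count:
        reasons.append(f"{filler_count} Hangul Filler character(s) in name")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension {real_ext} is executable")
    if filler_count and apparent_ext in MEDIA_EXTS and apparent_ext != real_ext:
        reasons.append(f"appears as {apparent_ext} but is {real_ext}")

    return {
        "name": name,
        "display_name": stripped,
        "filler_count": filler_count,
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_zip(data: bytes) -> list:
    """Inspect every member of a ZIP archive held in memory and return the findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [inspect_member(info.filename) for info in zf.infolist()]


def build_sample_zip() -> bytes:
    """Build a constructed archive resembling the lure: a benign text file beside an
    executable whose name is padded with 40 Hangul Fillers after a '.mp4' token.
    The member contents are placeholder bytes, not a real binary."""
    disguised = "kling_generated_video.mp4" + "\u3164" * 40 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample\n")
        zf.writestr(disguised, b"MZ-placeholder-not-a-real-binary")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['display_name']!r} ({finding['real_ext'] or 'no ext'}): "
              + "; ".join(finding["reasons"]))
```

The same `inspect_member` check can be run over names from a mail gateway's attachment log or a download directory; the key design point is to judge the name after stripping the fillers, because the padded form is what a user's file browser shows and the stripped form is what the OS actually dispatches on.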
Upon execution, this loader, written in .NET, is built with Native AOT compilation, so the binary contains only native machine code and no intermediate language (IL). This complicates reverse engineering and helps it evade traditional security tools that rely on inspecting .NET IL. The loader begins by checking for analysis tools and virtual environments; if none are found, it establishes persistence by modifying the registry and then injects a second-stage payload into legitimate system processes.
The primary payload, identified as PureHVNC RAT, offers cybercriminals comprehensive remote control and data exfiltration capabilities. This RAT (Remote Access Trojan) possesses extensive monitoring features, specifically designed to target cryptocurrency wallets, as well as browser-stored credentials. It actively seeks out over 50 browser extensions commonly associated with digital wallets, including MetaMask, Phantom, and Trust Wallet, while scanning various Chromium-based browsers, such as:
– Google Chrome
– Microsoft Edge
– Brave
– Vivaldi
– Opera
– 360Browser
– QQBrowser
Additionally, the RAT monitors standalone applications, including Telegram, Ledger Live, and Electrum, thereby broadening its data collection scope.
The campaign’s global impact is significant, with reported victims spread across multiple regions, notably in Asia. Security analysts have linked several campaign IDs to specific dates and variations, indicating continuous testing and adaptation by the attackers.
Using Facebook for malvertising and distributing information-stealing malware has become increasingly common among Vietnamese threat actors, as highlighted by research findings. Analysts investigating similar campaigns themed around large language models (LLMs) and AI have noted that the malware contains identifiers in the Vietnamese language, further affirming these origins.
In light of such developments, experts strongly advise against downloading software from unofficial sources, ensuring antivirus programs are updated, enabling multi-factor authentication (MFA), and remaining vigilant against phishing attempts. These proactive measures are essential for mitigating the risks posed by evolving cyber threats.