Malicious Kling AI Facebook Advertisements Distribute RAT Malware to Over 22 Million Potential Targets


Counterfeit Facebook pages and sponsored advertisements on the social media platform have been identified as tools used to direct users to fraudulent websites impersonating Kling AI, with the intent of deceiving victims into downloading malware.

Kling AI is an advanced artificial intelligence platform designed to synthesize images and videos from textual and visual prompts. Launched in June 2024 by Kuaishou Technology, headquartered in Beijing, China, the service has garnered a user base exceeding 22 million as of April 2025.

The malicious campaign, first detected in early 2025, involves directing unsuspecting users to spoofed websites such as klingaimedia[.]com or klingaistudio[.]com, where users are prompted to create AI-generated images or videos directly in their web browsers. However, the purported services do not deliver as advertised. Instead, they offer what appear to be images or videos that, in reality, are malicious Windows executables disguised with double extensions and hidden through Hangul Filler (0xE3 0x85 0xA4) characters.
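The file-name trick described above can be checked mechanically. The following Python example is added here as an illustration and is not code from the article or from the researchers it cites; it strips Hangul Filler (U+3164, whose UTF-8 encoding is the 0xE3 0x85 0xA4 byte sequence named above), reads the extension that actually remains, and flags names where a media-looking decoy extension sits in front of an executable one. The archive and member names it scans are constructed samples, not the campaign's files.

```python
import io
import zipfile

# Hangul Filler, U+3164, encodes in UTF-8 as the bytes 0xE3 0x85 0xA4 cited in the article.
HANGUL_FILLER = "\u3164"
assert HANGUL_FILLER.encode("utf-8") == b"\xe3\x85\xa4"

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".mov", ".avi"}


def analyze_filename(name: str) -> dict:
    """Describe the disguise indicators present in a single file name.

    Hangul Filler renders as blank space, so a long run of it pushes the real
    extension out of the visible part of the name in file dialogs. The check
    therefore removes the filler first and looks at what is actually left.
    """
    filler_count = name.count(HANGUL_FILLER)
    visible = name.replace(HANGUL_FILLER, "")
    parts = visible.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    true_ext = exts[-1] if exts else ""
    decoy_ext = exts[-2] if len(exts) >= 2 else ""

    reasons = []
    if filler_count:
        reasons.append(f"{filler_count} Hangul Filler characters pad the name")
    if true_ext in EXECUTABLE_EXTS and decoy_ext in MEDIA_EXTS:
        reasons.append(f"media decoy extension {decoy_ext} precedes real extension {true_ext}")

    return {
        "name": name,
        "visible_name": visible,
        "true_ext": true_ext,
        "decoy_ext": decoy_ext,
        "filler_count": filler_count,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_zip(data: bytes) -> list:
    """Return the analysis of every suspicious member name in a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = [analyze_filename(info.filename) for info in zf.infolist()]
    return [r for r in results if r["suspicious"]]


def build_sample_zip() -> bytes:
    """Constructed stand-in for a lure archive: harmless text bodies, disguised names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Generated_Image.jpg" + HANGUL_FILLER * 40 + ".exe", "not a real binary")
        zf.writestr("Generated_Video.mp4" + HANGUL_FILLER * 60 + ".exe", "not a real binary")
        zf.writestr("readme.txt", "clean member")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(repr(hit["visible_name"]), "->", "; ".join(hit["reasons"]))
```

Because the check works on the name the operating system will act on rather than on what a user sees, it is suitable for a mail or download gateway that unpacks archives before delivery.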

The malicious payload is packaged within a ZIP archive and functions as a loader to execute a remote access Trojan (RAT) that subsequently establishes a connection with a command-and-control (C2) server, exfiltrating sensitive data such as browser-stored credentials and session tokens. The loader is designed to evade detection by monitoring for analysis tools like Wireshark and Procmon, making modifications in the Windows Registry to ensure persistence, and injecting the secondary payload into legitimate system processes such as “CasPol.exe” or “InstallUtil.exe.”

The second-stage payload, obfuscated utilizing .NET Reactor, is identified as the PureHVNC RAT, which communicates with a remote server (185.149.232[.]197). This RAT is capable of stealing data from various cryptocurrency wallet extensions installed on Chromium-based browsers and employs a plugin framework to capture screenshots when window titles associated with banking institutions and wallets are active.
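The behaviour described in the two paragraphs above (the loader hollowing out CasPol.exe or InstallUtil.exe, and the injected RAT then calling out to the reported server) gives a defender two correlatable signals. The Python below is an added example, not code from the article or Check Point: it runs a small rule set over constructed process-creation and network-connection records in a simplified, Sysmon-like shape. The only value taken from the article is the C2 address; the record format, the EXPECTED_PARENTS allow-list and the sample events are assumptions chosen for illustration.

```python
import ntpath

# IoC from the article, written there de-fanged as 185.149.232[.]197.
C2_IPS = {"185.149.232.197"}

# .NET utilities the article names as injection targets.
INJECTION_HOSTS = {"caspol.exe", "installutil.exe"}

# Assumed allow-list of parents that legitimately start those utilities
# (developer tooling); tune this to the environment being monitored.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}


def refang(indicator: str) -> str:
    """Turn a de-fanged indicator such as 1.2.3[.]4 back into a matchable value."""
    return indicator.replace("[.]", ".")


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Apply three rules and return one alert dict per match, in event order.

    1. lolbin_unexpected_parent: CasPol/InstallUtil started by a non-allow-listed parent.
    2. known_c2_destination: any process connecting to a listed C2 address.
    3. flagged_process_outbound: a process flagged by rule 1 making any other connection.
    """
    alerts = []
    flagged = {}  # (host, pid) -> image name, for rule 3
    for ev in events:
        key = (ev["host"], ev["pid"])
        img = basename(ev["image"])
        if ev["type"] == "process_create":
            parent = basename(ev["parent_image"])
            if img in INJECTION_HOSTS and parent not in EXPECTED_PARENTS:
                flagged[key] = img
                alerts.append({"rule": "lolbin_unexpected_parent", "host": ev["host"],
                               "pid": ev["pid"], "detail": f"{img} launched by {parent}"})
        elif ev["type"] == "network_connect":
            dest = ev["dest_ip"]
            if dest in C2_IPS:
                alerts.append({"rule": "known_c2_destination", "host": ev["host"],
                               "pid": ev["pid"], "detail": f"{img} -> {dest}:{ev['dest_port']}"})
            elif key in flagged:
                alerts.append({"rule": "flagged_process_outbound", "host": ev["host"],
                               "pid": ev["pid"], "detail": f"{img} -> {dest}:{ev['dest_port']}"})
    return alerts


# Constructed sample telemetry; paths, PIDs and the 203.0.113.x address are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "pid": 3310,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},
    {"type": "process_create", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Generated_Image.jpg.exe"},
    {"type": "network_connect", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "dest_ip": refang("185.149.232[.]197"), "dest_port": 443},
    {"type": "network_connect", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "network_connect", "host": "ws01", "pid": 2000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] host={a['host']} pid={a['pid']} {a['detail']}")
```

Rule 1 is the one that survives a change of C2 address: it keys on the parent-child relationship the loader creates rather than on the indicator, so it keeps firing after the infrastructure rotates, while rule 3 ties any later egress back to the process that rule 1 flagged.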

Analysis revealed over 70 promoted posts from counterfeit social media pages impersonating Kling AI, with indications that the originators of the campaign may be linked to Vietnam. The use of Facebook malvertising to distribute information-stealing malware is an established tactic among Vietnamese threat actors, who have increasingly capitalized on the popularity of generative AI tools.

Recent reports have highlighted that a Vietnamese cybercriminal has been leveraging imitation AI-powered tools as bait for users to unknowingly download information-stealing malware known as Noodlophile. Check Point states, “This campaign, which impersonated Kling AI through fraudulent advertisements and deceptive websites, exemplifies the combination of social engineering with sophisticated malware to infiltrate users’ systems and access their personal data.”

This operation is reflective of a broader trend of increasingly sophisticated social media-based attacks employing tactics ranging from file masquerading to remote access and data theft. Recent coverage from The Wall Street Journal noted that Meta is grappling with a surge of scams inundating Facebook and Instagram, encompassing a spectrum of schemes, from romance baiting to dubious bargain offers and fraudulent giveaways, predominantly operated from regions including China, Sri Lanka, Vietnam, and the Philippines.

In parallel, deceptive job advertisements on platforms like Telegram, Facebook, and others are increasingly being used to lure young individuals in Indonesia into exploitative situations, forcing them to engage in investment scams and defraud victims worldwide.