
Fake Kling AI Sites Spread Malware To Users

May 21, 2025

A sophisticated phishing campaign created counterfeit versions of the popular Kling AI platform, an image generation service with over six million users since June 2024, to deliver malware to unsuspecting users. It exploited the growing popularity of AI-powered media creation tools. The attackers meticulously replicated the appearance and functionality of the legitimate Kling AI service, creating a nearly indistinguishable user experience that concealed its malicious intent. The attack used about 70 fake Facebook pages and many promoted advertisement posts, which directed users to convincing spoof websites such as “klingaimedia.com” and “klingaistudio.com.” The advertisements appeared legitimate, employing graphics consistent with genuine AI generation services.

When visitors accessed these counterfeit pages, they were prompted to upload their own content, mimicking the standard workflow of legitimate generative AI platforms. Check Point security researchers later identified this widespread malware delivery campaign and began tracking its unusual delivery patterns in early 2025. Their analysis revealed that once users submitted content for fake “AI processing,” they were presented with a download link purportedly containing their AI-generated media. Instead of receiving the promised media, victims downloaded files containing sophisticated malware. The campaign had global reach, with particularly high victim concentrations observed throughout Asia.

Threat actors mimicked Kling AI, driving traffic to fake sites via counterfeit Facebook ads.

The infection chain employed several deceptive techniques to bypass user security awareness. One was filename masquerading, which made executables appear to be innocent media output files. The attackers used Hangul Filler characters to extend filenames to many bytes, pushing the actual file extension, such as “.exe”, so far to the right that it was often not visible. Windows Explorer even displayed these malicious files with typical image or video icons, although they were still classified as type “Application,” a detail users easily miss. Once executed, the malware performed sophisticated environment checks to avoid analysis tools. One variant employed .NET Native AOT compilation to further complicate detection. The code included explicit checks for nineteen different analysis tools and terminated immediately if any was detected.
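One way to flag the filename trick described above in a downloads folder or in file-creation telemetry, as an added example that is not code from the original article or from the researchers it cites. The filler code points other than U+3164, the extension lists, and the sample filenames are assumptions constructed for illustration.

```python
import os

# U+3164 HANGUL FILLER is the padding character the article describes. The
# other blank-rendering code points are an assumption added for coverage.
FILLERS = {"\u3164", "\u115f", "\u1160", "\uffa0", "\u2800"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".webm"}

# Constructed sample filenames (not taken from the campaign).
SAMPLES = [
    "Generated_Image_2025.jpg" + "\u3164" * 80 + ".exe",  # padded, hidden .exe
    "report.mp4.exe",                                     # plain double extension
    "holiday.jpg",                                        # genuine media file
    "setup.exe",                                          # honest executable
]


def inspect_filename(name: str) -> dict:
    """Report whether a filename hides an executable extension behind padding."""
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    filler_count = sum(ch in FILLERS for ch in name)
    # Drop fillers and trailing whitespace to recover the name a user reads.
    visible = "".join(ch for ch in stem if ch not in FILLERS).rstrip()
    decoy_ext = os.path.splitext(visible)[1].lower()
    reasons = []
    if filler_count:
        reasons.append(f"{filler_count} blank filler characters in name")
    if real_ext in EXECUTABLE_EXTS and decoy_ext in MEDIA_EXTS:
        reasons.append(f"displays as {decoy_ext} but runs as {real_ext}")
    return {
        "visible_name": visible,
        "real_ext": real_ext,
        "decoy_ext": decoy_ext,
        "filler_count": filler_count,
        "utf8_bytes": len(name.encode("utf-8")),
        # Only escalate when the true extension is executable and something
        # about the name is disguising that fact.
        "suspicious": real_ext in EXECUTABLE_EXTS and bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_filename(sample)
        print(result["suspicious"], repr(result["visible_name"]), result["reasons"])
```

The check works on the raw name string, so it is unaffected by how a file manager truncates or renders the name.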

Researchers identified the primary malware payload as the PureHVNC Remote Access Trojan. This RAT quickly established persistence on victim systems through multiple stealthy methods. It then deployed extensive information-stealing capabilities, specifically targeting over forty different cryptocurrency wallet extensions across numerous browsers. Attribution evidence, including Vietnamese-language debug messages, suggests a possible link to Vietnam. The infection process began when users clicked the “Generate” button on the fake AI website. A “YOUR FILE IS READY TO DOWNLOAD!” message appeared after a simulated processing period. The malware used “startup” and “melt” configuration parameters for persistence and stealth. This campaign shows how quickly attackers adapt to exploit currently popular technology trends.

Reference:

  • Kling AI Impersonation Scam Delivers PureHVNC RAT Via Fake Websites And Ads