A sophisticated phishing campaign created counterfeit versions of the popular Kling AI platform, an AI image generation service that has attracted over six million users since June 2024. The campaign aimed to deliver malware to the service's unsuspecting users by exploiting the growing popularity of AI-powered media creation tools. The attackers replicated both the appearance and the workflow of the legitimate Kling AI service, producing a nearly indistinguishable user experience that concealed the operation's true intent. The attack used about 70 fake Facebook pages and numerous promoted advertisement posts, which directed users to convincing spoof websites such as “klingaimedia.com” and “klingaistudio.com.” The advertisements appeared legitimate, using graphics consistent with genuine AI generation services.
When visitors accessed these counterfeit pages, they were prompted to upload their own content.
This step mimicked the standard workflow of legitimate generative AI platforms. Check Point security researchers identified the campaign and began tracking its unusual malware delivery patterns in early 2025. Their analysis showed that once users submitted content for the fake “AI processing,” the site presented a download link that purportedly contained their AI-generated media. Instead of the promised media, victims downloaded files containing the malware. The campaign had global reach, with particularly high victim concentrations observed across Asia.
Threat actors mimicked Kling AI, driving traffic to fake sites via counterfeit Facebook ads.
The infection chain employed several deceptive techniques to defeat user security awareness. One was filename masquerading, which made executables appear to be media output files. The attackers used Hangul Filler characters to pad filenames to many bytes, pushing the real extension (such as “.exe”) so far to the right that it was often not visible. Windows Explorer displayed these files with ordinary image or video icons, although the Type column still showed them as “Application,” a detail users easily missed. Once executed, the malware performed environment checks to evade analysis tools. One variant was built with .NET Native AOT compilation to further complicate detection. The code explicitly checked for nineteen different analysis tools and terminated immediately if any was detected.
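As an added defender-side example (not code from the Check Point report), the following Python routine flags filenames padded with Hangul Filler or other invisible characters in front of an executable extension, the masquerading technique described above; the extension lists and sample names are constructed assumptions.

```python
# Added example: detect Hangul Filler (U+3164) padding that hides a real
# executable extension behind a fake media extension. Not part of the
# original report; extension lists and sample names are assumptions.
import unicodedata
from pathlib import PureWindowsPath

HANGUL_FILLER = "\u3164"
# Extensions Windows will execute; assumed list, extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".msi", ".js", ".vbs", ".ps1"}


def analyze_filename(name: str) -> dict:
    """Return a verdict for one filename.

    Reports how many Hangul Filler characters are present, how many other
    invisible format characters (category Cf: zero-width space, RTL
    override, ...) appear, the extension a user sees before the padding,
    and the extension Windows actually uses (the last dot-suffix).
    """
    filler_count = name.count(HANGUL_FILLER)
    # Hangul Filler itself is category Lo, so count Cf characters separately.
    invisible = sum(1 for ch in name if unicodedata.category(ch) == "Cf")
    real_ext = PureWindowsPath(name).suffix.lower()
    # What the user sees: everything before the first filler character.
    visible = name.split(HANGUL_FILLER, 1)[0]
    visible_ext = PureWindowsPath(visible).suffix.lower()
    suspicious = (filler_count > 0 or invisible > 0) and real_ext in EXECUTABLE_EXTS
    return {
        "filler_count": filler_count,
        "invisible_count": invisible,
        "visible_ext": visible_ext,
        "real_ext": real_ext,
        "suspicious": suspicious,
    }


def scan_filenames(names):
    """Return the subset of names that look like padded executables."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names: one benign, one padded like the campaign's files.
    samples = ["holiday.jpg", "Generated_Image_2025.jpg" + HANGUL_FILLER * 40 + ".exe"]
    for hit in scan_filenames(samples):
        print(repr(hit[:30]), "->", analyze_filename(hit))
```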
Researchers identified the primary payload as the PureHVNC Remote Access Trojan. The RAT established persistence on victim systems through several stealthy methods and then deployed extensive information-stealing capabilities aimed at cryptocurrency wallet browser extensions; more than forty wallet extensions across numerous browsers were specifically targeted. Attribution evidence, including Vietnamese-language debug messages, suggests a possible link to Vietnam. The infection began when users clicked the “Generate” button on the fake site; after a simulated processing period, a “YOUR FILE IS READY TO DOWNLOAD!” message appeared. The malware's “startup” and “melt” configuration parameters provided persistence and stealth. The campaign shows how quickly attackers adapt to exploit popular technology trends.