Date: 2025-05-28

A hacking group allegedly from Vietnam has been leveraging social media ads promoting generative AI tools to distribute malware since at least mid-2024, according to Google Cloud-owned Mandiant.

On May 27, Google Cloud released a new report detailing the findings of a Mandiant Threat Defense investigation initiated in November 2024.

The malicious campaign, which began at least as early as mid-2024, exploits interest in AI tools, particularly AI-powered video-generation services, to distribute malware that leads to the deployment of payloads such as Python-based infostealers and several backdoors.

The campaign was attributed to a group tracked as UNC6032, which the Google Threat Intelligence Group (GTIG) assessed as having a connection to Vietnam.

Findings from this report align with a May 8 Morphisec report on Noodlophile Stealer, a newly discovered infostealer of likely Vietnamese origin.

UNC6032’s Typical Infection Chain

In the campaign discovered by Mandiant, UNC6032 used fake ‘AI video generator’ websites to distribute malware. The typical infection chain is as follows:

- Victims are directed to fake websites via malicious social media ads on Facebook – from either an attacker-created Facebook page or a compromised Facebook account – and LinkedIn. The ads masquerade as legitimate AI video generator tools such as Luma AI, Canva Dream Lab and Kling AI, among others.
- Once victims click on one of the malicious ads, they are taken to fake websites that offer purported functionalities such as text-to-video or image-to-video generation.
- Once the user provides a prompt to generate a video, the website serves one of the static payloads hosted on the same (or related) infrastructure, regardless of the input.
- The payloads include the STARKVEIL dropper, which deploys the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader.

Infection chain lifecycle. Source: Mandiant, Google Cloud

UNC6032’s Campaign Overview

Mandiant has identified over 30 different websites mentioned across thousands of UNC6032-linked ads that have collectively reached millions of users. Most ads were found on Facebook and a handful on LinkedIn.

Malicious Facebook ads. Source: Mandiant, Google Cloud