Home > Security > Security News

UNC6032 Uses Fake ‘AI Video Generator’ Ads on Facebook and LinkedIn to Spread Infostealers and Backdoors

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Active since mid-2024, this UNC6032 campaign uses deceptive social media ads to direct users toward fake AI tool websites, such as bogus versions of “Luma AI,” “Canva Dream Lab,” and “Kling AI.” 

These ads, reaching millions of users, predominantly appear on Facebook and LinkedIn, but analysts believe similar campaigns are underway on other social and ad platforms, a Mandiant Threat Defense cybersecurity report says.

Google Threat Intelligence Group (GTIG) assesses UNC6032 to have a Vietnam nexus.

Infection chain
Infection chain | Source: Mandiant

Attackers construct these fraudulent sites to closely mimic legitimate AI tools. Victims are encouraged to upload a prompt to generate a video, but regardless of their input, the site delivers a ZIP archive containing malware.

The primary malware, identified as STARKVEIL, is crafted in Rust and functions as a dropper for additional payloads, notably the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader.

Fake Facebook text-to-AI
Fake Facebook text-to-AI ads | Source: Mandiant

The campaign’s technical sophistication includes DLL side-loading, in-memory droppers, and process injection, all designed to evade detection by security products. Persistence is achieved via AutoRun registry keys, while modules like XWORM incorporate keylogging, browser extension scanning, and host reconnaissance. 

FROSTRIFT’s capabilities extend to exfiltrating sensitive data, such as login credentials, cookies, and even details from password managers and crypto wallets. Information stolen from the victim’s machine is transmitted through Telegram and Tor-based channels.

An analysis of Facebook’s Ad Library revealed more than 30 unique malicious domains, with certain ads reaching over 2.3 million users in the EU alone. 

Attackers frequently rotate domains and create short-lived ad campaigns to avoid takedowns, using both newly created and compromised Facebook accounts. LinkedIn also hosted similar attacks, with one domain, klingxai.com, responsible for up to 250,000 ad impressions.

Mandiant credited Meta’s threat detection and response teams for proactively removing many malicious ads and domains, aided by transparency initiatives like the Digital Services Act’s Ad Library.

Add a Comment
Related
CFOs in the Crosshairs as Sophisticated NetBird Spear-Phishing Campaign Unfolds
A hacker trying to do phishing attack
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
Online Shopping Photo
Victoria’s Secret Takes Website Offline to Contain Security Incident
Hacker accessing major telecons in the US
APT41 Leveraging Google Calendar for C2, Distributes TOUGHPROGRESS Malware
Malicious WordPress Plugin Targets Windows Users with Fake Java Update Pop-Up
Most Popular
Karate Kid: Legends
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
CFOs in the Crosshairs as Sophisticated NetBird Spear-Phishing Campaign Unfolds
A hacker trying to do phishing attack
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
Grey's Anatomy
Grey’s Anatomy Season 22: What you Should know About Shonda Rhimes’ Returning Medical Drama
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
CFOs in the Crosshairs as Sophisticated NetBird Spear-Phishing Campaign Unfolds
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
Grey’s Anatomy Season 22: What you Should know About Shonda Rhimes’ Returning Medical Drama

Most Popular
Karate Kid: Legends
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
CFOs in the Crosshairs as Sophisticated NetBird Spear-Phishing Campaign Unfolds
A hacker trying to do phishing attack
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
Grey's Anatomy
Grey’s Anatomy Season 22: What you Should know About Shonda Rhimes’ Returning Medical Drama
Karate Kid: Legends- Ending Explained, Post-Credit Scene Revealed, and more
Mercy For None: What to Expect from this Gritty K-Drama Thriller Starring So Ji-seob and Huh Joon-ho
CFOs in the Crosshairs as Sophisticated NetBird Spear-Phishing Campaign Unfolds
Czech Government Attributes 2022 Cyberattack to Chinese State-Backed APT31
Spanish Police Dismantle Cybercriminal Network, Hacker ‘Alcasec’ and Former Secretary of State for Security Arrested
Grey’s Anatomy Season 22: What you Should know About Shonda Rhimes’ Returning Medical Drama

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: