Thursday, May 22, 2025

Malware Scams Target Kling AI Users Through Fake Ads and Cloned Sites

A series of malware scams has been identified targeting users of generative AI tools, with attackers impersonating the well-known Kling AI platform to distribute harmful software. 

A thorough investigation by Check Point Research (CPR) revealed that the campaign utilized fake social media advertisements and cloned websites to deceive users into downloading malicious files. 

Kling AI is an AI-driven video creation tool developed by Kuaishou, a Chinese tech firm, which converts text prompts or images into videos. Since its launch in June 2024, it has attracted over six million registered users. The platform's widespread popularity makes it an appealing target for cybercriminals.

The attack began with sponsored Facebook advertisements promoting Kling AI, which linked to a counterfeit site designed to replicate the authentic Kling AI interface. Users were prompted to upload an image and click ‘Generate,’ a typical action for those familiar with generative tools. Instead of receiving AI-generated content, users were given a downloadable file that seemed innocuous, named something like Generated_Image_2025.jpg, complete with a standard image icon.

However, this was not an image file; it was a disguised executable intended to silently install malware on the user’s system. Although the specific name, family, or type of the malware remains unidentified, the initial phase of the attack relied on filename masquerading. By disguising a malicious file as a common media format, attackers heightened the likelihood that users would open it. 
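A defender-side check for the filename masquerading described above, as an added example that is not from Check Point's report or this article: it compares what a filename claims against the file's leading bytes. The function names, the extension list, and the sample byte strings are constructed for illustration.

```python
import struct

# Extensions a user would read as harmless media (assumed list for this example).
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "webp"}

def sniff(data: bytes) -> str:
    """Classify content by its leading magic bytes, ignoring the filename."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header stores the PE header offset (e_lfanew) at 0x3C.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"

def claims_media(filename: str) -> bool:
    """True if any dot-separated part of the name is a media extension."""
    parts = filename.lower().split(".")[1:]
    return any(p.strip() in MEDIA_EXTS for p in parts)

def is_masquerading(filename: str, data: bytes) -> bool:
    """Flag files whose name says media but whose content is an executable."""
    return claims_media(filename) and sniff(data).endswith("executable")

# Constructed sample bytes: header fields only, not runnable programs or real images.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\0" * 16

if __name__ == "__main__":
    samples = [("Generated_Image_2025.jpg", FAKE_PE),
               ("Generated_Image_2025.jpg", JPEG_HEADER)]
    for name, blob in samples:
        verdict = "FLAG" if is_masquerading(name, blob) else "ok"
        print(name, sniff(blob), verdict)
```

The same comparison can run in a mail gateway, a download proxy, or an endpoint scan of the Downloads folder, since it needs only the filename and the first bytes of the file.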

Once installed, the malware persisted on the system and activated each time the computer was powered on. The real harm occurred in the second phase when a remote access Trojan (RAT) was introduced to the compromised systems, establishing a connection back to an external command center.

This enabled attackers to observe activities, gather saved browser information, and potentially gain complete control of the system without the victim’s awareness. Check Point indicates that each variant of the RAT used in this operation was slightly altered, likely to evade antivirus detection. 

Some samples had internal designations like ‘Kling AI Test Startup’ or timestamps such as ‘Kling AI 25/03/2025,’ implying that the group behind the attack has been actively refining its techniques. The identity of the attackers remains under investigation, but CPR has identified links to groups based in Vietnam. 

Evidence includes Vietnamese-language debug strings found in the malware and resemblances to earlier campaigns that utilized Facebook for distribution. Cybercriminal organizations from this area have been associated with previous incidents involving fraudulent advertisements and data-stealing malware on Facebook. 

This operation aligns with that trend and represents another evolution in how cyber threats are responding to modern digital practices. As AI generative tools gain popularity, attackers are discovering ways to exploit this trend. 

By mimicking the appearance of reputable services, they create a false sense of legitimacy, particularly when the counterfeit site appears polished and authentic. Check Point recommends that users exercise caution with sponsored ads and always confirm the source before downloading any content.
