{ "name": "The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "slug": "the-sting-of-fake-kling-facebook-malvertising-lures-victims-to-fake-ai-generation-website", "description": "A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious files disguised as AI-generated media, which are actually executable loaders. These loaders employ advanced evasion techniques, including .NET Native AOT compilation, and deploy infostealers with extensive monitoring capabilities. The campaign has a global reach, particularly targeting users in Asia, and exploits the growing popularity of AI content generation platforms. The malware focuses on stealing credentials, session tokens, and monitoring crypto-related activities across multiple browsers and applications.", "published": "2025-05-21T13:37:57+00:00", "created_at": "2025-05-21T13:37:57+00:00", "modified_at": "2025-05-21T20:11:12+00:00", "created_at_opencti": "2025-05-21T13:37:57+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-05-21", "crypto theft", "facebook ads", "infostealer", "malvertising", "purehvnc" ], "related_entities": { "observables": [ { "id": "", "name": "185.149.232.221" }, { "id": "", "name": "185.149.232.197" }, { "id": "", "name": "147.135.244.43" }, { "id": "", "name": "www.klingai.cloud" }, { "id": "", "name": "www.kling-ai.tech" }, { "id": "", "name": "klingxai.com" }, { "id": "", "name": "klingx.ai" }, { "id": "", "name": "klingturbo.com" }, { "id": "", "name": "klings-ai.com" }, { "id": "", "name": "klingaistudio.com" }, { "id": "", "name": "klingaimedia.com" }, { "id": "", "name": "klingaieditor.com" }, { "id": "", "name": "kingaivideotext.com" }, { "id": "", "name": "kingaitext.com" }, { "id": "", "name": "kingaiplus.com" }, { "id": "", "name": "kingaimediapro.com" }, { "id": "", "name": "aikling.ai" }, { "id": "", "name": "ai-kling.com" }, { "id": "", "name": "f89298933fed52511bb78f8f377979190e37367d72ccf4f3b81374a70362cc42" }, { "id": "", "name": "f5b31bd394e0a3adb6bd175207b8c3ccc51850c8f2cee1149a8421736168e13e" }, { "id": "", "name": "d95b3eabfe9892371cb518fd6e733d2d33d2fabb2b1df4dab650a8f8e1ea8745" }, { "id": "", "name": "d1b712b215612c8df5fef02b614c616a78b723bffbec6e10e32bfd0b758df41b" }, { "id": "", "name": "cee3f98b5f175219d025a92eddec4fd8bcaae31e6ad99321ae7c00b822063fc3" }, { "id": "", "name": "beeea592251a0a205b3bdb34802bd2f4f5181ee38226a05ec468a86be44e9508" }, { "id": "", "name": "b33e162a78b7b8e7dbbab5d1572d63814077fa524067ce79c37f52441b8bd384" }, { "id": "", "name": "a5baceb97a2be17fdd0c282292ebb0b5a56a555013a4c8fffcc2335c504780fb" }, { "id": "", "name": "9dab2badfdae86963b2f13ce8942fe78dd66ec497f8d82dd40c0cb5bec4fb2a7" }, { "id": "", "name": "839371cd5a5d66828ac9524182769371dede9606826ad7c22c3bb18fb2ee91cb" }, { "id": "", "name": "732aa8ed8ca9a12f4bfc29a693ec3eba74ed1b2d00de4296180d91b86d09747b" }, { "id": "", "name": "7035b5ba24146db537eedb1f05e6cad1775f9f5e81306f72422c03b288f75448" }, { "id": "", "name": "699e348260ae5b60cd822325f1c4bf2c793f6f25001357856c58520a9af10987" }, { "id": "", "name": "557becfcc7eccaa5a7368a6d5583404af26aadede2c345d6070e6e9fab44a641" }, { "id": "", "name": "5200b27726c0be8e6f34a3920fbd5d40aeaec460169b1f3c7a174ebeee6553d9" }, { "id": "", "name": "4bbaf3ececd53bc4028723e87b1669268a6fadc4d480590c2d59bb4322a17de7" }, { "id": "", "name": "3fba4a0942244e9c3ad25a57a21f91b06f8732a2ca36da948ae5f0afa51dc72b" }, { "id": "", "name": "39d771c12bd5da15d3fb63905df1e2c4c7c12b8f77c630a35b247c418950eafe" }, { "id": "", "name": "30e26f4fd7cb0ac626950bb01e01a2c02e277727d1d3ec94286a44af262f37cf" }, { "id": "", "name": "2d5e01cfacdf9f900b51b0539e0809f22ce1859eac0886866af35a2eb2dc2d42" }, { "id": "", "name": "2588fdfa7417d617df2d31eddea710d0f964008abc2f4860cdff588ab9786d0a" }, { "id": "", "name": "1e66ebaef295c2a32245162979d167cebad1fece51b7cdb6a6c3a1d705befa6b" }, { "id": "", "name": "0c9228983fbd928ac94c057a00d744d6be4bd4c1b39d1465b7d955b7d35bf496" }, { "id": "", "name": "06d9d60ddbe835abc5b16911a35732cc9b56ea9425de210961a15d465823978f" } ], "malware": [ { "id": "b372b496-d86c-4cc2-80dd-5ea7138f5787", "name": "PureHVNC", "slug": "purehvnc" } ], "attack_patterns": [ { "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c", "name": "T1583.001" }, { "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9", "name": "T1132.001" }, { "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc", "name": "T1204.001" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee", "name": "T1571" }, { "id": "5999052b-e9ae-49e8-9235-d9bf975c22af", "name": "T1547.001" }, { "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc", "name": "T1114" }, { "id": "667462db-9031-48eb-893a-05d35f9330a7", "name": "T1056.001" }, { "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7", "name": "T1555" }, { "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed", "name": "T1113" }, { "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74", "name": "T1005" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/682df35527d2f2da03f6cf30" ] }