# Vietnam-Nexus Hackers Distribute Malware Via Fake AI Video Generator Websites

A sophisticated hacking group allegedly from Vietnam has been luring millions of users into malware attacks by leveraging social media ads promoting generative AI tools. According to a new report released by Google Cloud-owned Mandiant, this malicious campaign has been ongoing since at least mid-2024.

The campaign, attributed to a group tracked as UNC6032, utilizes fake "AI video generator" websites to distribute malware, including Python-based infostealers and several backdoors. The group's tactics are designed to take advantage of the growing interest in AI tools, particularly those that can generate videos.

## How the Malware Spreads

The typical infection chain involves the distribution of malicious ads on social media platforms such as Facebook and LinkedIn. These ads often promote legitimate-sounding AI tools, but in reality, they lead to the download of malware payloads, including STARKVEIL, XWORM, FROSTRIFT, and GRIMPULL.

According to Mandiant's investigation, over 30 different websites were mentioned across thousands of UNC6032-linked ads, reaching millions of users. Most of these ads were found on Facebook, with a handful appearing on LinkedIn. The researchers analyzed a sample of over 120 malicious Facebook ads, revealing a total reach of more than 2.3 million users across EU countries.

## The Tactics and Techniques Used by the Hackers

The hackers use various tactics to evade detection and account bans. They constantly rotate the domains mentioned in the Facebook ads, often within days of each other. This approach allows them to stay one step ahead of security defenses.

On LinkedIn, the researchers identified roughly 10 malicious ads, with a total impression estimate of 50,000 to 250,000. The majority of these users were based in the US, followed by those in Europe and Australia. Each ad directed users to hxxps://klingxai[.]com, a domain registered on September 19, 2024.
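The two observable traits in this section, a defanged indicator and ad domains that are rotated within days of registration, can both be checked on the defender side. The script below is an added example and is not code from the article or from Mandiant's report: it refangs the indicator quoted above, parses a few constructed proxy-log lines, and flags any request to a watchlisted domain or to a domain whose registration date falls within a short window before the request. The registration-date table is a constructed stand-in for a WHOIS/RDAP lookup; only the klingxai[.]com date comes from the article, the other entries are made up for the demonstration.

```python
"""
Added example (not from the article or Mandiant's report): triage proxy
log lines for the two signals described above, a known indicator and a
very recently registered destination domain.
"""
import re
from datetime import date, datetime
from typing import Optional

# Indicator quoted in the article, kept in defanged form.
DEFANGED_IOCS = ["hxxps://klingxai[.]com"]

# Constructed registration data standing in for WHOIS/RDAP. Only the
# klingxai.com date is from the article; the others are invented.
REGISTRATION_DATES = {
    "klingxai.com": date(2024, 9, 19),
    "fresh-video-ai.test": date(2024, 9, 25),   # constructed
    "longlived-vendor.test": date(2015, 1, 10),  # constructed
}

# Domains registered this recently before first contact get flagged.
MAX_DOMAIN_AGE_DAYS = 30


def refang(indicator: str) -> str:
    """Turn a defanged URL or domain (hxxps, [.]) back into a real one."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def domain_of(url: str) -> str:
    """Extract the host part of a URL, or return the input if it is bare."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


WATCHLIST = {domain_of(refang(i)) for i in DEFANGED_IOCS}


def triage_line(line: str) -> Optional[dict]:
    """Parse '<ISO timestamp> <user> <url>' and return a finding or None."""
    ts_str, user, url = line.split(maxsplit=2)
    seen = datetime.fromisoformat(ts_str).date()
    domain = domain_of(url)
    reasons = []
    if domain in WATCHLIST:
        reasons.append("watchlist")
    reg = REGISTRATION_DATES.get(domain)
    if reg is not None:
        age = (seen - reg).days
        if 0 <= age <= MAX_DOMAIN_AGE_DAYS:
            reasons.append(f"registered {age}d before first seen")
    if not reasons:
        return None
    return {"when": ts_str, "user": user, "domain": domain, "reasons": reasons}


def triage(lines):
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(line) for line in lines) if f]


# Constructed proxy log lines for the demonstration.
SAMPLE_LOG = [
    "2024-09-21T10:03:00 alice https://klingxai.com/download",
    "2024-09-28T14:10:00 bob https://fresh-video-ai.test/generate",
    "2024-09-28T15:00:00 carol https://longlived-vendor.test/docs",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In production the `REGISTRATION_DATES` table would be replaced by a cached RDAP lookup, and the age threshold tuned to the organisation's tolerance for false positives; the point is that a domain-age rule catches rotated ad domains that a static indicator list has not seen yet.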

## The Payloads Used by the Hackers

The payload delivered by the fake sites is the STARKVEIL malware, which typically drops three different modular malware families: the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader. These payloads are primarily designed for information theft and are capable of downloading plugins to extend their functionality.

## The Fail-Safe Mechanism

Mandiant assessed that the presence of multiple, similar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked by security defenses.

## Conclusion

The Google Cloud report highlights the significant threat posed by fake "AI video generator" websites. These tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad. We advise users to exercise caution when engaging with AI tools and to verify the legitimacy of the website's domain.

### Recommendations for Users

* Exercise caution when engaging with AI tools
* Verify the legitimacy of the website's domain before using any tool or service
* Use reputable security software to detect and block malware
* Keep your operating system, browser, and other software up-to-date
* Be aware of the risks associated with social media ads and phishing campaigns

### Recommendations for Organizations

* Implement robust security measures to protect against AI-powered attacks
* Educate employees on the dangers of fake "AI video generator" websites
* Use advanced threat intelligence tools to detect and block malicious activity
* Develop a comprehensive incident response plan in case of an attack