Widespread malware campaign exploiting AI video tool hype

Mandiant Threat Defense has detailed a sophisticated cyber campaign by threat actor UNC6032 that exploits public interest in AI video generation tools to distribute malware at scale.

Since November 2024, Mandiant has tracked UNC6032’s operations, which leverage fake “AI video generator” websites mimicking legitimate platforms like Luma AI, Canva Dream Lab, and Kling AI. Promoted through malicious ads on social media platforms, mainly Facebook and LinkedIn, these sites entice users with promises of cutting-edge AI-generated video capabilities. Instead, they serve malware-laced payloads, including a Python-based infostealer and multiple backdoors.

The ads, which often use compromised or attacker-created Facebook pages, have reached millions of users, with over 2.3 million of those in EU countries alone. Analysis from Meta’s Ad Library and LinkedIn's transparency tools revealed over 30 active malicious websites and thousands of associated ads since mid-2024.

“The threat actor constantly rotates the domains mentioned in the Facebook ads, likely to avoid detection and account bans,” Mandiant researchers wrote in the report. “We noted that once a domain is registered, it will be referenced in ads within a few days if not the same day. Moreover, most of the ads are short lived, with new ones being created on a daily basis.”

Victims are tricked into submitting prompts to the fake platforms, after which a static malware payload, dubbed STARKVEIL, is automatically delivered. STARKVEIL drops three modular malware families, all focused on credential theft, credit card data exfiltration, and Facebook account hijacking. Exfiltrated data is funneled through the Telegram API.

Google’s Threat Intelligence Group (GTIG) attributes the activity to a Vietnam-based nexus. Mandiant warns that the campaign spans multiple industries and geographies, and suspects similar tactics may be underway on other platforms beyond Facebook and LinkedIn.
