Full Report
A Vietnam-based group has spread thousands of advertisements, fake websites and social media posts promising access to popular prompt-to-video AI generation tools, delivering infostealers and backdoors instead. The post "Mandiant flags fake AI video generators laced with malware" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UNC6032
## Attribution & Identity
The threat actor is a Vietnam-based group tracked by Mandiant and Google Cloud as **UNC6032**.
## Activity Summary
Since mid-2024, UNC6032 has been running a campaign capitalizing on the public interest in prompt-to-video AI generation tools. They spread thousands of advertisements, fake websites, and social media posts promoting access to tools like Luma AI, Canva Dream Lab, and Kling AI. These lures lead victims to phishing pages that deploy malware, specifically stealing credentials, cookies, credit card data, and sometimes Facebook information.
## Tactics, Techniques & Procedures
- **Social Engineering Lure:** Exploiting public interest in the legitimate, emerging trend of AI video generation as the initial infection vector.
- **Distribution:** Disseminating phishing lures through thousands of advertisements, fake websites, and social media posts (Facebook and LinkedIn).
- **Malware Deployment:** Deploying infostealers and backdoors on victim devices.
- *(MITRE ATT&CK IDs were not explicitly mentioned in the provided text.)*
## Targeting
- **Sectors:** Wide range of industries (not specified in detail).
- **Geography:** Wide range of geographic areas (not specified in detail).
- **Victims:** General public or users interested in AI video tools; specific organizations were not named.
## Tools & Infrastructure
- **Malware families used:** Infostealers and backdoors (specific names are not provided, though a related article mentions Morphisec research on "Noodlophile Stealer").
- **Infrastructure (C2, domains, IPs):** Fake websites and social media advertisements used for initial compromise. No specific C2 servers, domains, or IP addresses are listed.
## Implications
UNC6032 is leveraging high public interest in cutting-edge technology (AI video generation) to reach millions of users, and the resulting infections likely fall disproportionately on less technically savvy users. The consistent use of popular platforms like Facebook and LinkedIn suggests a high-volume, low-barrier-to-entry campaign designed for broad reach and evasion.
## Mitigations
- Users should exercise extreme caution regarding advertisements, social media posts, or websites promising access to popular or limited-release AI tools like Luma AI, Canva Dream Lab, or Kling AI.
- Maintain vigilance against phishing lures that attempt to entice users with new technological trends.
- Ensure robust endpoint security software is in place to detect and block infostealers and backdoors.