Fake AI Video Ads on Facebook Are Spreading Malware to Millions

A surge in interest around AI video tools has sparked a wave of malicious activity on Facebook, where cybercriminals are now mimicking popular platforms to spread malware under the guise of legitimate apps.

Security researchers at Mandiant, Google’s threat intelligence division, say attackers are deploying fake ads that appear to promote well-known video generators—such as Canva’s Dream Lab, Luma AI, and Kling AI. However, instead of linking to real services, the ads direct users to counterfeit websites laced with malware.


Once opened, these fake sites drop a mix of malicious software, including Python-based information stealers and remote access backdoors. The campaign, which has been active since mid-2024, is tracked as UNC6032 and is believed to originate from actors based in Vietnam.

Over 30 of these spoofed websites have been documented so far, with most of the ads circulating on Facebook. A smaller number were also spotted on LinkedIn. To stay ahead of Meta’s detection systems, attackers regularly rotate domain names and post new ads on a near-daily basis.

The reach has been significant. In the European Union alone, just 120 ads tied to this campaign were shown to more than 2.3 million users, according to internal figures reviewed by Mandiant. The researchers noted that the rising curiosity around AI tools makes people particularly vulnerable—especially when a slick-looking ad leads them straight to malware.

The attackers behind UNC6032 are not just after clicks. Past activity linked to the group includes harvesting login credentials, browser cookies, credit card details, and Facebook account data, all of which can be used for further exploitation.

Meta was alerted to the issue in 2024 and has already removed many of the fraudulent ads. But the sheer speed at which new versions appear has made it a moving target.

For users, the safest approach is to avoid engaging with AI-related ads on social media altogether. Instead of clicking through promoted content, it's better to search for the tool directly and navigate to the company’s official website. That small step could prevent personal information from being quietly siphoned off in the background.


1 Comment

  1. Is it possible to put pressure on Meta, or even take legal action against them – for example at the EU Court – in relation to the Digital Services Act (DSA), to force them to start addressing this issue? At the moment, almost every second advert is a scam – involving stock investments, medicines, drugs, financial fraud, fake AI profiles… There are entire farms of fake accounts that manipulate the algorithm through false interactions.
