Malicious Ads Masquerading as Kling AI Spread RAT Malware to Millions

In a concerning development, counterfeit Facebook ads impersonating the popular AI platform Kling AI have been discovered to spread Remote Access Trojan (RAT) malware to over 22 million potential victims. This sophisticated cyber attack exploits social engineering tactics to lure users into downloading malicious software under the guise of a legitimate service.


Key Takeaways

  • Fake Facebook ads and pages are used to distribute malware.

  • The malware is disguised as a legitimate AI tool for generating images and videos.

  • Victims are tricked into downloading a malicious executable file.

  • The attack is linked to Vietnamese threat actors.

  • Meta is facing a surge in scams across its platforms.

Overview of Kling AI

Kling AI, developed by Kuaishou Technology and launched in June 2024, is an AI-powered platform that allows users to create images and videos from text prompts. With a user base exceeding 22 million as of April 2025, it has quickly gained popularity. However, this popularity has made it a target for cybercriminals.

The Attack Mechanism

The attack was first identified in early 2025, utilizing fake Facebook pages and sponsored ads to direct users to fraudulent websites such as klingaimedia.com and klingaistudio.com. Here’s how the attack unfolds:

  1. Deceptive Ads: Users encounter ads on Facebook that promise AI-generated multimedia content.

  2. Spoofed Websites: Clicking the ads leads to counterfeit websites that mimic Kling AI.

  3. Malicious Downloads: Users are prompted to download a file that is actually a disguised executable, which loads a Remote Access Trojan (RAT).

  4. Data Theft: Once installed, the RAT allows attackers to gain remote control of the victim's system, enabling them to steal sensitive information such as browser-stored credentials and session tokens.

Technical Details of the Malware

The malicious payload is cleverly disguised using double extensions and Hangul Filler characters, making it difficult for users to recognize it as a threat. The malware is packaged in a ZIP archive and functions as a loader for the RAT, which:

  • Monitors for analysis tools to evade detection.

  • Modifies Windows Registry settings to ensure persistence.

  • Injects itself into legitimate system processes to avoid being flagged by security software.
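
As an added example (not code from the original report or from BetterWorld Technology), the following Python sketch shows how a defender could flag ZIP members whose names use the two disguises described above: Hangul Filler padding and a decoy extension in front of an executable one. The extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import unicodedata
import zipfile

# Code points that render as blank space and can push the real extension out of view.
FILLERS = {"\u3164", "\uffa0", "\u115f", "\u1160"}
# Assumed extension lists for illustration; tune both for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi"}
DECOY_EXTS = {"mp4", "mov", "avi", "jpg", "jpeg", "png", "gif", "pdf", "docx", "txt"}


def inspect_name(name):
    """Return findings for one file name; an empty list means nothing was flagged."""
    findings = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    fillers = sorted({c for c in base if c in FILLERS})
    if fillers:
        listed = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c)}" for c in fillers)
        findings.append(f"filler characters: {listed}")
    # Strip fillers and whitespace padding before splitting the name on dots.
    visible = "".join(c for c in base if c not in FILLERS and not c.isspace())
    parts = visible.lower().split(".")
    final = parts[-1]
    decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
    if final in EXECUTABLE_EXTS and decoys:
        findings.append(f"double extension: .{decoys[-1]} before .{final}")
    return findings


def scan_zip(data):
    """Map each flagged member of a ZIP archive (given as bytes) to its findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        results = {n: inspect_name(n) for n in archive.namelist()}
    return {n: f for n, f in results.items() if f}


def build_sample_zip():
    """Constructed sample: harmless placeholder bytes under three file names."""
    names = ["Generated_Image_2025.mp4" + "\u3164" * 20 + ".exe", "readme.txt", "holiday.photo.jpg"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for n in names:
            archive.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(repr(member), findings)
```

A plain `setup.exe` or a dotted media name such as `holiday.photo.jpg` is not flagged; only an executable final extension preceded by a decoy extension, or any filler character in the name, produces a finding.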

The second-stage payload, known as PureHVNC RAT, is capable of:

  • Contacting a remote server to receive commands.

  • Capturing screenshots when specific window titles related to banking or cryptocurrency wallets are opened.

  • Stealing data from various cryptocurrency wallet extensions installed on browsers.

The Broader Context

This incident is part of a larger trend of increasing cyber threats on social media platforms. According to reports, Meta is currently grappling with an "epidemic of scams," with various fraudulent activities proliferating across Facebook and Instagram. Many of these scams are linked to organized groups operating from countries like Vietnam, China, and Sri Lanka.

The rise of generative AI tools has provided new opportunities for cybercriminals to exploit unsuspecting users. Earlier this month, another report highlighted how Vietnamese threat actors have been using fake AI tools to distribute information-stealing malware.

The fake Kling AI ads serve as a stark reminder of the evolving landscape of cyber threats, particularly as social engineering tactics become more sophisticated. Users are urged to exercise caution when encountering ads on social media and to verify the legitimacy of websites before downloading any files. As the battle against cybercrime intensifies, both users and platforms must remain vigilant to protect sensitive information from falling into the wrong hands.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims, The Hacker News.
