Vietnam Nexus Hackers Spread Malware Through Fake AI Videos


Unmasking UNC6032: The Vietnam Hackers Behind Fake AI Video Generators

In a startling revelation, a Vietnamese hacking group, identified as UNC6032, has been exploiting the rising intrigue in AI tools to propagate malware through deceptive social media advertisements. This alarming trend, reported by Google Cloud-owned Mandiant, has been active since at least mid-2024.

The Gambit: AI and Malicious Ads

On May 27, Google Cloud unveiled a comprehensive report, detailing a Mandiant investigation that began in November 2024. The report spotlights a malicious campaign that capitalizes on the burgeoning popularity of AI-powered video generation services. These malevolent ads cleverly disguise themselves, drawing in unsuspecting users with promises of advanced video tools.

According to Mandiant, this campaign is linked to a previously documented infostealer known as Noodlophile Stealer, further cementing the group’s connection to sophisticated cybercrime.

Understanding the Infection Chain of UNC6032

One of the most compelling aspects of this campaign is its intricate infection chain. Here’s how the threat unfolds:

  1. Targeted Ads: Victims are lured via malicious social media ads, primarily on Facebook and LinkedIn. These ads impersonate reputable AI video creators such as Luma AI, Canva Dream Lab, and Kling AI.

  2. Deceptive Websites: Clicking on these ads leads users to counterfeit websites that promise enticing features like text-to-video or image-to-video conversion.

  3. Payload Delivery: Once duped into providing prompts, users inadvertently trigger the download of malicious payloads hosted on the same or interconnected infrastructures.

  4. Malware Deployment: These payloads include the notorious STARKVEIL dropper, which releases multiple backdoors (like XWORM and FROSTRIFT) and the GRIMPULL downloader.

Scope of the Attack: A Chilling Overview

Mandiant’s findings reveal that over 30 distinct websites have been associated with thousands of ads linked to UNC6032, collectively reaching millions of users. A deep dive into a sample of 120 malicious Facebook ads confirmed a staggering potential reach of more than 2.3 million users across Europe.

“It should be noted that reach does not equate to the number of victims. According to Meta, the reach of an ad is an estimated number of how many Account Center accounts saw the ad at least once,” emphasized the Mandiant report.

Tactics and Intricacies: The Evolving Nature of UNC6032

Domain Rotation: One of the more sophisticated strategies employed by UNC6032 is the constant rotation of domains featured in these ads. This tactic is designed to outsmart detection mechanisms, allowing the group to create new ads daily.

The researchers highlighted that upon registering a domain, it typically appears in ads within days, if not sooner.
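The rapid domain churn described above is what makes a static blocklist ineffective; a defender gets more mileage from heuristics that key on domain age and on brand impersonation. The following is an added example written for this article, not code from Mandiant or from the report. It walks constructed proxy log lines, extracts the registrable domain of each ad landing page, and flags domains that are either newly registered or contain an AI video brand keyword without being an allowlisted vendor domain. The log lines, the registration dates (standing in for a WHOIS/RDAP lookup), the 14-day threshold and the allowlist entries are all assumptions; an organization would verify the vendor domains itself before relying on them.

```python
"""Added example (not from the article or the Mandiant report): flag ad landing-page
domains that are newly registered or that impersonate a known AI video brand."""
from datetime import date
from urllib.parse import urlparse

# Constructed sample of proxy log lines: "<date> <user> <url>".
SAMPLE_LOG = """\
2025-05-20 alice https://lumalabs.ai/dream-machine
2025-05-20 bob https://luma-ai-video-gen.example/text-to-video
2025-05-21 carol https://www.canva.com/dream-lab
2025-05-21 dave https://canvadreamlab-free.example/image-to-video
2025-05-22 erin https://klingai-studio.example/prompt
"""

# Constructed registration dates, standing in for the result of a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "lumalabs.ai": date(2021, 3, 1),
    "canva.com": date(2012, 1, 1),
    "luma-ai-video-gen.example": date(2025, 5, 18),
    "canvadreamlab-free.example": date(2025, 5, 19),
    "klingai-studio.example": date(2025, 4, 1),
}

# Assumed legitimate domains for the brands the article names (verify before use).
BRAND_ALLOWLIST = {"lumalabs.ai", "canva.com", "klingai.com"}
# Brand fragments that a lookalike domain is likely to contain.
BRAND_KEYWORDS = ("luma", "canva", "kling", "dreamlab")

NEW_DOMAIN_DAYS = 14            # assumed threshold; the report says ads appear within days
SAMPLE_TODAY = date(2025, 5, 22)  # fixed "today" so the sample run is reproducible


def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL.

    Naive: keeps the last two host labels. A production version should use the
    Public Suffix List so that hosts such as foo.co.uk are handled correctly."""
    host = (urlparse(url).hostname or "").lower().strip(".")
    return ".".join(host.split(".")[-2:])


def domain_age_days(domain: str, today: date):
    """Age in days since registration, or None if the registration date is unknown."""
    registered = REGISTRATION_DATES.get(domain)
    return None if registered is None else (today - registered).days


def brand_lookalike(domain: str):
    """Return the matched brand keyword if the domain looks like an impersonation."""
    if domain in BRAND_ALLOWLIST:
        return None
    return next((kw for kw in BRAND_KEYWORDS if kw in domain), None)


def triage(log_text: str, today: date) -> list:
    """Return one finding per log line whose domain trips either heuristic."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, user, url = parts
        domain = registrable_domain(url)
        reasons = []
        age = domain_age_days(domain, today)
        if age is not None and age <= NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days ago")
        kw = brand_lookalike(domain)
        if kw:
            reasons.append(f"contains brand keyword '{kw}' but is not an allowlisted domain")
        if reasons:
            findings.append({"user": user, "domain": domain, "reasons": reasons})
    return findings


def run_sample() -> list:
    """Run the triage over the constructed log with the fixed sample date."""
    return triage(SAMPLE_LOG, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:6} {f['domain']:30} {'; '.join(f['reasons'])}")
```

Only bob, dave and erin are flagged on the sample: the two vendor domains are allowlisted and old, while erin's domain is old enough to pass the age check but still carries a brand keyword. Treating the two heuristics as independent signals is deliberate, since the report notes that a freshly registered domain can be in an ad within days, before any reputation feed has caught up.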

On LinkedIn, the group’s ads accounted for between 50,000 and 250,000 impressions, primarily among US-based viewers, followed by European and Australian users.

“We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection,” the report noted.

Resilience Through Multi-Payload Mechanism

The STARKVEIL malware, delivered through these ads, is no ordinary threat. It deploys three different modular malware families designed for significant information theft and capable of downloading plugins to expand their functionality.

Mandiant’s analysis reveals that the presence of these multiple payloads acts as a failsafe mechanism, improving the attackers’ chances of success even if some threats are detected by security defenses.

“Although our investigation was limited in scope, we discovered that well-crafted fake ‘AI websites’ pose a significant threat to both organizations and individual users,” concluded the researchers.

Final Thoughts: Stay Vigilant in the Age of AI

The allure of the latest AI tools can be intoxicating, but caution is paramount. The Mandiant report serves as a clarion call for users to exercise vigilance when engaging with AI platforms. Always verify a website’s legitimacy before inputting any personal data.

“The temptation to try the latest AI tool can lead anyone to become a victim. Verify the website’s domain to ensure your safety,” warns the research team.

For those eager to explore innovative AI experiences, remember that cybersecurity is as crucial as creativity in today’s digital landscape. Stay informed, stay secure!
