As the internet fills with clips from AI video generators, hacking groups are seeding the online landscape with malware-laced programs and fake websites, hoping to ride the trend.
Tracked by researchers at Mandiant and Google Cloud, the campaign is run by a group identified as “UNC6032.” Since mid-2024, the group has spread thousands of ads, fake websites, and social media posts promising access to popular AI video-generation tools such as Luma AI, Canva Dream Lab, and Kling AI.
Those promises lead to phishing pages and malware, and the group deploys infostealers and backdoors on victim devices. The scheme appears to have affected a wide range of industries and geographic regions; compromised victims have had their login credentials, cookies, credit card data and, in some cases, Facebook information stolen.
“Mandiant Threat Defense has identified thousands of UNC6032-related ads that have reached millions of users on various social media platforms, including Facebook and LinkedIn,” wrote researchers Diana Ion, Rommel Joven and Yash Gupta. “It appears that similar campaigns are active on other platforms, as cybercriminals consistently avoid detection and target multiple platforms to increase the likelihood of success.”
The emergence of highly realistic AI video-generation tools over the past few months has drawn considerable curiosity, concern and public interest. According to Google Trends, internet searches for AI video-generation tools have surged in the past year, especially since April.
Today's technology can create incredibly realistic people and scenes, without the glitches and visual cues that made earlier AI-generated videos easier to spot.
Cybersecurity firm Morphisec, which published a similar study earlier this month, noted how the spread of AI video generators over the past year has lowered the barrier for newcomers, giving even low-tech users the ability to create realistic fake media. The rush to jump into this latest trend by users who are highly technical but unfamiliar with AI tools represents a new opportunity for cybercriminals and hackers.
“What makes this campaign unique is the exploitation of AI as a temptation for social engineering. It is turning new, legitimate trends into infection vectors,” wrote Morphisec researcher Shmuel Uzan. “Unlike older malware campaigns that disguise themselves as pirated software and gaming cheats, this operation targets newer, more reliable audiences: creators and small businesses exploring AI for productivity.”
Mandiant researchers reached out to Meta, which appears to have already been aware of and investigating the UNC6032 campaign before Mandiant's notification. Using Meta's ad library, which carries expanded ad-targeting information for European users because of regulation, Mandiant's team found more than 30 different websites advertised on Facebook, primarily through pages created by the attackers or through hijacked accounts.
Almost every website promotes free or high-quality AI video-generation features.
“When a user provides a prompt to generate a video, regardless of the input, the website will provide one of the static payloads hosted on the same (or related) infrastructure,” the researchers wrote.
Google Cloud says UNC6032 has a “nexus” to Vietnam. Mandiant and Google Cloud use the term “UNC” for a distinct cluster of hacking activity about which the available information and telemetry are limited.
In other words, UNC6032 could be an offshoot of a previously tracked threat group using a different set of tactics, techniques and procedures, or an entirely new hacking group; and although the activity has a “nexus” to Vietnam, that does not necessarily imply a state connection.
