
Cybercriminals are running malicious campaigns revolving around generative artificial intelligence (AI) services. Fraudulent websites impersonate the generative video service, Kling AI, by running fake ads on Facebook. When users try to generate content, they download malware instead.
Check Point Research warns about deceptive social media ads leading to forged generative AI services designed to lure users into generating content and downloading malicious files.
While the scheme doesn’t appear to be very sophisticated, the malware behind it features advanced evasion techniques and capabilities to take over users’ systems and personal data.
“Since early 2025, our team has identified around 70 sponsored posts that falsely promote the popular AI tool Kling AI. These ads come from convincing but fraudulent Facebook pages designed to look like the real company,” the Check Point report reads.

Clicking on the ad leads to one of the fake websites closely mimicking Kling AI’s interface. Even the domain names, such as klingaimedia[.]com, might not raise suspicion.
As on the real website, users are invited to upload an image and generate a video from it.
When they try to download the generated content, the fraudulent website generates a filename and thumbnail similar to the related video content.
Unsuspecting victims download a zip archive containing a file whose name may start with something like “Generated_Image_2025.jpg”, or an alternative with the “.mp4” extension. However, the seemingly harmless file name continues with more characters, finally ending with the “.exe” extension. An ellipsis (“...”) in the displayed name can hint that the filename is longer than shown.
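The naming trick described above can be checked for before anything in a downloaded archive is opened. The following Python sketch is an added example, not code from Check Point or this article; the extension lists, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Assumed, non-exhaustive list of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
# Media extensions a user expects back from an image or video generator.
DECOY_RE = re.compile(r"\.(jpe?g|png|gif|mp4|mov|webm)(?![A-Za-z0-9])", re.IGNORECASE)


def inspect_name(name):
    """Return a finding if a media-looking name really ends in an executable extension."""
    base = PurePosixPath(name.replace("\\", "/")).name
    stem, dot, ext = base.rpartition(".")
    real_ext = (dot + ext).lower()
    if not stem or real_ext not in EXECUTABLE_EXTS:
        return None
    decoy = DECOY_RE.search(stem)
    if decoy is None:
        return None  # a plain executable, not a disguised one
    return {
        "name": base,
        "decoy_ext": decoy.group(0).lower(),
        "real_ext": real_ext,
        # Characters sitting between the decoy extension and the real one.
        "hidden_chars": len(stem) - decoy.end(),
    }


def scan_zip(data):
    """List disguised executables among the entries of a zip archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = (inspect_name(i.filename) for i in zf.infolist() if not i.is_dir())
        return [h for h in hits if h]


def build_sample_zip():
    """Constructed sample archive; every entry holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Generated_Image_2025.jpg" + "_" * 30 + ".exe", b"placeholder")
        zf.writestr("clips/holiday.mp4", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Only the first sample entry is reported: the genuine video and the undisguised installer are left alone, which keeps the check focused on names that pretend to be media.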

The file installs a dangerous remote access Trojan (RAT) that allows attackers to control the victim’s computer from a distance. Check Point researchers suspect the hackers are Vietnamese. The RAT starts monitoring the system and crypto wallets, and is capable of stealing stored passwords and other sensitive data.
“Each version of this tool is slightly altered to avoid detection, but all include a hidden configuration file that connects back to the attackers’ server. These files also contain campaign names like ‘Kling AI 25/03/2025’ or ‘Kling AI Test Startup,’ suggesting ongoing testing and updates by the threat actors,” the researchers noted.
They warn that AI tools are growing in popularity among hackers aiming to lure victims and exploit their trust. Fraudsters are effectively combining malvertising and social engineering with advanced malware to steal user data and control their devices.
Kling AI-themed frauds have already gone through multiple iterations. For each sub-campaign, hackers create new malicious domains and adjust their tools.