Threat Actors Weaponize Fake AI-Themed Websites to Deliver Python-based Infostealers
Mandiant Threat Defense has uncovered a malicious campaign orchestrated by the threat group UNC6032, which capitalizes on the global fascination with artificial intelligence (AI).
Since at least mid-2024, UNC6032 has been deploying fake AI video generator websites to distribute malware, specifically targeting users through deceptive social media ads on platforms like Facebook and LinkedIn.
These ads, mimicking legitimate tools such as Luma AI, Canva Dream Lab, and Kling AI, have reached millions of users globally, luring them to fraudulent sites that deliver Python-based infostealers and backdoors.

Exploiting the AI Craze with Malicious Campaigns
With a suspected Vietnam nexus as per Google Threat Intelligence Group (GTIG), this campaign underscores the growing trend of cybercriminals exploiting trending technologies to maximize their reach and impact across diverse geographies and industries.
The infection begins with malicious ads redirecting users to counterfeit AI websites, designed to mimic legitimate text-to-video or image-to-video tools.

Upon interaction, users are prompted to download a ZIP archive containing a disguised executable, often named with a double extension (e.g., .mp4.exe) and padded with Unicode Braille Pattern Blank characters so that the true file type is pushed out of view.
This executable, identified by Mandiant as STARKVEIL, is a Rust-based dropper that extracts embedded malware components under directories like C:\winsystem.
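The double-extension plus Braille-padding trick described above can be caught before execution with a simple filename check. The following is an added example, not code from Mandiant or the original article; the padding character set, extension lists and sample names are assumptions constructed for illustration.

```python
import unicodedata

# Characters abused to pad a name so the real extension scrolls out of view in
# Explorer or an archive viewer. U+2800 (Braille Pattern Blank) renders as empty
# space but is NOT whitespace, so a naive str.strip() will not remove it.
# (Assumed set; extend as needed.)
PADDING_CHARS = {"\u2800", "\u00a0", "\u2002", "\u2003", "\u3000"}
MEDIA_EXTS = {"mp4", "mov", "avi", "png", "jpg", "jpeg", "gif", "pdf", "mp3"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "ps1", "msi", "js", "vbs", "pif"}


def analyze_filename(name: str) -> list[str]:
    """Return the reasons a filename looks like a masquerading executable.

    An empty list means nothing suspicious was found.
    """
    reasons: list[str] = []

    # 1. Invisible padding characters anywhere in the name.
    pad = [c for c in name if c in PADDING_CHARS]
    if pad:
        names = sorted({unicodedata.name(c, "?") for c in pad})
        reasons.append(f"{len(pad)} padding chars ({', '.join(names)})")

    # 2. Double extension: strip the padding first so "video.mp4<pad>.exe"
    #    is still recognised as media-name + executable extension.
    clean = "".join(c for c in name if c not in PADDING_CHARS).strip()
    parts = clean.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS:
        previous = parts[-2]
        kind = "media" if previous in MEDIA_EXTS else "document/other"
        reasons.append(f"double extension .{previous}.{parts[-1]} ({kind})")

    return reasons


def scan_archive_listing(names: list[str]) -> dict[str, list[str]]:
    """Apply analyze_filename to every entry name from a ZIP listing."""
    return {n: r for n in names if (r := analyze_filename(n))}


if __name__ == "__main__":
    # Constructed sample listing, not real IOCs from the campaign.
    sample = ["readme.txt", "Lumalabs_video.mp4" + "\u2800" * 40 + ".exe"]
    for name, why in scan_archive_listing(sample).items():
        print(repr(name[:24]), "->", "; ".join(why))
```

Run it against the member names of a downloaded ZIP (e.g. `zipfile.ZipFile(p).namelist()`) before anything is extracted.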
Technical Breakdown of the Infection Chain
On subsequent execution, it spawns processes like py.exe to run obfuscated Python scripts (tracked as COILHATCH), employing a layered decryption scheme involving RSA, AES, RC4, and XOR to recover payloads.
These payloads include modular malware families such as GRIMPULL (a .NET downloader using Tor for C2 communication), XWORM, and FROSTRIFT (both .NET backdoors), which facilitate information theft, persistence through AutoRun registry keys, and extensive reconnaissance of host systems and browser extensions.
The malware steals sensitive data like login credentials, cookies, credit card information, and even cryptocurrency wallet details, exfiltrating them via Telegram API or TCP connections to domains like strokes.zapto[.]org.
Advanced anti-VM and anti-analysis checks further complicate detection, making this campaign a significant threat to both individuals and organizations.
Mandiant notes that Meta’s proactive efforts in 2024, alongside their own alerts, have led to the removal of numerous malicious ads and domains, though the threat actors’ tactic of rotating domains ensures continued risk.
This campaign highlights the urgency of exercising caution with AI tools and verifying website legitimacy, as the allure of novel technology can easily ensnare unsuspecting users.
Indicators of Compromise (IOCs)
| Type | Indicator | Notes |
|---|---|---|
| File (SHA256) | 8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b | Lumalabs_1926326251082123689-626.zip |
| File (SHA256) | d3f50dc61d8c2be665a2d3933e2668448edc31546fea84517f8e61237c6d2e5d | STARKVEIL |
| C2 Domain | strokes.zapto[.]org:7789 | GRIMPULL C2 |
| C2 Domain | artisanaqua[.]ddnsking[.]com:25699 | XWORM C2 |
| Fake Domain | lumalabsai[.]in | Registered 2025-01-16 |