Hackers Created Fake Version of AI Tool to Attack 6 Million Users

In a sophisticated cyberattack campaign uncovered in early 2025, threat actors created counterfeit versions of popular AI image generation platform Kling AI to deliver malware to unsuspecting users.

Kling AI, which has amassed over 6 million users since its June 2024 launch, became the target of an elaborate impersonation scheme designed to exploit the growing popularity of AI-powered media creation tools.

The attackers meticulously replicated the legitimate service’s appearance and functionality, creating a nearly indistinguishable user experience that concealed its malicious intent.


The attack methodology involved creating approximately 70 fake Facebook pages and promoted posts that directed users to convincing spoof websites with domains like “klingaimedia.com” and “klingaistudio.com.”

These advertisements appeared legitimate to casual observers, employing graphics and messaging consistent with genuine AI generation services.

When visitors accessed these counterfeit pages, they were prompted to upload images or text prompts for AI enhancement or transformation – mimicking the standard workflow of legitimate generative AI platforms.

Check Point researchers identified this campaign after tracking unusual malware delivery patterns beginning in early 2025.

Their analysis revealed that once users submitted content for “AI processing” on these fake sites, they were presented with a download link purportedly containing their AI-generated content.

“The threat actor mimicked Kling AI and drove traffic to a convincing fake website via counterfeit Facebook pages and paid ads,” noted the research team, who observed victims across multiple regions, with particularly high concentrations in Asia.

Instead of receiving the promised AI-generated media, victims downloaded files containing sophisticated malware.

The infection chain employed several deceptive techniques to bypass user awareness, including filename masquerading that made executable files appear as innocent media outputs.

Fake Kling AI’s Infection Chain (Source – Check Point)

The global reach of this campaign suggests a well-resourced threat actor with infrastructure capable of targeting users across diverse geographic regions.

The technical sophistication of this attack becomes apparent when examining the file masquerading techniques.

Downloaded files appeared to be standard media outputs (like “Generated_Image_2025_97607092.jpg”), but contained hidden executable code.

The attackers employed an ingenious technique using Hangul Filler characters (UTF-8 hex encoding 0xE3 0x85 0xA4) to extend filenames to 292 bytes, with the actual file extension “.exe” pushed far to the right and typically not visible in standard file dialogs.

Example of image generation in the fake website (Source – Check Point)

Check Point’s analysis demonstrates how innocent-looking “image generation” interfaces presented users with malicious downloads.

When examining the downloaded files in a hex editor, researchers observed the following pattern (the ASCII column shows the visible stem, then the run of Hangul Filler bytes E3 85 A4, then the real extension):

45 66 66 65 63 74 73 5F 47 65 6E 65 72 61 74 69   Effects_Generati
6F 6E 5F 32 30 32 35 35 34 31 35 2E 6D 70 34 E3   on_20250415.mp4.
85 A4 E3 85 A4 E3 85 A4 E3 85 A4 E3 85
...
A4 2E 65 78 65                                    .exe

This technique proved particularly effective as Windows Explorer displayed these files with image icons despite being classified as “Application” type.
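The filler-padding trick above can be checked for on the defender's side by comparing the extension a user would see with the extension the operating system actually honours. The script below is an added example written for this article, not Check Point's code; the list of padding characters beyond U+3164 and the sample filename it builds are assumptions.

```python
# Defender-side check for filenames padded with invisible Unicode characters so that
# the real extension (e.g. ".exe") sits far to the right of a media-looking stem.
from pathlib import PurePath

# U+3164 HANGUL FILLER (UTF-8 E3 85 A4) is the character seen in this campaign;
# the other entries are related invisible characters added here as an assumption.
PADDING_CHARS = {
    "\u3164",  # HANGUL FILLER
    "\u115F",  # HANGUL CHOSEONG FILLER
    "\u1160",  # HANGUL JUNGSEONG FILLER
    "\u2800",  # BRAILLE PATTERN BLANK
    "\u00A0",  # NO-BREAK SPACE
    "\u200B",  # ZERO WIDTH SPACE
    "\u2060",  # WORD JOINER
    "\uFEFF",  # ZERO WIDTH NO-BREAK SPACE
}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".mov"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs"}


def analyze_filename(name: str) -> dict:
    """Compare the extension a user sees with the one Windows would execute."""
    real_ext = PurePath(name).suffix.lower()              # what the OS honours
    pad_positions = [i for i, ch in enumerate(name) if ch in PADDING_CHARS]
    # The visible part ends where the run of invisible padding begins.
    visible = name[:pad_positions[0]] if pad_positions else name
    apparent_ext = PurePath(visible).suffix.lower()       # what the user sees
    suspicious = bool(pad_positions) and apparent_ext in MEDIA_EXTS and real_ext in EXEC_EXTS
    return {
        "visible_name": visible,
        "apparent_ext": apparent_ext,
        "real_ext": real_ext,
        "padding_chars": len(pad_positions),
        "utf8_length": len(name.encode("utf-8")),
        "suspicious": suspicious,
    }


def build_sample() -> str:
    """Constructed lure filename: media stem, Hangul Filler run, real .exe, 292 bytes."""
    stem, real = "Generated_Image_2025_97607092.jpg", ".exe"
    fillers = (292 - len(stem.encode("utf-8")) - len(real)) // 3  # 3 bytes each
    return stem + "\u3164" * fillers + real


if __name__ == "__main__":
    for fname in (build_sample(), "holiday.jpg"):
        print(analyze_filename(fname))
```

Raw filenames taken from a file system or a download log can be decoded with `bytes.decode("utf-8")` and passed straight to `analyze_filename`.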

Once executed, the malware performed sophisticated environment checks to avoid analysis tools, with one variant employing .NET Native AOT compilation to further complicate detection.

The loaders contained anti-analysis code to detect tools like Process Hacker, Wireshark, OllyDbg, and numerous other security and analysis applications.

Anti-analysis process detection (Source – Check Point)

The code included explicit checks for 19 different analysis tools, immediately terminating if any were detected.

The primary payload, identified as PureHVNC RAT, established persistence through multiple methods and deployed extensive information-stealing capabilities targeting over 40 cryptocurrency wallet browser extensions across numerous browsers.

Attribution evidence, including Vietnamese language debug messages in the code, suggests the campaign may be linked to threat actors from Vietnam who have previously conducted similar Facebook malvertising operations.

Infection Mechanism in Detail

The infection process begins when users click the “Generate” button on the fake AI website after uploading their content.

YOUR FILE IS READY TO DOWNLOAD! (Source – Check Point)

After a simulated processing period designed to appear legitimate, users are presented with a “YOUR FILE IS READY TO DOWNLOAD!” message.

This interface mimics common user experiences on legitimate AI platforms, complete with loading animations and professional design elements that suggest authenticity.

Generated media file in a standard Windows Explorer view (Source – Check Point)

When examining the Windows Explorer view of these files, users see a seemingly innocent media file, but with subtle indicators of its malicious nature.

The file type column shows “Application” rather than “JPG File” or “MP4 File,” a detail easily overlooked by most users. Windows Explorer presents the file with conventional media icons due to the manipulation of the filename, further enhancing the deception.

The malware employs sophisticated persistence mechanisms as identified in the loader’s configuration strings.

Code analysis revealed configuration parameters like “$startup,” “$melt,” “$persistence,” and “$antiprocesshacker,” indicating various stealth and persistence capabilities.

The “$startup” parameter triggers registry-based persistence, while “$melt” enables self-deletion after execution to eliminate evidence.

Most concerning is the second-stage PureHVNC RAT payload, which monitors for specific application windows related to banking and cryptocurrency and takes screenshots when such a window is detected.

Check Point’s discovery highlights how threat actors continue to adapt their techniques to exploit current technology trends, creating increasingly convincing lures that blend seamlessly with legitimate user experiences.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.