NEWS While you're generating a video, UNC6032 is already reading your Telegram chats.

Posted by ExcalibuR (Legend, Premium Member, joined Jan 17, 2025)
Welcome to an era where "generate a video from a description" means "hand over your password."

Since late 2024, Mandiant Threat Defense has been tracking a large-scale campaign by the group it tracks as UNC6032, which has turned the interest in generative AI into bait for spreading malware. Their main lure is a set of fake websites mimicking popular text-to-video tools such as Luma AI, Canva Dream Lab, and Kling AI. Thousands of ads on Facebook* and LinkedIn* send victims to these lookalike sites, where the "generated video" they are promised is actually a malicious archive to download.

According to Mandiant, the campaign involves more than 30 domains. In EU countries alone, the ads were shown to over 2.3 million users (that is ad reach, not a count of infections). The ads are run both from fake pages and from hijacked accounts, and the domains are rotated frequently to outrun blocking. LinkedIn* carried far fewer ads, but it was used for targeted campaigns in the U.S., Europe, and Australia.

Inside the downloaded archive is a file with a double extension (.mp4.exe). Between the decoy ".mp4" and the real ".exe" the name is padded with a run of invisible Braille Pattern Blank characters (U+2800), so in a file dialog or Explorer column the ".exe" is pushed out of view and the name appears to end in ".mp4". The file icon mimics a standard video file, and because Windows hides known extensions by default, even an unpadded "video.mp4.exe" would be shown as "video.mp4". The result is a malicious executable that looks like the render the victim was waiting for.
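As an added example (not code from the post or from Mandiant), here is a small Python check that catches the two tricks described above when run over the names in a downloaded archive: a decoy media/document extension followed by an executable one, and invisible padding characters in the name. It goes a little beyond the post: U+2800 is the character the post describes, while the zero-width and bidi-override code points, the extension lists, and the sample names are assumptions added for the example.

```python
import unicodedata
from pathlib import PureWindowsPath

# Code points that render as blank (or reorder text) and are used to pad or hide
# the real extension. U+2800 is the Braille Pattern Blank described in the post;
# the zero-width and bidi-override characters are an assumption added here as
# the other common masquerading tricks, not something the post reports for UNC6032.
HIDDEN_CODEPOINTS = {
    0x2800,          # BRAILLE PATTERN BLANK
    0x200B, 0x200C,  # ZERO WIDTH SPACE, ZERO WIDTH NON-JOINER
    0x200D, 0x2060,  # ZERO WIDTH JOINER, WORD JOINER
    0xFEFF,          # ZERO WIDTH NO-BREAK SPACE
    0x202E,          # RIGHT-TO-LEFT OVERRIDE
    0x00A0, 0x3000,  # NO-BREAK SPACE, IDEOGRAPHIC SPACE
}

# Illustrative lists (assumption): what the name claims to be vs. what Windows runs.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".hta", ".lnk"}
DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".png", ".gif",
              ".pdf", ".docx", ".xlsx", ".txt"}


def analyze_filename(name: str) -> dict:
    """Flag a file name that hides an executable behind a media/document name."""
    hidden = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
              for c in name if ord(c) in HIDDEN_CODEPOINTS]
    # Remove the padding first; otherwise ".mp4<blanks>.exe" is parsed as the
    # odd suffix ".mp4<blanks>" followed by ".exe" and the decoy is missed.
    cleaned = "".join(c for c in name if ord(c) not in HIDDEN_CODEPOINTS)
    suffixes = [s.lower() for s in PureWindowsPath(cleaned).suffixes]
    final_ext = suffixes[-1] if suffixes else ""
    decoy_ext = suffixes[-2] if len(suffixes) >= 2 else ""
    double_ext = final_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS
    return {
        "name": name,
        "hidden_chars": hidden,
        "final_ext": final_ext,
        "decoy_ext": decoy_ext,
        "double_extension": double_ext,
        "suspicious": double_ext or bool(hidden),
    }


def scan_archive_listing(names):
    """Return only the entries from an archive listing that deserve a second look."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


# Constructed names in the style the post describes; not real sample names.
SAMPLE_LISTING = [
    "Luma_render_0421.mp4" + "\u2800" * 5 + ".exe",  # padded double extension
    "holiday_clip.mp4",                                # benign
    "invoice.pdf.exe",                                 # plain double extension
    "readme.txt",                                      # benign
]

if __name__ == "__main__":
    for hit in scan_archive_listing(SAMPLE_LISTING):
        print(repr(hit["name"]), hit["hidden_chars"][:1], hit["final_ext"],
              "double_extension" if hit["double_extension"] else "")
```

The padding is stripped before the suffixes are read, which is the detail that matters: a naive `endswith(".exe")` still works on the padded name, but anything that keys off the "last dot" (or a regex for `\.mp4\.exe$`) is defeated by the blanks. Any hidden code point in a file name is treated as a finding on its own, since there is no benign reason for a Braille blank or a right-to-left override to appear there.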

The primary dropper, dubbed STARKVEIL, is written in Rust. On execution it unpacks its components into a hidden directory, including the XWORM and FROSTRIFT backdoors and the GRIMPULL loader. STARKVEIL then runs a Python launcher with encrypted code, which in turn starts legitimate, signed executables alongside malicious DLLs. Those DLLs are the injectors: once sideloaded they write the payloads into Windows processes.

GRIMPULL is a .NET loader with checks for virtual machines and sandboxes. It connects to its command server over Tor to fetch additional payloads, downloading Tor itself if it is not already present. Its configuration is stored encrypted and Base64-encoded, and its traffic is encrypted with TripleDES.

XWORM functions as a full-fledged backdoor with keylogging, screenshot capture, remote command execution, and USB-based propagation. It communicates with a C2 server via TCP, sends stolen data to Telegram, and can execute commands like shutting down the PC, restarting, or launching a command prompt. Plugins are loaded on demand.

FROSTRIFT, meanwhile, focuses on stealing sensitive data: it collects system information, checks for 48 popular browser extensions (including password managers, cryptocurrency wallets, and 2FA tools), and scans for installed crypto wallets and applications. The backdoor speaks GZIP-compressed protobuf messages over SSL/TLS, stores its modules in the registry, and loads them into memory only when needed. It also establishes persistence through registry entries.

All three payloads are launched via DLL sideloading through trusted Windows applications, which makes detection harder: the process that shows up in telemetry is a legitimately signed binary, and the malicious code lives in a DLL sitting next to it. Each module employs its own obfuscation and resilient communication channels.
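For the defender's side of the sideloading point above, here is an added example (not code from the post or from Mandiant) of the two classic checks run over image-load telemetry: a DLL that carries the name of a System32 library but is loaded from outside the Windows directory, and an unsigned DLL loaded from the same user-writable directory as the executable that loaded it. The records are constructed, simplified Sysmon Event ID 7 (ImageLoad) lines with only the Image, ImageLoaded and Signed fields; the trusted-directory list and the short set of commonly abused DLL names are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon Event ID 7 (ImageLoad) records. Real events are XML
# with many more fields; only Image, ImageLoaded and Signed are kept. Not real telemetry.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\bob\AppData\Local\Temp\render\legit.exe|ImageLoaded=C:\Users\bob\AppData\Local\Temp\render\version.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=false",
    r"Image=C:\Users\bob\Downloads\video.mp4.exe|ImageLoaded=C:\Users\bob\Downloads\cryptbase.dll|Signed=true",
]

# Directories where Windows and properly installed software live; everything else is
# treated as user-writable. An assumption for the example; tune per estate.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# A short illustrative set of System32 DLL names that are frequently the target of
# sideloading (an assumption for the example, not a list taken from the post).
KNOWN_SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll",
                     "userenv.dll", "wininet.dll", "profapi.dll"}


def parse_event(line: str) -> dict:
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def sideload_reasons(event: dict) -> list:
    """Return the reasons (possibly none) this image load looks like DLL sideloading."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if in_trusted_dir(str(dll)):
        return reasons  # DLL lives where the OS or an installer put it
    if dll.name.lower() in KNOWN_SYSTEM_DLLS:
        reasons.append("system DLL name loaded from outside the Windows directory")
    same_dir = str(image.parent).lower() == str(dll.parent).lower()
    if same_dir and event.get("Signed", "").lower() == "false":
        reasons.append("unsigned DLL loaded from the executable's own directory")
    return reasons


def scan_events(lines):
    """Return (process, dll, reasons) for every record that trips a check."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = sideload_reasons(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in scan_events(SAMPLE_EVENTS):
        print(image, "->", dll)
        for r in reasons:
            print("   ", r)
```

The second rule is deliberately broad: any self-contained application that keeps unsigned DLLs next to its executable under a user profile (Electron-based apps in AppData\Local are the usual case) will trip it, so in production it belongs behind an allow-list or a join against the signer of the loading process. The first rule is the one with the better signal: there is rarely a legitimate reason for a file named version.dll or cryptbase.dll to be loaded from a Downloads or Temp directory.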

Mandiant reports that UNC6032's attacks have hit victims across multiple countries and industries. Everything stolen, including logins, cookies, credit card details, and Facebook* account data, is exfiltrated through Telegram. Google Threat Intelligence Group assesses UNC6032 to be Vietnam-linked. Meta* and LinkedIn* are pushing back by removing the malicious ads and blocking the domains, but with the domains rotating as quickly as they do, the group remains active.

Fake AI services have become a trap that is easy to fall into. They no longer target only designers: anyone experimenting with AI tools risks downloading an infected file. Similar cases have been seen before, such as malware disguised as an AI tool spreading across Europe and Asia. The practical checks are simple: verify the domain before using an AI tool, remember that a real text-to-video service plays your result in the browser rather than asking you to download and run an archive, and turn on "show file extensions" so that a ".mp4.exe" is seen for what it is.