Hackers Use Fake Kling AI Ads to Spread Malware, Targeting Crypto Wallets and Browsers



Cybersecurity researchers have discovered a new malware campaign that tricks users by pretending to be the popular AI media platform Kling AI. The attack, which began in early 2025, uses fake Facebook ads and lookalike websites to spread a dangerous infostealer malware.

According to Check Point Research (CPR), the hackers are taking advantage of Kling AI’s rising popularity—since its launch in June 2024, the platform has gained over 6 million users.

Here’s how the scam works: Users see sponsored posts on Facebook promoting Kling AI. When they click the link, they are taken to a fake version of the Kling AI website. There, they are asked to enter a text prompt or upload an image to generate AI content.

Instead of receiving an image or video, users end up downloading a ZIP file. Inside is a disguised file that looks like a regular JPG or MP4, but it’s actually a malware program. The attackers used special characters in the filename to hide the true file type.
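For defenders, the filename trick described above can be checked before a downloaded archive is ever extracted. The following Python sketch is an added example, not code from Check Point Research or from the campaign. The extension lists and the set of blank-rendering characters are assumptions, since the article does not say which special characters were used, and the sample archive is constructed in memory.

```python
import io
import re
import unicodedata
import zipfile

# Assumed policy lists for this example; adjust to local needs.
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "mp4", "mov"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "lnk", "js"}
# Letters/symbols that render as blank space (assumed, not exhaustive).
BLANK_FILLERS = {"\u3164", "\u115f", "\u1160", "\uffa0", "\u2800"}


def _is_hidden(ch):
    # Cf covers zero-width and bidi-override characters; Cc is control codes.
    return ch in BLANK_FILLERS or unicodedata.category(ch) in ("Cf", "Cc")


def filename_findings(name):
    """Return the reasons an archive member name looks disguised."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    findings = []
    if any(_is_hidden(ch) for ch in base):
        findings.append("invisible or blank-rendering characters")
    if re.search(r"\s{3,}", base):
        findings.append("long whitespace run")
    # Strip padding, then compare the real extension with earlier ones.
    visible = "".join(c for c in base if not _is_hidden(c) and not c.isspace())
    parts = visible.lower().split(".")
    if len(parts) > 2 and parts[-1] in EXEC_EXTS and MEDIA_EXTS & set(parts[1:-1]):
        findings.append("media extension followed by executable extension")
    return findings


def scan_zip(source):
    """Map suspicious member names to findings without extracting anything."""
    with zipfile.ZipFile(source) as zf:
        names = [info.filename for info in zf.infolist()]
    return {n: f for n in names if (f := filename_findings(n))}


def build_sample():
    """Constructed in-memory archive: one benign name, one padded name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"not a real image")
        zf.writestr("Generated_Video.mp4" + "\u3164" * 20 + ".exe", b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(repr(member), "->", "; ".join(reasons))
```

The scan reads only the archive's member names, so it is safe to run on an untrusted download.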

Once opened, this file installs a stealthy malware loader built with .NET and sometimes compiled using Native AOT, which makes it harder for security tools to detect. It checks if it’s being watched by antivirus or running in a virtual machine. If everything is clear, it hides itself in system processes and downloads more malware.

The final payload is known as PureHVNC RAT, a remote access trojan that lets hackers take control of infected computers and steal data. It mainly targets cryptocurrency wallets and saved browser passwords.

The malware searches for over 50 digital wallet browser extensions, including MetaMask, Phantom, and Trust Wallet. It also scans popular browsers like Chrome, Edge, Brave, Vivaldi, Opera, 360Browser, and QQBrowser. Standalone apps like Telegram, Ledger Live, and Electrum are also on its radar.

This campaign has affected users around the world, especially in Asia. CPR found multiple versions of the attack, suggesting that the hackers are constantly testing and improving their methods.

The researchers noted that the style of the attack and the use of Vietnamese language in the malware code are consistent with past campaigns linked to Vietnamese hackers.

To stay safe, experts recommend downloading software only from official sources, keeping antivirus programs updated, using multi-factor authentication (MFA), and being cautious of suspicious ads and phishing attempts.

