Scammers Use Fake Kling AI Ads to Spread Malware

A series of malware scams was spotted targeting users of generative AI tools, with attackers posing as the popular Kling AI platform to spread malicious software. According to a detailed analysis by Check Point Research (CPR), the campaign used fake social media ads and cloned websites to trick users into downloading malicious files.

Kling AI is an AI-powered video generation tool developed by Kuaishou, a Chinese technology company, that turns text prompts or images into videos. Launched in June 2024, the platform has more than six million registered users. Kling AI’s popularity and worldwide use make it a lucrative target for cybercriminals.

The attack began with sponsored Facebook ads promoting Kling AI. The ads were linked to a fake site designed to mimic the real Kling AI interface. Once there, users were asked to upload an image and click “Generate,” a familiar interaction for anyone who has used generative tools.

Instead of receiving AI-generated media, users were handed a downloadable file. It appeared harmless, named something like Generated_Image_2025.jpg, complete with a standard image icon. But this was no image file. It was a disguised executable, built to install malware quietly on the user’s system.

One of the fake malicious Kling AI ads (Credit: CPR)

Although the malware name, family or type remains unknown, the first stage of the attack relied on what’s known as filename masquerading. By giving a malicious file the appearance of a common media format, attackers increased the chance that users would open it. Once installed, the malware stayed on the system and ran every time the computer was turned on.
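
A defender-side check for the filename masquerading described above, as an added example that is not from Check Point's report or the original article: it compares a downloaded file's leading bytes with what its name claims. The article does not say how the disguise was built, so the name checks cover common variants; the function names, extension lists and sample bytes are constructed for illustration.

```python
import unicodedata

# Leading "magic" bytes of the formats this check distinguishes.
MAGIC = {
    "pe": (b"MZ",),                      # Windows executable (PE/DOS header)
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}  # illustrative, not exhaustive

# Constructed sample headers (not taken from any real sample).
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF"


def sniff(head: bytes) -> str:
    """Return the format suggested by the leading bytes, or 'unknown'."""
    for kind, signatures in MAGIC.items():
        if head.startswith(signatures):
            return kind
    return "unknown"


def masquerade_findings(name: str, head: bytes) -> list[str]:
    """Return reasons a downloaded file looks like a disguised executable."""
    findings = []
    kind = sniff(head)
    # Invisible format characters (Unicode category Cf) can change how a
    # name is displayed, so flag them and ignore them when parsing.
    cleaned = "".join(c for c in name if unicodedata.category(c) != "Cf")
    if cleaned != name:
        findings.append("invisible-characters-in-name")
    # Every dot-separated suffix, with padding whitespace stripped.
    exts = ["." + part.strip() for part in cleaned.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in IMAGE_EXT and kind != IMAGE_EXT[last]:
        findings.append(f"content-is-{kind}-not-{IMAGE_EXT[last]}")
    if last in EXEC_EXT and any(e in IMAGE_EXT for e in exts[:-1]):
        findings.append("image-extension-before-executable-extension")
    return findings


if __name__ == "__main__":
    for sample in ("Generated_Image_2025.jpg", "Generated_Image_2025.jpg   .exe"):
        print(repr(sample), masquerade_findings(sample, SAMPLE_PE))
```

In practice `head` would be the first few bytes read from the downloaded file before it is opened.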

It didn’t stop there. The real damage happened in stage two when a remote access Trojan (RAT) was deployed on the compromised systems. This tool connected the compromised system back to an external command center. This allowed attackers to monitor activity, collect stored browser data, and even take full control of the system without the victim’s knowledge.

Check Point reports that each RAT variant used in this campaign was slightly modified, likely to avoid detection by antivirus tools. Some of the samples carried internal names like “Kling AI Test Startup” or dated markers such as “Kling AI 25/03/2025,” suggesting the group behind the attack has been actively testing and adjusting its methods.

Attack flow (Credit: CPR)

While the identity of the attackers is still being investigated, CPR found indicators linking the operation to Vietnam-based groups. These clues include Vietnamese-language debug strings inside the malware and similarities to previous campaigns that used Facebook as a delivery channel.

Cybercriminal groups from the region have been tied to past incidents involving fake ads and data-stealing malware on Facebook. This operation fits that pattern and marks another step in how cyber threats are adapting to current digital trends.

Generative AI tools are becoming more popular than ever, and attackers are finding ways to turn that popularity into an advantage. By copying the look and feel of trusted services, they make people assume a site is legitimate, especially when the fake site looks polished and real.

Check Point advises users to be cautious of sponsored ads and always verify the source before downloading anything.

HackRead
