Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for fake AI video tools, leading to stolen credentials and credit card information.
Mandiant Threat Defense has uncovered a widespread cybercrime operation preying on the public’s excitement for new AI tools. A group known as UNC6032, believed to be based in Vietnam, is tricking people with fake social media ads that look like they’re promoting popular AI video generators such as Luma AI and Canva Dream Lab.
According to Mandiant’s research, shared with Hackread.com, UNC6032 has been running misleading ads on platforms like Facebook and LinkedIn since mid-2024. These ads direct users to fake websites that appear to offer AI video generation services.
However, instead of generating a video, these sites deliver a download that installs malware, including infostealers and backdoors, which harvest login credentials and other personal data. The stolen data is likely sold on underground markets.
This type of attack is a concern for everyone, from individuals to large companies. According to Mandiant’s M-Trends 2025 report, stolen credentials were the second most common initial infection vector observed in intrusions. Mandiant has found thousands of these ads, reaching millions of users, and believes similar campaigns are active on other social media platforms.
For instance, one specific attack that Mandiant investigated started with a Facebook ad for Luma Dream AI Machine. When a user clicked on “Start Free Now,” they were led through a series of steps mimicking a real AI video creation process.
After a loading bar, a Download button appeared. The download was not a video but an executable: its filename was padded with invisible Braille Pattern Blank characters so that the real .exe extension was pushed out of view, leaving what looked like an .mp4 name, and the file carried a video icon to complete the disguise.
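The filename trick above is easy to detect once you know to look for it. The following Python helper is an added example written for this article, not code from Mandiant or the campaign: it strips Unicode padding and formatting characters from a filename, recovers the extension the operating system will actually act on, and reports any decoy extension sitting in front of it. It generalizes beyond the Braille blank used here to other invisible or direction-overriding characters (zero-width spaces, the right-to-left override), and it also scans the member names of an in-memory ZIP, since the campaign delivered its payload inside an archive. The filenames and archive contents are constructed for the example.

```python
import io
import unicodedata
import zipfile

# Characters an attacker can use to push the real extension out of view or
# to hide it entirely. U+2800 is the one used in this campaign; the others
# are common generalizations (zero-width and bidirectional-override characters).
PADDING_CHARS = {
    "\u2800",  # BRAILLE PATTERN BLANK (used by UNC6032)
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE
}

# Extensions Windows will execute on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".lnk", ".hta"}
# Extensions attackers like to show the victim as a decoy.
DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".png", ".jpg", ".jpeg",
              ".gif", ".pdf", ".docx", ".xlsx"}


def is_padding(c: str) -> bool:
    """True for characters that render as nothing or break visual ordering."""
    if c in PADDING_CHARS:
        return True
    cat = unicodedata.category(c)
    # Cf = format characters (zero-width, bidi controls); Zs = space separators
    # other than the ordinary ASCII space.
    return cat == "Cf" or (cat == "Zs" and c != " ")


def analyze_filename(name: str) -> dict:
    """Describe extension-spoofing tricks in a single filename or path."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    padding = sum(1 for c in base if is_padding(c))
    cleaned = "".join(c for c in base if not is_padding(c))

    # The OS acts on whatever follows the final dot in the ORIGINAL name.
    tail = base.rsplit(".", 1)
    real_ext = "." + tail[1].lower() if len(tail) == 2 and tail[1] else ""

    # A decoy is a media/document extension immediately before the real one.
    parts = cleaned.split(".")
    decoy_ext = ""
    if len(parts) > 2 and "." + parts[-2].lower() in DECOY_EXTS:
        decoy_ext = "." + parts[-2].lower()

    if real_ext in EXECUTABLE_EXTS and (decoy_ext or padding):
        verdict = "spoofed_executable"
    elif padding:
        verdict = "suspicious_padding"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "clean"

    return {
        "filename": base,
        "real_extension": real_ext,
        "decoy_extension": decoy_ext,
        "padding_chars": padding,
        "verdict": verdict,
    }


def scan_zip(data: bytes) -> list:
    """Return analysis records for every suspicious member of an in-memory ZIP."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result = analyze_filename(info.filename)
            if result["verdict"] in ("spoofed_executable", "suspicious_padding"):
                flagged.append(result)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real campaign artifact): a padded
    decoy-named executable next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Luma_Video_0001.mp4" + "\u2800" * 12 + ".exe", b"MZ constructed stub")
        zf.writestr("README.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for record in scan_zip(build_sample_zip()):
        print(record)
```

Two caveats for anyone turning this into a control. First, Windows Explorer hides known extensions by default, so even a plain `Video.mp4.exe` with no padding displays as `Video.mp4`; the `decoy_extension` field catches that case regardless of padding. Second, a padded name is a strong signal but the icon swap is not visible to this check at all, so pair filename analysis with a check of the actual file type (a PE header behind a media name is the real tell).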
Malicious ads on Facebook and LinkedIn (Image credit: Mandiant)
The malware delivered in these attacks, which Mandiant tracks as STARKVEIL, is a multi-stage dropper written in Rust. It may display a fake error message to trick the user into running it again. It then drops additional tools: the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader.
These tools let the attackers control the machine, steal further data, record keystrokes, and enumerate installed security software. GRIMPULL, for example, can download and run Tor to reach the attackers’ hidden command-and-control servers, while XWORM exfiltrates stolen information to the attackers over Telegram.
According to Mandiant Threat Defense’s blog post, the company is collaborating with Meta and LinkedIn to fight this campaign. Although Meta has removed many of these ads, new ones are appearing daily. This ongoing threat necessitates constant collaboration across the tech industry to protect users.
Yash Gupta, Senior Manager at Mandiant Threat Defense, warns that “well-crafted websites masquerading as legitimate AI tools can pose a threat to anyone… Users should exercise caution when engaging with seemingly harmless ads.”
AI tools are popular, and cybercriminals will keep exploiting that interest. Users trying out a new AI tool should be cautious, reach it by typing the vendor’s address directly rather than through an ad, and verify the site’s domain before downloading anything.