Check Point Research has uncovered a sophisticated malware campaign exploiting the rising popularity of Kling AI, a legitimate AI-powered media generation platform, to distribute a potent infostealer through fake websites and Facebook malvertising.
The campaign, launched in early 2025, weaponizes trust in generative AI by mimicking Kling AI's branding and functionality. Threat actors created fake Facebook pages and ran over 70 sponsored posts luring users to download AI-generated content from spoofed domains like klingaimedia[.]com and klingturbo[.]com. These domains hosted realistic clones of Kling AI's interface, inviting users to generate AI-based images or videos.
But instead of delivering safe media files, the site served a trojan horse: a .zip archive containing a deceptively named .exe file. The filename cleverly used Hangul Filler characters (U+3164) to disguise its true extension as .jpg or .mp4, a technique known as filename masquerading. Windows Explorer shows the file as a media file, but a closer inspection reveals it as an application.
"Each space character is represented by three bytes 0xE3 0x85 0xA4, a UTF-8 hex encoding for Hangul Filler," the report explains.
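As an added defender-side check (not code from the Check Point report), the Python below inspects archive member names for the Hangul Filler trick described above and reports the extension a viewer sees versus the one Windows actually acts on. The sample archive and the extra invisible code points listed beyond U+3164 are constructed assumptions.

```python
import io
import os
import re
import zipfile

# Invisible code points abused to push the real extension out of view.
# U+3164 (Hangul Filler) is the one the report documents; the rest are
# assumed companions worth flagging in the same check.
FILLERS = {"\u3164", "\u115f", "\u1160", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
FILLER_RE = re.compile("[" + re.escape("".join(sorted(FILLERS))) + "]+")
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi", ".dll", ".js", ".vbs"}
# The three-byte UTF-8 sequence quoted in the report.
HANGUL_FILLER_UTF8 = "\u3164".encode("utf-8")  # b'\xe3\x85\xa4'

def analyze_filename(name: str) -> dict:
    """Compare the extension a viewer sees with the one Windows will act on."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = FILLER_RE.search(base)
    visible = base[:m.start()] if m else base          # text before the first blank run
    real_ext = os.path.splitext(base)[1].lower()       # what the shell keys on
    shown_ext = os.path.splitext(visible)[1].lower()   # what the eye lands on
    return {
        "name": base,
        "filler_count": sum(1 for c in base if c in FILLERS),
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "masquerading": bool(m) and real_ext in EXECUTABLE_EXTS,
    }

def scan_zip(data: bytes) -> list:
    """Return the analysis of every masquerading member of an archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [r for r in map(analyze_filename, zf.namelist()) if r["masquerading"]]

def build_sample_zip() -> bytes:
    """Constructed lookalike of the lure archive; the member content is a placeholder."""
    lure = "Generated_Image_2025.jpg" + "\u3164" * 20 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(lure, b"placeholder bytes, not a real executable")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(f"{hit['name']!r}: shown as {hit['shown_ext']}, really {hit['real_ext']}, "
              f"{hit['filler_count']} filler chars")
```

The same check can be pointed at a mail gateway or download quarantine by feeding it the raw .zip bytes before a user ever sees the Explorer listing.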

Once executed, the file, compiled using .NET Native AOT for stealth, installs a loader with a suite of anti-analysis features. The loader searches for and disables tools like Wireshark, ProcMon, PeStudio, and others. It sets persistence via registry keys and copies itself to the %APPDATA%\Local directory.
The loader also performs virtual machine checks and runs a self-restarting batch script to ensure it keeps executing. Among its configuration variables are ominous flags such as $antiprocesshacker, $antivt, $persistence, and $startup.
"If any of these programs are found running in the memory, the loader immediately exits," warns the research team.
The second payload, disguised as a .NET-obfuscated DLL, contains the PureHVNC remote access trojan, which not only enables full remote control but also doubles as a stealer. It extracts browser-stored credentials and session tokens, particularly from Chromium-based browsers and crypto browser extensions like MetaMask, TronLink, Phantom, and Binance Chain Wallet.
Additionally, a plugin named PluginWindowNotify captures screenshots when banking apps or crypto wallets are detected in the foreground.
"The plugin monitors for 'interesting' window captions such as 'coinbase', 'paypal', or 'Trust Wallet', and triggers screenshots when matches occur," the report states.
The campaign appears to have a global reach, but researchers found telltale signs of Vietnamese threat actor involvement, including Vietnamese debug messages, local phone numbers, and prior history with similar Facebook malvertising strategies.
"This current campaign included several references (like debug messages) in the Vietnamese language," Check Point notes.