Hackers are abusing Facebook's ad system to run large-scale malware campaigns, using fake AI tools as bait. Ads that impersonate AI video generators such as Kling AI, Luma AI, and Canva Dream Lab trick users into clicking links that lead to spoofed websites. These sites serve a ZIP file that claims to be the software installer but actually contains malware.
Instead of a creative AI tool, the user downloads a malicious loader that installs spyware, keyloggers, and information stealers. The malware runs in the background, harvesting passwords and browser data and scanning the system for cryptocurrency wallets.
The Campaign Is Well-Coordinated and Global
Security researchers at Mandiant and Google Threat Intelligence have been tracking the group behind this activity, which they label UNC6032. Based in Vietnam, the group has placed more than a thousand ads across Facebook and LinkedIn, reaching millions of users, mainly in Europe and Asia. Many of the ads were run from hijacked accounts, which makes them look more trustworthy.
The malware works in stages. Once the victim opens the fake installer, it contacts a remote server and downloads further payloads, including GRIMPULL and XWORM. These let the attackers monitor activity, control the system remotely, and steal sensitive files without the victim's knowledge.
How to Protect Yourself?
Never download software through social media ads. If an AI tool looks interesting, search for its official website independently. Do not install software from ZIP files obtained from unverified sources. Check the URL: spoofed sites often add words like "studio" or "media" to the brand name, or use unusual characters, to look authentic. Use reliable antivirus tools that can detect info-stealers and remote access trojans. Keep your operating system and browser updated so that known vulnerabilities the malware could exploit are patched.
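Two of the checks above, a look at the landing page's domain and a look inside the ZIP before anything in it is run, can be scripted. The following is an added example written for this article, not code from the article's author, Mandiant, or Google Threat Intelligence. The brand-to-domain list, the executable-extension list and the sample ZIP are constructed assumptions for the demo; verify the real vendor domains yourself before relying on such a list.

```python
"""Triage an ad landing-page URL and a downloaded "installer" ZIP.

Added example for this article; not the article's, Mandiant's or Google's code.
The OFFICIAL mapping and the sample ZIP below are assumptions built for the demo.
"""
import io
import re
import zipfile
from urllib.parse import urlsplit

# Assumed brand -> legitimate registrable domain. Illustrative, not a vetted allow-list.
OFFICIAL = {
    "kling": "klingai.com",
    "luma": "lumalabs.ai",
    "canva": "canva.com",
}

# Extensions that have no business inside a "video generator" download.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs", ".lnk", ".ps1"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.ai, wrong for .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'official', 'unknown domain', or a 'suspicious: ...' verdict."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in OFFICIAL.values():
        return "official"
    # Raw non-ASCII or IDNA/punycode labels: the "odd characters" trick.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: non-ascii or punycode host"
    # Brand name anywhere in a host the vendor does not own, e.g.
    # klingai-studio.com or klingai.com.evil.net (brand plus filler words).
    for brand, domain in OFFICIAL.items():
        if brand in host:
            return f"suspicious: lookalike of {domain}"
    return "unknown domain"


def triage_zip(data: bytes) -> list:
    """Flag ZIP entries that a fake 'installer' would typically carry.

    Returns [(entry_name, [reason, ...]), ...] for flagged entries only.
    Nothing is extracted or executed; only the central directory is read.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1].strip().lower() if len(parts) > 1 else ""
            reasons = []
            if ext in EXEC_EXT:
                reasons.append(f"executable entry ({ext})")
                if len(parts) > 2:
                    reasons.append("double extension, e.g. .mp4.exe")
            # Long runs of whitespace or non-ASCII push the real extension out of view.
            if re.search(r"\s{3,}", base) or not base.isascii():
                reasons.append("whitespace padding or non-ascii in file name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking a fake installer ZIP; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Thanks for downloading!")
        zf.writestr("Luma_AI_Video.mp4" + " " * 40 + ".exe", b"MZ fake stub")
        zf.writestr("setup/Installer.msi", b"\xd0\xcf\x11\xe0 fake stub")
    return buf.getvalue()


if __name__ == "__main__":
    for u in ("https://klingai.com/download", "https://klingai-studio.com/app",
              "https://xn--lumalabs-example.ai/", "https://example.org/"):
        print(f"{u:40} -> {classify_url(u)}")
    for name, reasons in triage_zip(build_sample_zip()):
        print(repr(name), "->", "; ".join(reasons))
```

`classify_url` deliberately checks the whole host, not just the registrable domain, so a subdomain spoof such as `klingai.com.evil.net` is caught; the official check uses the registrable domain so legitimate subdomains still pass. `triage_zip` never extracts anything: it reads the central directory only, which is the point of inspecting a download before double-clicking it.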
What this really means is that Facebook's ad system is being hijacked to scale malware delivery. The hype around AI has become a perfect cover for cybercriminals. Awareness and caution are now your first line of defence.