The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website

MITRE Techniques

• [T1059] Command and Scripting Interpreter – Loader executed disguised binaries with obfuscated filenames (‘…files carry extensions like .mp4 or .jpg but are disguised Windows executables…’).
• [T1071] Application Layer Protocol – PureHVNC RAT communicated with C2 servers using encoded gzip-compressed configuration blobs containing IPs and campaign IDs (‘…configuration blob reveals C2 IP address, campaign ID…’).
• [T1105] Ingress Tool Transfer – The campaign staged payloads by downloading and unpacking ZIP archives containing malicious executables (‘…the generated result is a zip archive containing a single .exe file…’).
• [T1218] Signed Binary Proxy Execution – Loaders injected second stage into legitimate signed system processes like InstallUtil.exe to evade detection (‘…injects the 2nd stage into hardcoded legitimate system processes like InstallUtil.exe…’).
• [T1140] Deobfuscate/Decode Files or Information – Second stage payloads were obfuscated with .NET Reactor and required deobfuscation (‘…second stage is obfuscated with .NET Reactor…’).
• [T1057] Process Discovery – Loader detected running analysis/debugging processes to evade sandboxing and forensic analysis (‘…if any of these programs are found running in memory, the loader immediately exits…’).
• [T1547] Boot or Logon Autostart Execution – The loader established persistence using registry run keys and copied itself to %APPDATA% paths (‘…for persistence, the loader sets up a run key in the registry and copies the loader file…’).
• [T1113] Screen Capture – The ‘PluginWindowNotify’ plugin captured screenshots of targeted foreground windows with specific keywords (‘…plugin takes screenshots of foreground windows matching keywords…’).