
The rise of AI-generated video has opened new doors for creativity, content creation and marketing. It has also opened a backdoor for cybercriminals looking to exploit unsuspecting users. A recent investigation by Mandiant (part of Google Cloud) uncovered a widespread campaign by a threat cluster tracked as UNC6032, which has been spreading malware under the guise of popular AI video generation tools. The goal is to trick users into downloading malicious software by pretending to offer free access to well-known AI platforms.
This threat combines the buzz around AI with old-school cybercrime tactics such as phishing and malware. What is most concerning is how convincingly the fake platforms imitate real ones; they are even advertised on trusted social media platforms like Facebook and LinkedIn. The result is a dangerous mix of a hot technology and well-executed social engineering.
📝 Digest of the Original Report
Mandiant, part of Google Cloud, has raised a red flag over a surge of malicious activity tied to fake AI video generation tools. Cybercriminal group UNC6032 is at the center of a campaign that’s using phishing websites and malware-infected downloads to exploit the growing popularity of AI video tech.
The hackers created fake platforms impersonating legitimate services like Luma AI, Canva Dream Lab and Kling AI. These bogus tools promise high-quality AI video generation, drawing in users who are curious or excited about the latest in generative AI.
Victims who take the bait end up downloading malware, including infostealers and backdoors. This software harvests sensitive data such as login credentials, browser cookies, credit card details and Facebook session data. Victims span many industries and geographic regions, which shows the campaign is large-scale and opportunistic rather than narrowly targeted.
According to Mandiant’s research team, UNC6032’s ads have reached millions of users on platforms like Facebook and LinkedIn. Researchers believe similar efforts are likely ongoing on other platforms as well.
The social engineering is aimed at a broad, relatively inexperienced user base: content creators, freelancers and small businesses that are keen to use AI tools for productivity or marketing but may have little security awareness.
Cybersecurity firm Morphisec supported Mandiant’s findings and emphasized how AI tools have lowered the technical barrier to media creation, inviting less experienced users to the scene. Unfortunately, this also makes them easy targets for hackers.
Morphisec researcher Shmuel Uzan noted that this campaign differs from older attacks that disguised malware as game hacks or pirated software. Instead, it capitalizes on trust in emerging AI technologies and the promise of productivity enhancement.
Meta, the parent company of Facebook, was already investigating UNC6032's activities and worked with Mandiant to identify more than 30 fake websites promoted through thousands of ads. Most of those ads ran from attacker-created Facebook pages or from hijacked accounts of legitimate users.
Whatever users type into these fake AI platforms makes no difference: the prompt is ignored and the same fixed malware payload is served as the download. Google Cloud noted that the group has ties to Vietnam, though no government involvement has been established.
These insights help security professionals better understand how threat actors adapt to tech trends, using what’s popular to gain a foothold in victims’ systems.
🔍 What Undercode Says:
The UNC6032 campaign is a textbook example of cybercriminals weaponizing hype. The massive growth in interest surrounding AI video generation tools has created fertile ground for exploitation. When any new technology captures the public imagination, scammers follow close behind — this time, they’re leveraging the allure of cutting-edge AI tools.
What makes this threat particularly dangerous is its use of psychological manipulation. The campaign doesn’t just rely on shady download sites or poorly written phishing emails. Instead, it uses polished social media ads, realistic websites, and brand impersonation that builds a false sense of legitimacy.
These attackers are targeting creators, small businesses and influencers — groups that are eager to explore AI but may not have robust cybersecurity practices. By offering free access to tools that are otherwise either paid or invite-only, the hackers dangle an irresistible bait.
And it’s working. The malware isn’t just invasive; it’s designed to siphon off the most valuable personal data. By stealing cookies, saved passwords, financial data and social media access, the attackers open the door to secondary exploits like identity theft, account takeovers and financial fraud.
This campaign reflects a broader trend in cybersecurity: the blending of social engineering with advanced malware. While phishing isn’t new, wrapping it inside the promise of futuristic tech gives it a compelling new edge. The success of this attack isn’t just technical — it’s psychological.
It also reveals the vulnerabilities of ad ecosystems on platforms like Facebook and LinkedIn. That these ads could be widely distributed without detection for so long highlights a serious gap in ad verification processes, especially when attackers use hijacked accounts or obscure domains.
Furthermore, the suggestion that the campaign may have a Vietnamese origin, while not necessarily tied to state action, raises concerns about regional clusters of cybercrime operating with increasing sophistication. The term “UNC” (uncategorized) used by Mandiant shows how hard it can be to attribute and define evolving threat actors.
For organizations and individuals exploring AI tools, the lesson is clear: verify the source before you run anything. Download software only from the vendor's official website, reached by typing the address or following a link from the vendor's verified channels, not from an ad. Be wary of tools that sound too good to be true, especially those promoted via social media ads or shared in private groups. And check what you actually received: a browser-based video generator should hand back a media file, so a download that turns out to be an executable, a script, or an archive containing one is a strong sign you are looking at a malware drop rather than a rendered video.
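A concrete version of that last check, written for this page as an added example and not taken from the Mandiant/Google Cloud report or from any of the tools named above. It assumes that a legitimate web-based video generator returns a media file (MP4, WebM, GIF, etc.) and that a malicious drop arrives as an executable, a script, or a ZIP archive containing one; the magic-byte table is an illustrative subset, and all sample downloads are constructed inline rather than real campaign artifacts.

```python
"""Sanity-check a file handed out by a "free AI video" site.

Added example. Assumption: a browser-based video generator should return
a media file, so an executable, a script, or an archive that contains one
is a probable malware drop regardless of what the file name claims.
"""
import io
import os
import zipfile

# Leading bytes for common formats (illustrative subset, assumed).
_MAGIC = [
    (b"MZ", "pe"),                    # Windows EXE/DLL/SCR
    (b"\x7fELF", "elf"),              # Linux executable
    (b"PK\x03\x04", "zip"),           # ZIP archive
    (b"\x1a\x45\xdf\xa3", "webm"),    # Matroska/WebM
    (b"GIF8", "gif"),
    (b"\x89PNG", "png"),
]

_EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".ps1", ".msi", ".lnk", ".dll", ".hta", ".pif"}
_MEDIA_EXT = {".mp4", ".mov", ".webm", ".gif", ".png", ".jpg", ".jpeg",
              ".mkv", ".avi"}


def sniff(data: bytes) -> str:
    """Return a coarse content type derived from the leading bytes."""
    if len(data) >= 12 and data[4:8] == b"ftyp":  # ISO BMFF: MP4 / MOV
        return "mp4"
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_contains_executable(data: bytes) -> list[str]:
    """List ZIP members whose extension is an executable or script type."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if os.path.splitext(member)[1].lower() in _EXECUTABLE_EXT:
                hits.append(member)
    return hits


def assess_download(filename: str, data: bytes) -> dict:
    """Flag a download whose name, content and expected type disagree."""
    reasons = []
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # "video.mp4.exe": a media-looking name with an executable extension.
    if len(parts) > 2 and "." + parts[-2] in _MEDIA_EXT and ext in _EXECUTABLE_EXT:
        reasons.append(f"double extension: looks like media but ends in {ext}")
    kind = sniff(data)
    if ext in _MEDIA_EXT and kind in ("pe", "elf", "zip"):
        reasons.append(f"name says media ({ext}) but content is {kind}")
    if ext in _EXECUTABLE_EXT or kind in ("pe", "elf"):
        reasons.append("download is an executable; a web video generator "
                       "should return a media file")
    if kind == "zip":
        execs = zip_contains_executable(data)
        if execs:
            reasons.append("archive contains executable(s): " + ", ".join(execs))
    return {"name": base, "content": kind,
            "suspicious": bool(reasons), "reasons": reasons}


def build_samples() -> dict[str, bytes]:
    """Constructed sample downloads (not real artifacts from the campaign)."""
    mp4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # PE header stub, assumed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Generated_Video.mp4.exe", fake_exe)
    return {
        "clean.mp4": mp4,                       # genuine media file
        "lookalike.mp4": fake_exe,              # executable renamed to .mp4
        "Video Generated.zip": buf.getvalue(),  # archive wrapping an executable
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        result = assess_download(name, blob)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {verdict} {result['reasons']}")
```

The check deliberately trusts the bytes over the file name: a renamed executable keeps its `MZ` header, and a ZIP wrapper does not change what is inside it. It is a triage aid for a helpdesk or a download gateway, not a substitute for an AV verdict or sandbox detonation.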
Finally, this underscores a key point in cybersecurity — the human element remains the weakest link. The more “human” the scam appears, the more likely it is to succeed. As AI tools become more realistic and more accessible, expect future scams to become even harder to spot.
✅ Fact Checker Results:
The campaign is real and was documented by Mandiant, part of Google Cloud.
Malware was delivered through fake AI platforms impersonating real tools such as Luma AI, Canva Dream Lab and Kling AI.
Ads reached millions of users on major platforms including Facebook and LinkedIn.
🔮 Prediction:
As AI-generated video tools continue to grow in popularity, we can expect similar scams to evolve, with attackers becoming even more convincing. Future malware campaigns will likely use even more advanced forms of social engineering, possibly integrating deepfake technology or real-time interaction to trick users. Cybercriminals will increasingly target content creators and freelancers — the fastest-growing group of AI users — making robust digital hygiene and awareness essential in the AI age.
References:
Reported By: cyberscoop.com