Fake Kling AI Ads on Facebook Spread Malware Through Bogus Websites

How the ruse starts on social media

Early this year, Facebook and Instagram users began seeing what looked like perfectly normal sponsored posts for Kling AI, an image-and-video generator launched by Beijing-based Kuaishou Technology in June 2024. The service has drawn more than 22 million users as of April 2025, so seeing a few ads in their feeds did not seem out of place. Yet many of those promotions were anything but legitimate. Investigators at Check Point say at least 70 different paid posts funneled people to counterfeit Kling AI pages that copied the company’s logo, color scheme and marketing tone almost to the pixel.

Clicking an ad brought visitors to web addresses such as klingaimedia[.]com or klingaistudio[.]com. Each site promised the same enticing service: “Create stunning AI images and videos right in your browser—no download required.” In reality, no media would ever be produced. The sites asked newcomers to start a project and then offered a download link, claiming the file contained their freshly generated artwork. The promised picture or clip was actually a Windows program disguised with a misleading double extension and hidden filler characters, so that at a glance a file named something like holiday_photo.jpg.exe would pass for a picture.
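The filename tricks mentioned above (double extension, invisible or direction-changing characters, padding that pushes the real extension out of view) are easy to flag before a user ever double-clicks. The following is an added defender-side example, not code from Check Point or from the campaign; the archive and its member names are constructed for illustration.

```python
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "hta"}
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "mp4", "mov", "webm"}
# Invisible or direction-changing characters used to hide the real extension.
HIDDEN_CHARS = {
    "\u202e": "right-to-left override",
    "\u200b": "zero-width space",
    "\u200c": "zero-width non-joiner",
    "\ufeff": "zero-width no-break space",
    "\u3164": "Hangul filler (renders as blank)",
}

def filename_findings(name):
    """Return the reasons a filename looks deceptive; an empty list means none found."""
    findings = [label for ch, label in HIDDEN_CHARS.items() if ch in name]
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    ext = parts[-1].strip()
    if ext in EXECUTABLE_EXTS and len(parts) >= 2:
        # "photo.jpg.exe": the visible media extension is not the real one.
        if len(parts) >= 3 or parts[-2].strip() in MEDIA_EXTS:
            findings.append("double extension ending in ." + ext)
        # "photo.jpg        .exe": spaces push the real extension out of view.
        if parts[-2] != parts[-2].rstrip():
            findings.append("whitespace padding before ." + ext)
    return findings

def scan_zip(data):
    """Map each suspicious member name of an in-memory ZIP to its findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {n: hits for n in names if (hits := filename_findings(n))}

def build_sample_zip():
    """Constructed archive mimicking the lure: no real artwork, just disguised EXEs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real_picture.jpg", b"\xff\xd8\xff")            # harmless stub
        zf.writestr("holiday_photo.jpg.exe", b"MZ")                # double extension
        zf.writestr("holiday_photo.jpg" + " " * 8 + ".exe", b"MZ")  # padded extension
        zf.writestr("photo\u202egpj.exe", b"MZ")                   # displays as photoexe.jpg
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", ", ".join(hits))
```

The same check can run on mail-gateway attachments or download folders; the point is that the verdict comes from the real final extension, not the one a file explorer happens to show.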

A closer look at the malware chain

The file arrived inside a ZIP archive. The moment an unsuspecting user ran it, the program quietly loaded a second piece of code—a remote-access trojan (RAT) known as PureHVNC—while also dropping a data-stealing tool. Before doing so, the loader checked whether tools such as Wireshark, Process Monitor or OllyDbg were running, an attempt to dodge security researchers who might be watching in a virtual lab. It also altered the Windows Registry so the malware would relaunch every time the computer rebooted.

To hide from antivirus engines, the loader injected its follow-up payload into trusted Microsoft binaries like “CasPol.exe” or “InstallUtil.exe.” Those files are part of the .NET Framework and generally allowed to run without restrictions, giving the intruder a free pass. The embedded PureHVNC backdoor, protected with the commercial obfuscator .NET Reactor, then reached out to a command-and-control server at 185.149.232[.]197. Once connected, the attackers could take over the machine, browse the file system, or siphon off anything they found interesting.
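The chain described in the two paragraphs above (a downloaded executable that sets reboot persistence, hands its payload to CasPol.exe or InstallUtil.exe, and has that trusted binary call out to the C2 address) leaves a recognisable trail in endpoint telemetry. The following is an added detection example, not Check Point's code; the event records are constructed and use Sysmon-style field names, which is an assumption about the log source.

```python
import json
import re

DOTNET_HOSTS = {"caspol.exe", "installutil.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
KNOWN_C2 = {"185.149.232.197"}  # C2 address Check Point attributed to this campaign

def check_event(ev):
    """Return alert strings for one Sysmon-style event dict (empty if nothing matched)."""
    alerts = []
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    kind = ev.get("EventType")
    if kind == "ProcessCreate" and image in DOTNET_HOSTS:
        # A .NET utility launched by something in Downloads/AppData/Temp: injection host.
        if USER_WRITABLE.search(ev.get("ParentImage", "")):
            alerts.append(f"{image} spawned by {ev['ParentImage']}")
    elif kind == "NetworkConnect" and image in DOTNET_HOSTS:
        # CasPol/InstallUtil have no legitimate reason to talk to the internet.
        dst = ev.get("DestinationIp", "")
        label = "known C2" if dst in KNOWN_C2 else "unexpected host"
        alerts.append(f"{image} connected to {label} {dst}")
    elif kind == "RegistryValueSet" and RUN_KEY.search(ev.get("TargetObject", "")):
        # Reboot persistence pointing back at a user-writable path.
        if USER_WRITABLE.search(ev.get("Details", "")):
            alerts.append("Run key persistence: " + ev["Details"])
    return alerts

def scan(jsonl):
    """Run check_event over newline-delimited JSON events; return all alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(check_event(json.loads(line)))
    return alerts

# Constructed sample telemetry following the chain in the article (not real logs).
SAMPLE_EVENTS = r"""
{"EventType":"ProcessCreate","Image":"C:\\Users\\bob\\Downloads\\holiday_photo.jpg.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventType":"RegistryValueSet","Image":"C:\\Users\\bob\\Downloads\\holiday_photo.jpg.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\bob\\AppData\\Roaming\\updater.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe","ParentImage":"C:\\Users\\bob\\Downloads\\holiday_photo.jpg.exe"}
{"EventType":"NetworkConnect","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe","DestinationIp":"185.149.232.197","DestinationPort":443}
{"EventType":"NetworkConnect","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"1.1.1.1","DestinationPort":443}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The first two rules are behavioural and keep working after the operators change C2 servers; the IP match is only a bonus for the address already published.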

What the crooks are after

The operation’s main goal appears to be credential theft. PureHVNC is built to comb through Chromium-based browsers, hunting for saved passwords, cookies and tokens that keep people logged in to sites. It pays special attention to crypto-currency wallet extensions. If the victim opens a banking portal or wallet service, the malware grabs a screenshot so the intruders can see balances or transaction details in real time. With full remote-desktop access, the attackers can also plant additional malware or use the computer in other crimes.

Check Point’s analysts note that the whole setup follows a plug-in model. Different modules handle screenshot capture, browser harvesting and wallet scraping, letting the criminals switch tactics without rewriting the core code. This flexibility makes the threat hard to predict and easy to update.

Signs point toward Vietnam

Researchers have not pinned down a specific hacking crew, but several clues hint at a Vietnamese connection. Snippets of Vietnamese text were buried in the websites’ source code and appeared in some advertisement templates. Moreover, Facebook malvertising campaigns tied to stealer-style malware have frequently originated from Vietnam over the past two years. In one recent case, security firm Morphisec linked a separate fake-AI scam—this one branded as “Noodlophile”—to actors speaking the same language.

Part of a bigger social-media scam wave

The Kling AI hoax is only one piece of a widening puzzle. A Wall Street Journal investigation this spring called the situation an “epidemic of scams” on Meta platforms, with fraud rings running romance swindles, bogus bargains and counterfeit giveaways from countries including China, Sri Lanka, Vietnam and the Philippines. Meanwhile, nonprofit outlet Rest of World reported that deceptive job ads on Telegram and Facebook are luring young Indonesians into human-trafficking rings tied to Southeast Asian scam compounds, where victims are forced to run investment cons.

Why everyday users should care

Generative-AI brands are popping up faster than most of us can track, and that hype makes them perfect bait. A polished logo and a blue “Sponsored” tag can trick even cautious users into lowering their guard. If you stumble on an ad for the next hot AI tool, double-check the URL, look for the official verification badge on its social accounts, and be skeptical of any site that suddenly asks you to download an executable file—especially one claiming to be an image or video.

Meta says it removes malicious ads once they are reported, but the volume means some inevitably slip through. Until social platforms tighten their screening, the safest move is to visit the genuine Kling AI site—or any other legitimate service—by typing the address yourself rather than trusting the first shiny button in your feed.

At a glance, the Kling AI impostor scheme may seem like just another phishing ploy, yet it shows how quickly cybercriminals innovate. By blending slick marketing with sophisticated malware loaders and remote-access tools, they can pivot from brand to brand, trend to trend, catching people who simply wanted to try a cool new app. Staying safe now means treating every ad, deal and download with a little healthy doubt.