Cybersecurity researchers have uncovered a malvertising campaign impersonating Kling AI, a popular AI-powered image and video generation tool, to spread stealthy malware through spoofed websites and fake Facebook ads.
According to Checkpoint researcher Jaromír Hořejší, users are being lured to counterfeit websites mimicking Kling AI, where they are promised access to AI-generated content. Once on the site, users are offered fake image or video downloads disguised with common extensions like .mp4 or .jpg.
Behind the scenes, however, these files are Windows executables in disguise, using double extensions and Hangul Filler characters to obscure their real nature. When victims open what they believe to be generated content, they instead trigger a malware loader, exposing their systems to credential theft and surveillance.
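The double-extension trick described above relies on invisible padding so that a file dialog shows only the media extension while Windows honours the trailing .exe. The following is an added example written for this article, not code from Check Point's report or from the campaign: it strips Hangul Filler and similar invisible characters from a filename, compares the extension the user sees with the one the operating system will act on, and returns a verdict a triage script or mail gateway could log. The lists of filler characters beyond U+3164, the executable and media extension sets, and the sample filenames are all assumptions constructed for the example.

```python
import unicodedata
from dataclasses import dataclass

# Hangul Filler (U+3164) is the padding character named in the Check Point
# write-up. The other entries are assumptions added here: invisible or
# zero-width characters that serve the same purpose in a file dialog.
FILLER_CHARS = {
    "\u3164",  # HANGUL FILLER
    "\uffa0",  # HALFWIDTH HANGUL FILLER
    "\u115f",  # HANGUL CHOSEONG FILLER
    "\u1160",  # HANGUL JUNGSEONG FILLER
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}

# Extensions Windows will execute directly, and media extensions a lure
# would show first. Both sets are assumptions; extend them for your estate.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "js", "vbs"}
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "mp4", "mov", "avi", "webm"}


def is_filler(ch: str) -> bool:
    # Hangul Filler is Unicode category "Lo" (a letter), so a check on the
    # "Cf" format category alone would miss it; combine the explicit set
    # with the generic format-character category.
    return ch in FILLER_CHARS or unicodedata.category(ch) == "Cf"


@dataclass
class Finding:
    filename: str
    apparent_ext: str   # extension the user sees before the padding
    real_ext: str       # extension the OS actually honours
    filler_count: int
    verdict: str


def analyze_filename(name: str) -> Finding:
    """Strip invisible padding, then compare the visible and real extensions."""
    filler_count = sum(1 for ch in name if is_filler(ch))
    cleaned = "".join(ch for ch in name if not is_filler(ch)).strip()
    parts = cleaned.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    apparent_ext = parts[-2] if len(parts) > 2 else ""

    if real_ext in EXECUTABLE_EXTS and apparent_ext in MEDIA_EXTS:
        verdict = "disguised-executable"
    elif real_ext in EXECUTABLE_EXTS and filler_count:
        verdict = "padded-executable"
    elif filler_count:
        verdict = "suspicious-padding"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "benign"
    return Finding(name, apparent_ext, real_ext, filler_count, verdict)


def scan(filenames) -> list:
    """Return only the findings worth an analyst's attention."""
    return [f for f in (analyze_filename(n) for n in filenames) if f.verdict != "benign"]


# Constructed sample names (not real campaign artefacts). The second entry
# mimics the described trick: a media extension, a run of Hangul Filler,
# then the real .exe extension pushed out of view.
SAMPLE_FILENAMES = [
    "Generated_Video_2025.mp4",
    "Generated_Image_2025.jpg" + "\u3164" * 40 + ".exe",
    "clip.mp4.exe",
    "report.pdf",
    "notes\u200b.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FILENAMES):
        print(f"{f.verdict:22} fillers={f.filler_count:3} "
              f"visible=.{f.apparent_ext or '-'} real=.{f.real_ext} {f.filename!r}")
```

Run against a download directory or an attachment listing, the padded .jpg lure is reported as a disguised executable with the filler count, the plain `clip.mp4.exe` is caught by the extension comparison alone, and a single zero-width character in an otherwise harmless name is surfaced as suspicious padding rather than silently ignored.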
The loader is especially evasive. Checkpoint reports that it uses .NET Native AOT (Ahead-of-Time) Compilation to complicate detection and frustrate analysis. Once activated, the malware stages additional payloads, most notably infostealers designed to exfiltrate browser credentials, session cookies, and other sensitive data.
Fake Kling AI Domains Fuel Evolving Threat
The Kling AI malvertising campaign has been active since early 2025 and continues to evolve. Checkpoint has identified a range of malicious domains posing as Kling AI, including:
klingxai[.]com
kingaitext[.]com
klingx[.]ai
While many of the domains were taken down by the time of the investigation, some were still live and demonstrated similar malware delivery tactics, suggesting a sustained, coordinated effort.
This is not an isolated case. In a similar attack reported by Morphisec, threat actors promoted fraudulent “AI platforms” through Facebook ads, tricking users into downloading Noodlophile Stealer, a malware variant targeting browser-stored data.
As AI platforms like Kling AI become more popular, attackers are increasingly exploiting this trust to stage malvertising operations that blend social engineering with technical obfuscation. These campaigns typically rely on sponsored search results, cloned websites, and fake social media pages to build credibility and lure users into interacting with malicious content.
Checkpoint’s findings are a strong reminder that users should avoid downloading media or software from unknown sources, and businesses must enforce stricter controls on ad content and domain impersonation.