Pulse: Vietnam-Nexus Hackers Distribute Malware Via Fake AI Video Generators
TLP: WHITE | Adversary: UNC6032 | Author: AlienVault | Created: 2025-05-28 | Modified: 2025-05-28
IOCs: 1 (low volume)
A hacking group with alleged ties to Vietnam has been exploiting social media ads promoting AI video generators to distribute malware since mid-2024. The campaign, discovered by Mandiant, uses fake websites mimicking legitimate AI tools to deploy payloads including Python-based infostealers and backdoors. The group, tracked as UNC6032, has reached millions of users through Facebook and LinkedIn ads, primarily targeting EU countries and the US. The malware distributed includes STARKVEIL, XWORM, FROSTRIFT, and GRIMPULL, designed for information theft and capable of downloading additional plugins. The attackers employ a multi-payload mechanism for resilience against detection. Users are advised to exercise caution when engaging with AI tools and verify website legitimacy.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: STARKVEIL, XWORM, FROSTRIFT, GRIMPULL, Noodlophile Stealer
Indicators of Compromise (1)
Type   | Indicator    | Description | Created
domain | klingxai.com |             | 2025-05-28