{ "type": "Domain", "indicator": "klingaimedia.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/klingaimedia.com", "alexa": "http://www.alexa.com/siteinfo/klingaimedia.com", "indicator": "klingaimedia.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4069700415, "indicator": "klingaimedia.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "682df35527d2f2da03f6cf30", "name": "The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "description": "A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious files disguised as AI-generated media, which are actually executable loaders. These loaders employ advanced evasion techniques, including .NET Native AOT compilation, and deploy infostealers with extensive monitoring capabilities. The campaign has a global reach, particularly targeting users in Asia, and exploits the growing popularity of AI content generation platforms. The malware focuses on stealing credentials, session tokens, and monitoring crypto-related activities across multiple browsers and applications.", "modified": "2025-06-20T15:00:51.480000", "created": "2025-05-21T15:37:57.419000", "tags": [ "purehvnc", "infostealer", "crypto theft", "malvertising", "facebook ads" ], "references": [ "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureHVNC", "display_name": "PureHVNC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 24, "domain": 13, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386579, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68341699c4f86414627e2274", "name": "The Sting of Fake Kling: Malvertising Campaign Exploits AI Enthusiasts", "description": "This OTX pulse highlights a sophisticated malvertising campaign uncovered by Check Point Research, where threat actors impersonated the legitimate AI platform Kling AI to distribute malware. Leveraging counterfeit Facebook pages and paid advertisements, users were lured to a fake Kling AI website. Upon interacting with the site, users received files disguised as media outputs, which were actually Windows executables employing Hangul Filler characters to obfuscate their true nature. These executables utilized .NET Native AOT compilation to evade detection and, once executed, installed infostealers capable of exfiltrating browser-stored credentials and session tokens. The campaign has a global reach, with a significant number of victims reported in Asia.", "modified": "2025-06-25T07:01:11.856000", "created": "2025-05-26T07:22:01.208000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 24, "domain": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ede809fe205240a4028b0", "name": "The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "description": "In early 2025, Check Point Research (cp) started tracking a threat campaign that abuses the growing popularity of AI content generation platforms by impersonating Kling AI, a legitimate AI-powered image and video synthesis tool. Promoted through Facebook advertisements, the campaign directs users to a convincing spoof of Kling AI\u2019s website, where visitors are invited to create AI-generated images or videos directly in the browser.", "modified": "2025-06-21T08:00:15.130000", "created": "2025-05-22T08:21:20.697000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 2, "URL": 5, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 24 }, "indicator_count": 68, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ed86cee67010b2473161e", "name": "IOC - The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "description": "", "modified": "2025-06-20T15:00:51.480000", "created": "2025-05-22T07:55:24.051000", "tags": [ "purehvnc", "infostealer", "crypto theft", "malvertising", "facebook ads" ], "references": [ "", "https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureHVNC", "display_name": "PureHVNC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "682df35527d2f2da03f6cf30", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 24, "domain": 13, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682d803099b70c543c0ab8e5", "name": "Impersonated Kling AI Site Installs Malware: A New Cyber Threat", "description": "This report reveals how cybercriminals are using a fake Kling AI site to distribute malware. It details the tactics employed to lure victims into downloading malicious software, the types of malware involved, and the impact on affected systems.", "modified": "2025-06-20T07:01:29.094000", "created": "2025-05-21T07:26:40.436000", "tags": [ "kling ai", "data", "purehvnc", "banco", "hangul filler", "metamask", "wallet", "facebook", "check point", "fake facebook", "code", "june", "stealer", "test", "phantom", "keeper", "dragon", "amigo", "atom", "evolution" ], "references": [ "https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 24, "URL": 2, "domain": 13, "hostname": 2 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/", "https://labs.inquest.net/iocdb" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Purehvnc" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Purehvnc" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "682df35527d2f2da03f6cf30", "name": "The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "description": "A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious files disguised as AI-generated media, which are actually executable loaders. These loaders employ advanced evasion techniques, including .NET Native AOT compilation, and deploy infostealers with extensive monitoring capabilities. The campaign has a global reach, particularly targeting users in Asia, and exploits the growing popularity of AI content generation platforms. The malware focuses on stealing credentials, session tokens, and monitoring crypto-related activities across multiple browsers and applications.", "modified": "2025-06-20T15:00:51.480000", "created": "2025-05-21T15:37:57.419000", "tags": [ "purehvnc", "infostealer", "crypto theft", "malvertising", "facebook ads" ], "references": [ "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureHVNC", "display_name": "PureHVNC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 24, "domain": 13, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386579, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68341699c4f86414627e2274", "name": "The Sting of Fake Kling: Malvertising Campaign Exploits AI Enthusiasts", "description": "This OTX pulse highlights a sophisticated malvertising campaign uncovered by Check Point Research, where threat actors impersonated the legitimate AI platform Kling AI to distribute malware. Leveraging counterfeit Facebook pages and paid advertisements, users were lured to a fake Kling AI website. Upon interacting with the site, users received files disguised as media outputs, which were actually Windows executables employing Hangul Filler characters to obfuscate their true nature. These executables utilized .NET Native AOT compilation to evade detection and, once executed, installed infostealers capable of exfiltrating browser-stored credentials and session tokens. The campaign has a global reach, with a significant number of victims reported in Asia.", "modified": "2025-06-25T07:01:11.856000", "created": "2025-05-26T07:22:01.208000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 24, "domain": 6 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ede809fe205240a4028b0", "name": "The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "description": "In early 2025, Check Point Research (cp) started tracking a threat campaign that abuses the growing popularity of AI content generation platforms by impersonating Kling AI, a legitimate AI-powered image and video synthesis tool. Promoted through Facebook advertisements, the campaign directs users to a convincing spoof of Kling AI\u2019s website, where visitors are invited to create AI-generated images or videos directly in the browser.", "modified": "2025-06-21T08:00:15.130000", "created": "2025-05-22T08:21:20.697000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 2, "URL": 5, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 24 }, "indicator_count": 68, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ed86cee67010b2473161e", "name": "IOC - The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website", "description": "", "modified": "2025-06-20T15:00:51.480000", "created": "2025-05-22T07:55:24.051000", "tags": [ "purehvnc", "infostealer", "crypto theft", "malvertising", "facebook ads" ], "references": [ "", "https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureHVNC", "display_name": "PureHVNC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "682df35527d2f2da03f6cf30", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 24, "domain": 13, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682d803099b70c543c0ab8e5", "name": "Impersonated Kling AI Site Installs Malware: A New Cyber Threat", "description": "This report reveals how cybercriminals are using a fake Kling AI site to distribute malware. It details the tactics employed to lure victims into downloading malicious software, the types of malware involved, and the impact on affected systems.", "modified": "2025-06-20T07:01:29.094000", "created": "2025-05-21T07:26:40.436000", "tags": [ "kling ai", "data", "purehvnc", "banco", "hangul filler", "metamask", "wallet", "facebook", "check point", "fake facebook", "code", "june", "stealer", "test", "phantom", "keeper", "dragon", "amigo", "atom", "evolution" ], "references": [ "https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 24, "URL": 2, "domain": 13, "hostname": 2 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "klingaimedia.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "klingaimedia.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780265407.2008579 }