Published June 2, 2025 10:00am EDT close 'CyberGuy' warns of cyberscams costing Americans billions a year Tech expert Kurt Knutsson joins "Fox & Friends" to warn of new cyberscams and give tips on how to avoid them. NEWYou can now listen to Fox News articles! Given the number of phishing scams we have all faced over the past decade, most of us have developed a basic skill to spot and avoid obvious phishing emails or SMS messages. Cybercriminals are aware of this, and they have evolved their tactics by shifting to more complex and convincing schemes designed to bypass skepticism and lure victims.Their goal remains the same: to trick you into handing over sensitive information, especially credit card data. One of the latest examples is the rise in subscription scam campaigns. Scammers are creating incredibly convincing websites selling everything from shoes and clothes to electronics, tricking people into signing up for monthly subscriptions and willingly providing their credit card information. Facebook is being used as the primary platform to promote these new and sophisticated scams. A woman shopping online (Kurt "CyberGuy" Knutsson)What you need to knowBitdefender researchers have uncovered a massive and highly coordinated subscription scam campaign involving more than 200 active websites designed to look like real online stores. These sites, often promoted through Facebook ads, sell everything from clothes and electronics to beauty products, but the real goal is to trick users into signing up for recurring payments, often without realizing it.One of the most common lures is the "mystery box" scam, where you are promised a surprise package at a bargain price. These offers are made to look fun and harmless, but behind the scenes you are giving away personal and credit card information while unknowingly agreeing to hidden subscription terms, often written in tiny fine print.The scam doesn’t stop there. Once you’re convinced and reach the checkout page, scammers often layer in a second scam, like loyalty cards or VIP memberships that further lock you into payments. It’s all designed to confuse you, overwhelm you with supposed perks and make the scam feel like a good deal.Researchers found that many of these websites share a single Cyprus address, possibly tied to offshore entities linked to the Paradise Papers. Despite being spread across different categories and brand names, the sites often use the same layouts, AI agents and payment structures, all pointing to a centralized fraud network.Scammers frequently rotate the brands they impersonate and have started moving beyond mystery boxes, now peddling low-quality products, counterfeit goods, fake investment schemes, dubious supplements and more. To avoid automatic detection, they employ several tactics. These include running multiple versions of an ad, with only one of which is actually malicious while the others display harmless product images, uploading ad images from platforms like Google Drive so they can be swapped out later and cropping visuals to alter recognizable patterns. Listing fake products (Bitdefender) (Kurt "CyberGuy" Knutsson)The scam is expandingWhat started with simple "mystery box" scams has grown into a sprawling, coordinated campaign. These scams now feature fake surveys, tiered "VIP" memberships and deceptive credit systems that make the purchase process intentionally confusing. Users are promised deep discounts or access to exclusive deals, but in reality they’re just being locked into recurring payments.Many of the scam websites trace back to the same physical address in Cyprus, pointing to what appears to be a centralized operation. Researchers also found links to entities mentioned in the Paradise Papers, suggesting these fraudsters are hiding behind offshore infrastructure.And it’s not just mystery boxes anymore. The same scam format is being used to sell low-quality goods, fake supplements and even bogus investment opportunities. With high-quality site design, aggressive advertising and increasingly sophisticated tactics, subscription scams are becoming the new face of online fraud. A person shopping online (Kurt "CyberGuy" Knutsson)10 proactive measures to take to protect your dataEven as scammers become more sophisticated, there are practical steps you can take right now to protect your personal and financial information from subscription fraud and other online threats. Here are ten proactive measures to help keep your data safe:1) Always read the fine print: One of the simplest yet most effective ways to protect yourself from subscription scams is to slow down and read the fine print, especially on checkout pages. Scammers often hide recurring payment terms in small or lightly colored text that’s easy to miss. What seems like a one-time purchase could actually sign you up for a biweekly or monthly charge. Taking just a moment to scan for hidden terms before hitting "Pay" can help you avoid weeks of silent billing.2) Avoid mystery box or VIP-style deals: These offers often prey on curiosity and the promise of surprise or luxury for a low fee. In reality, the "mystery" is the trap: you might receive nothing or a low-quality item while being unknowingly enrolled in a recurring subscription. Scammers use the illusion of exclusivity or urgency to pressure quick decisions.3) Don’t trust ads blindly on social media: Facebook, Instagram and other platforms are a hotbed for these scams, with criminals running paid ads that mimic well-known brands or influencers. These ads often link to professional-looking but fake storefronts. If you’re interested in a deal you see online, don’t click through immediately. Instead, look up the brand or offer in a separate tab and check if it exists outside social media.4) Investigate before you buy: Before purchasing from any unfamiliar site, take a few quick steps to verify its legitimacy. Search the brand's name alongside words like "scam" or "reviews" to see what others have experienced. Look up the company's physical address and check if it actually exists using tools like Google Maps. Make sure the website uses HTTPS, review the site's contact information and cross-check reviews on trusted third-party sites like the Better Business Bureau or Consumer Reports.5) Use strong antivirus software: Adding a strong antivirus program to your devices can provide an extra layer of defense against fraudulent websites and phishing attempts. Strong antivirus software warns you about suspicious links, blocks malicious ads and scans downloads for malware. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.6) Invest in personal data removal services: Scammers often rely on leaked or publicly available personal information to target victims with convincing subscription scams. Investing in a personal data removal service can help minimize your digital footprint by removing your information from data broker databases and reducing the chances of being targeted in future campaigns. Regularly monitoring and cleaning up your online presence makes it harder for fraudsters to exploit your data for financial gain. Check out my top picks for data removal services here.Get a free scan to find out if your personal information is already out on the web.7) Be cautious with payment methods: Use secure payment options like credit cards, which often offer better fraud protection than wire transfers, gift cards or cryptocurrency.8) Limit personal information shared on social media: Scammers often gather details from public profiles to craft convincing scams. Review your privacy settings and only share necessary information.9) Use strong, unique passwords and enable multifactor authentication: Create strong, unique passwords for each of your online accounts, especially those tied to your finances or shopping. Enable multifactor authentication wherever possible, as this adds an extra layer of security and makes it harder for scammers to access your accounts, even if your password is compromised. Also, consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here.10) Keep your devices and software updated: Regularly update your operating system, browsers and apps. Security updates often patch vulnerabilities that scammers exploit to gain access to your information or install malicious software.Kurt’s key takeawayWhile the rise of subscription scams and deceptive ads is concerning, it’s especially troubling that platforms like Facebook continue to allow these fraudulent ads to run unchecked. Facebook has repeatedly failed to adequately vet or prevent these malicious campaigns from reaching vulnerable individuals. The platform’s ad approval system should be more proactive in spotting and blocking ads promoting scams, particularly those that impersonate well-known brands or content creators. How do you feel about Facebook’s role in allowing scam ads to circulate? Let us know by writing us atCyberguy.com/Contact.For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.Follow Kurt on his social channels:Answers to the most-asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com. All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Nike is heading back to Amazon. The sneaker company will soon begin selling products directly through the platform, according to reporting by The Information. This hasn't happened since 2019, when Nike left Amazon to move toward a "more direct, personal" retail experience. That's not the only reason Nike abandoned the online retail giant after just two years on the platform. The shoe manufacturer partly blamed the decision on Amazon's inability to curb counterfeit goods and unlicensed sellers. Nike's direct-to-consumer pivot was working well, for a while. Sales spiked during the pandemic, as did all online shopping, but has gone downhill in the years since. CEO Elliott Hill, who started in October, has prioritized building back Nike's wholesale business. Nike products have been available on Amazon throughout these past six years, but in a roundabout way. Third-party sellers were allowed to hawk its wares, though Amazon is putting the kibosh on that. The Information reports that these merchants have been told that they have until July 19 to stop selling certain Nike items. So Nike shoes will soon be easier to buy online. That's the good news. The bad news is that they are likely to be more expensive. CNBC has reported that the company plans on raising prices on all of its products, which goes into effect on June 1. 🚧President Trump's Tariff Timeline: winding, bumpy and under daily construction.We distilled a timeline of the major Tariff announcements since President Trump took office.#tariffs #supplychain #tradewar #scrm pic.twitter.com/7U0qQxYC3o— interos.ai (@interos_ai) May 19, 2025 This is likely in response to the on-again, off-again, on-again, off-again (on-again) tariffs mandated by President Trump via his poison pen. The price of adult clothing and shoes will rise by $2 to $10 per item. Some items won't be impacted, like cheaper goods and children's products.This article originally appeared on Engadget at https://www.engadget.com/big-tech/nike-comes-back-to-amazon-following-a-six-year-absence-152621298.html?src=rss

Five years ago, George Floyd was murdered by a Minneapolis police officer after Floyd was suspected of using a counterfeit $20 bill. His death ignited a series of protests in the United States that gave new energy to the Black Lives Matter (BLM) movement, and which seemed—at the time—to reshape society, online and offline. As the protests that were born out of Floyd’s death reached their zenith in June 2020, Meta CEO Mark Zuckerberg wrote a poignant message: “To members of our Black community: I stand with you. Your lives matter. Black lives matter.” Zuckerberg also pledged that Meta would revise its content policies to tamp down on hate speech. At the same time, platforms like Twitter—now X—took the unprecedented step of limiting the reach of posts by then-sitting U.S. president Donald Trump, after he warned protestors in Minneapolis responding to Floyd’s death that “When the looting starts, the shooting starts.” Reddit updated its hate speech policy; TikTok had to apologize that its algorithm inadvertently suppressed BLM content. Five years on from Floyd’s death, a lot has changed, including social media’s tolerance for hate speech, incitement to violence, and racism. “Given the rollback of a lot of DEI friendly policies, I’d say we can tell how performative those approaches were,” says Carolina Are, a researcher at the Center for Digital Citizens at Northumbria University. “Platforms are private companies, not public institutions despite their overshare of online civil space, so they will always seek to protect their bottom line,” says tèmítópé lasade-anderson, executive director at Glitch, a charity focused on digital rights. The end of DEI Perhaps one of the most obvious examples of that backsliding was Meta terminating its major diversity, equity, and inclusion (DEI) programs for hiring, training and picking suppliers in response to a “changing” approach to DEI within the United States. That change happened in January, as soon as Donald Trump took office as president. The ease with which those programs were rolled back hints at how firmly the statements made immediately after Floyd’s death were held within tech organizations. “Companies of all stripes are conspicuously scaling back DEI programs for employees, and platforms are no exception,” says Daphne Keller., director of the program on platform regulation at Stanford University’s Cyber Policy Center. Keller says that change isn’t just trying to reflect the political winds. “The Trump administration has made it clear that companies risk having multi-million dollar mergers blocked or government contracts terminated if they do not eliminate efforts to diversify hiring, training, and promotion,” she says. It’s in that light—tech companies being threatened with losing out on cash—that the decisions are being made, Keller reckons. Meta did not respond to a request to comment for this story. The “free speech” platform In Elon Musk’s case, after he took over X, the company adopt new policies to allow more leeway for, Musk claimed, people to say things that could be offensive, but not illegal, while simultaneously. cracking down on the ability to say other words, such as cisgender. Hate speech and racist tweets rose by nearly half in the period after Elon Musk took over Twitter, according to a February 2025 study by researchers at the USC Viterbi School of Engineering. Neither Musk nor X’s press office responded to a request for this story. “In general I’d say platforms have been aligning with anti-DEI initiatives, showing that their pro-BLM stances were entirely performative,” says Are. Whether that’s totally fair is uncertain. Roy Austin, a civil rights attorney of three decades standing who was hired as vice president for civil rights at Meta around six months after Floyd’s death, left the company in March 2025. His parting message was largely positive about his time at the company, while acknowledging “the complexity and challenges of our work.” (Austin declined to speak for this story.) Meta’s January winding back of its policies was roundly criticized by some of the same civil rights organizations who the social network had often called on to advise Meta on its decision-making. The platform had shown a “cynical disregard” for the diversity of its user base, the letter, organized by the nonprofit Common Cause, read. Yet Meta’s latest transparency report shows that hate speech has dropped on Facebook, from the average user encountering around 10 posts containing it for every 10,000 they saw, to around two today. That data stops, however, before the big change in January took place. What it looks like five years on from BLM protestors chanting “No justice, no peace” on streets around the United States will have to wait for the company’s next transparency report. 

An image showing the counterfeit Apple chargers looking to cross the U.S. border / Image credits - ABC13 The Port of Houston witnessed a massive shipment of Apple accessories, which the U.S. Customs and Border Protection believed to be a suspicious entry of goods into the country. Sure enough, a new report states that upon further inspection, it was revealed that these were counterfeit chargers and cables in the thousands, with an estimated street value of more than $7 million. With the recent tariffs announcement, which enforces levies on goods arriving from overseas markets, sellers will attempt to cross such shipments without being detected. Given that the trade wars between China and the U.S. show no signs of concluding, such illegal entries will likely pick up in pace. Value of seized Apple chargers and cables was an estimated $7.3 million, with sellers attempting to evade tax payments and pocket a decent profit from these sales As reported by ABC13, with the details spotted by AppleInsider, a shipment of around 373,000 fake Apple chargers and cables was hauled by the authorities, with the agency stating that such products are typically in their crosshairs because counterfeiters try to avoid tax payments as much as possible. When confirming with Apple representatives, it was concluded that these were not authentic accessories. The bust involved 7,460 cartons, and customs agents mentioned that the products featured the Apple trademark. The authorities have warned customers to only make purchases from legitimate sources and pay attention to the prices. While the efforts of the U.S. Customs and Border Protection must be commended, these incidents will increase in number. Such counterfeit accessories might not just be limited to Apple, though we assume that these products will be arriving in a higher number compared to others because the California-based giant’s devices sell in droves in the United States. Smugglers will definitely resort to more creative measures when bringing in fake chargers and cables into the country, but the best practice to be observed by customers is to avoid purchasing from unauthorized sources. News Source: ABC13 Deal of the Day

A shipment of fake Apple Lightning cables and chargers worth more than $7 million was just stopped at the Port of Houston, highlighting the booming — and dangerous — business of counterfeit tech.Image Credit: ABC13 Houston, U.S. Customs and Border ProtectionOn Tuesday, U.S. Customs and Border Protection (CBP) officials at the Port of Houston seized a massive shipment of counterfeit Apple accessories. The haul included 373,000 USB-A to Lightning cables, with an estimated street value of $7.3 million.While the cables bore Apple's markings and trade labeling, officials suspected they weren't authentic. Apple representatives later confirmed those suspicions: the products were indeed counterfeit. Continue Reading on AppleInsider | Discuss on our Forums

May 23, 20253 min readNew Contacts Let You See Infrared Light—Even with Your Eyes ClosedStraight out of science fiction, these contact lenses convert infrared light into visible light that humans can seeBy Elizabeth Gibney & Nature magazine People who tested a new type of designer contact lens could see flashing infrared signals from a light source. Yuqian Ma, Yunuo Chen, Hang Zhao (CC BY SA)Humans have a new way of seeing infrared light, without the need for clunky night-vision goggles. Researchers have made the first contact lenses to convey infrared vision — and the devices work even when people have their eyes closed.The team behind the invention, led by scientists at the University of Science and Technology of China (USTC) in Hefei, gave the lenses their power by infusing them with nanoparticles that convert near-infrared light in the 800–1,600-nanometre range into shorter-wavelength, visible light that humans can see, in the 400–700-nanometre range. The researchers estimate that the lenses cost around US$200 per pair to make.The technology, which was detailed in Cell on 22 May, “is incredibly cool, just like something out of a science-fiction movie”, says Xiaomin Li, a chemist at Fudan University in Shanghai, China. It opens up “new possibilities for understanding the world around us”, he adds.On supporting science journalismIf you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.Pros and consNear-infrared light sits just outside the range of wavelengths that humans can normally detect. Some animals can sense infrared light, although probably not well enough to form images.Night-vision goggles enable humans to see infrared radiation, but they are bulky and require a power source to work. The new lenses avoid these limitations while also offering richer, multi-coloured infrared images that night-vision goggles, which operate on a monochrome green scale, typically do not.However, the lenses do have their own shortcomings. Because the embedded nanoparticles scatter light, the images the lenses create are blurry. The team partially corrected this by putting the technology into glasses with additional lenses that redirect the light. Moreover, unlike night-vision goggles, which amplify light to detect low-level infrared signals, the lenses allow users to see only intense infrared signals, such as those emitted by light-emitting diodes (LEDs).For these reasons, some critics don’t think the lenses will prove useful. “I cannot think of any application that would not be fundamentally simpler with infrared goggles,” says Glen Jeffery, a neuroscientist at University College London who specializes in eye health. “Evolution has avoided this for a good reason.”Nevertheless, the authors think that their lenses can be further optimized and foresee several possible uses for the invention. For instance, wearers would be able to read anti-counterfeit marks that emit infrared wavelengths but are otherwise invisible to the human eye, says co-author Yuqian Ma, a neuroscientist at the USTC.Li, who was not involved in the work, offers another possibility: the lenses might be worn by doctors conducting near-infrared fluorescence surgery, to directly detect and remove cancerous lesions “without relying on bulky traditional equipment”.‘An exhilarating moment’To create the contact lenses, the scientists built on previous research in which they gave mice infrared vision by injecting nanoparticles into the animals’ retinas. This time, they took a less invasive approach and added nanoparticles made of rare-earth metals including ytterbium and erbium to a soup of polymer building blocks to form the soft lenses, and then tested them for safety.The main challenge, Ma says, was to pack enough nanoparticles into the lenses to convert sufficient infrared light into detectable visible light, while not otherwise altering the lenses’ optical properties, including their transparency.Tests in mice showed that animals wearing the lenses tended to choose a dark box that was considered ‘safe’ over one lit up by infrared light, whereas mice without the lenses showed no preference for either box. Humans wearing the lenses could see flickering infrared light from an LED well enough to both pick up Morse code signals and sense which direction the signals were coming from. The lenses’ performance even improved when participants closed their eyes, because near-infrared light easily penetrates the eyelids, whereas visible light, which could have interfered with image formation, does so to a lesser degree.“Witnessing people wearing contact lenses and successfully seeing infrared flashes was undoubtedly an exhilarating moment,” Ma says.The team now plans to find ways to cram more nanoparticles into the lenses and hopes to develop particles that can convert light with higher efficiency, to improve the technology’s sensitivity. “We have overcome the physiological limitations of human vision, as if opening a brand-new window onto the world,” Ma says.This article is reproduced with permission and was first published on May 22, 2025.

May 23, 2025Ravie LakshmananRansomware / Dark Web As part of the latest "season" of Operation Endgame, a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets. Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating access for ransomware. The previous edition focused on dismantling the initial access malware families that have been used to deliver ransomware. The latest iteration, per Europol, targeted new malware variants and successor groups that re-emerged after last year's takedowns such as Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE. The interaction action was carried out between May 19 and 22, 2025. "In addition, €3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during the Operation Endgame to more than €21.2 million," the agency said. Europol noted that the malware variants are offered as a service to other threat actors and are used to conduct large-scale ransomware attacks. Furthermore, international arrest warrants have been issued against 20 key actors who are believed to be providing or operating initial access services to ransomware crews. "This new phase demonstrates law enforcement's ability to adapt and strike again, even as cybercriminals retool and reorganize," Europol Executive Director Catherine De Bolle said. "By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source." Germany's Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has revealed that criminal proceedings have been initiated against 37 identified actors. Some of the individuals who have been added to the E.U. Most Wanted list are listed below - Roman Mikhailovich Prokop (aka carterj), 36, a member of the QakBot group Danil Raisowitsch Khalitov (aka dancho), 37, a member of the QakBot group Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, a member of the TrickBot group Mikhail Mikhailovich Tsarev (aka mango), 36, a member of the TrickBot group Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, a member of the TrickBot group Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, a member of the TrickBot group The disclosure comes as Europol took the wraps off a large-scale law enforcement operation that resulted in 270 arrests of dark web vendors and buyers across 10 countries: the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19), Austria (4), the Netherlands (4), Brazil (3), Switzerland (1), and Spain (1). The suspects, Europol noted, were identified based on intelligence gathered from the takedowns of the dark web marketplaces Nemesis, Tor2Door, Bohemia, and Kingdom Markets. Several suspects are alleged to have conducted thousands of sales on illicit marketplaces, often using encryption tools and cryptocurrencies to conceal their digital footprints. "Known as Operation RapTor, this international sweep has dismantled networks trafficking in drugs, weapons, and counterfeit goods, sending a clear signal to criminals hiding behind the illusion of anonymity," Europol said. Along with the arrests, €184 million in cash and cryptocurrencies, 2 tons of drugs, 180 firearms, 12,500 counterfeit products, and more than 4 tons of illegal tobacco have been seized by authorities. The joint action follows Operation SpecTor in May 2023, which led to the arrest of 288 dark web vendors and buyers and the seizure of €50.8 million in cash and cryptocurrency. "With traditional marketplaces under increasing pressure, criminal actors are shifting to smaller, single-vendor shops — sites run by individual sellers to avoid marketplace fees and minimize exposure," Europol said. "Illegal drugs remain the top commodity sold on the dark web, but 2023 also saw a surge in prescription drug trafficking and a rise in fraudulent services, including fake hitmen and bogus listings designed to scam buyers." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

After a six year absence, Nike will soon begin selling products directly on Amazon, having previously stopped in 2019 to go it alone. At the same time, the company is reportedly set to increase prices across most of its sneakers and other clothes in the wake of recent US tariffs. Nike stopped selling through Amazon after just two years on the platform, blaming the decision to end sales on Amazon’s inability to crack down on counterfeiters and unlicensed sellers. Just as pivotal was its desire to build its own direct-to-consumer sales platforms in the Nike app and website, which saw it reduce its other retail partners around the same time. Nike goods have continued to appear on Amazon in the years since, but only sold by third-party sellers on the platform. According to The Information those merchants have been told that they have until July 19th to stop selling certain Nike products. “While independent sellers have listed some Nike inventory in our store for many years, Amazon will soon begin sourcing a much wider range of Nike products directly to expand our selection for US customers,” Amazon spokesperson Megan Lagesse told The Verge. “We value independent sellers, and we’re providing an extended period of time for the small number of sellers affected to sell through their inventory of overlapping items.” Nike’s direct-to-consumer strategy seemed to be working well during the covid pandemic, when online shopping spiked, but has wobbled since. In 2023 the company began restoring its relationships with retailers including Foot Locker and Macy’s, and new CEO Elliott Hill, who took up the post in October 2024, has made building back Nike’s wholesale business a key pillar of the company’s plans. CNBC reports that Nike is also set to raise prices across its products from June 1st, likely in response to US tariffs. Adult clothes and shoes priced above $100 will rise by $2 to $10, though cheaper goods and children’s products won’t be affected. Nike will also avoid raising the price of its $115 Air Force 1 shoe and some of its Jordan-branded apparel.

May 21, 2025Ravie LakshmananMalware / Artificial Intelligence Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company. "The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said. First detected in early 2025, the campaign leads unsuspecting users to a spoofed website such as klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-generated images or videos directly in the browser. However, the website does not generate the multimedia count as advertised. Rather, it offers the option to a purported image or video that, in reality, is a malicious Windows executable hidden using double extensions and Hangul Filler (0xE3 0x85 0xA4) characters. The payload is included in a ZIP archive and acts as a loader to launch a remote access trojan and a stealer that then establishes contact with a command-and-control (C2) server and exfiltrates browser-stored credentials, session tokens, and other sensitive data. The loader, besides monitoring for analysis tools such as Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, and Fiddler, makes Windows Registry changes to set up persistence and launches the second-stage by injecting it into a legitimate system process like "CasPol.exe" or "InstallUtil.exe" to evade detection. The second-stage payload, obfuscated using .NET Reactor, is the PureHVNC RAT that contacts a remote server (185.149.232[.]197) and comes with capabilities to steal data from several cryptocurrency wallet extensions installed on Chromium-based browsers. PureHVNC also adopts a plugin-based approach to capture screenshots when window titles matching banks and wallets are opened. Check Point said it identified no less than 70 promoted posts from fake social media pages impersonating Kling AI. It's currently not clear who is behind the campaign, but evidence gathered from the fake website's web page and some of the ads show that they could be from Vietnam. The use of Facebook malvertising techniques to distribute stealer malware has been a tried-and-tested tactic of Vietnamese threat actors, who have been increasingly capitalizing on the popularity of generative AI tools to push malware. Earlier this month, Morphisec revealed that a Vietnamese threat actor has been leveraging fake AI-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile. "This campaign, which impersonated Kling AI through fake ads and deceptive websites, demonstrates how threat actors are combining social engineering with advanced malware to gain access to users' systems and personal data," Check Point said. "With tactics ranging from file masquerading to remote access and data theft, and signs pointing to Vietnamese threat groups, this operation fits into a broader trend of increasingly targeted and sophisticated social media-based attacks." The development comes as The Wall Street Journal reported that Meta is battling an "epidemic of scams," with cyber criminals flooding Facebook and Instagram with various kinds of scams ranging from romance baiting to sketchy bargain ads to fake giveaways. Many of the scam pages are operated from China, Sri Lanka, Vietnam, and the Philippines, the report added. According to Rest of World, phony job ads on Telegram, Facebook, and other social media are being increasingly used to lure young Indonesians and get trafficked to scam compounds in Southeast Asia, from where they are coerced into running investment scams and defraud victims across the world. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    