Date: 05/29/2025
Severity: Medium
Summary
Since mid-2024, the cyber threat group UNC6032 has exploited public interest in AI tools by creating fake websites that mimic popular AI video generators such as Luma AI and Canva Dream Lab. These fraudulent sites are promoted through deceptive ads on platforms such as Facebook and LinkedIn and distribute malware, including Python-based infostealers and backdoors. Stolen login credentials, cookies, credit card data, and social media account information are exfiltrated via the Telegram API. The attackers are believed to have ties to Vietnam and continue to evolve their tactics across multiple platforms to evade detection.
Indicators of Compromise (IOC) List
URL/Domain | strokes.zapto.org artisanaqua.ddnsking.com creativepro.ai boostcreatives.ai creativepro-ai.com boostcreatives-ai.com creativespro-ai.com klingxai.com lumaai-labs.com klings-ai.com luma-dream.com quirkquestai.com lumaai-dream.com lumaai-lab.com lumaaidream.com lumaailabs.com luma-dreamai.com ai-kling.com dreamai-luma.com aikling.ai aisoraplus.com lumalabsai.in canvadream-lab.com canvadreamlab.com adobe-express.com canva-dreamlab.com canvadreamlab.ai canvaproai.com capcutproai.com luma-aidream.com luma-dreammachine.com |
Hash | 8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query : | domainname like "capcutproai.com" or siteurl like "capcutproai.com" or url like "capcutproai.com" or domainname like "luma-dreamai.com" or siteurl like "luma-dreamai.com" or url like "luma-dreamai.com" or domainname like "klings-ai.com" or siteurl like "klings-ai.com" or url like "klings-ai.com" or domainname like "creativepro-ai.com" or siteurl like "creativepro-ai.com" or url like "creativepro-ai.com" or domainname like "boostcreatives.ai" or siteurl like "boostcreatives.ai" or url like "boostcreatives.ai" or domainname like "quirkquestai.com" or siteurl like "quirkquestai.com" or url like "quirkquestai.com" or domainname like "creativespro-ai.com" or siteurl like "creativespro-ai.com" or url like "creativespro-ai.com" or domainname like "canva-dreamlab.com" or siteurl like "canva-dreamlab.com" or url like "canva-dreamlab.com" or domainname like "canvaproai.com" or siteurl like "canvaproai.com" or url like "canvaproai.com" or domainname like "lumaai-dream.com" or siteurl like "lumaai-dream.com" or url like "lumaai-dream.com" or domainname like "lumaailabs.com" or siteurl like "lumaailabs.com" or url like "lumaailabs.com" or domainname like "luma-dream.com" or siteurl like "luma-dream.com" or url like "luma-dream.com" or domainname like "luma-dreammachine.com" or siteurl like "luma-dreammachine.com" or url like "luma-dreammachine.com" or domainname like "boostcreatives-ai.com" or siteurl like "boostcreatives-ai.com" or url like "boostcreatives-ai.com" or domainname like "lumaaidream.com" or siteurl like "lumaaidream.com" or url like "lumaaidream.com" or domainname like "canvadreamlab.ai" or siteurl like "canvadreamlab.ai" or url like "canvadreamlab.ai" or domainname like "aisoraplus.com" or siteurl like "aisoraplus.com" or url like "aisoraplus.com" or domainname like "canvadream-lab.com" or siteurl like "canvadream-lab.com" or url like "canvadream-lab.com" or domainname like "canvadreamlab.com" or siteurl like "canvadreamlab.com" or url like "canvadreamlab.com" or domainname like "lumalabsai.in" or siteurl like "lumalabsai.in" or url like "lumalabsai.in" or domainname like "ai-kling.com" or siteurl like "ai-kling.com" or url like "ai-kling.com" or domainname like "strokes.zapto.org" or siteurl like "strokes.zapto.org" or url like "strokes.zapto.org" or domainname like "artisanaqua.ddnsking.com" or siteurl like "artisanaqua.ddnsking.com" or url like "artisanaqua.ddnsking.com" or domainname like "creativepro.ai" or siteurl like "creativepro.ai" or url like "creativepro.ai" or domainname like "klingxai.com" or siteurl like "klingxai.com" or url like "klingxai.com" or domainname like "lumaai-labs.com" or siteurl like "lumaai-labs.com" or url like "lumaai-labs.com" or domainname like "lumaai-lab.com" or siteurl like "lumaai-lab.com" or url like "lumaai-lab.com" or domainname like "dreamai-luma.com" or siteurl like "dreamai-luma.com" or url like "dreamai-luma.com" or domainname like "aikling.ai" or siteurl like "aikling.ai" or url like "aikling.ai" or domainname like "adobe-express.com" or siteurl like "adobe-express.com" or url like "adobe-express.com" or domainname like "luma-aidream.com" or siteurl like "luma-aidream.com" or url like "luma-aidream.com" |
Detection Query : | sha256hash IN ("e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822","a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3","8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc","839260ac321a44da55d4e6a5130c12869066af712f71c558bd42edd56074265b","4982a33e0c2858980126b8279191cb4eddd0a35f936cf3eda079526ba7c76959","1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb","8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b","d3f50dc61d8c2be665a2d3933e2668448edc31546fea84517f8e61237c6d2e5d","dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3") |
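As an added example (not part of this advisory and not Gurucul TDIR code), the following Python applies the same domain and SHA-256 indicators to proxy- or DNS-style log records, matching subdomains of each indicator without hitting lookalike hosts that merely contain the string. Field names (domainname, siteurl, url, sha256hash) mirror the queries above; the sample records are constructed.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above (a subset of its domain list).
IOC_DOMAINS = {
    "lumaai-labs.com", "canvadreamlab.com", "capcutproai.com",
    "adobe-express.com", "strokes.zapto.org", "artisanaqua.ddnsking.com",
}
IOC_SHA256 = {
    "8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b",
    "e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822",
}

def extract_host(value: str) -> str:
    """Host part of a URL; a bare hostname passes through unchanged."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower().rstrip(".")

def host_matches(host: str) -> str:
    """Indicator that host equals or is a subdomain of, else "". Suffix walking
    catches www.lumaai-labs.com but not the lookalike notlumaai-labs.com, which a
    substring test would; DDNS IOCs stay full hostnames, so ddnsking.com never hits."""
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return ""

def check_record(record: dict) -> list:
    """'field:indicator' tags for one record (fields named as in the query)."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        value = record.get(field)
        matched = host_matches(extract_host(value)) if value else ""
        if matched:
            hits.append(f"{field}:{matched}")
    digest = record.get("sha256hash", "").lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256hash:{digest[:12]}")
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"url": "https://www.lumaai-labs.com/download/setup.zip"},
    {"domainname": "notlumaai-labs.com"},  # lookalike, must not match
    {"url": "http://strokes.zapto.org:8080/beacon"},
    {"sha256hash": "8863065544DF546920CE6189DD3F99AB3F5D644D3D9C440667C1476174BA862B"},
    {"domainname": "other.ddnsking.com"},  # same DDNS provider, not an IOC
]
```

Run `check_record` over each record of your own export; the full domain and hash lists from this page can be dropped into the two sets unchanged.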
Reference:
https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites