Skip to main content
Mallory
Back to threat actors
3 malware families

UNC6032

Also known asUNC6032

UNC6032 is an active Vietnam-linked cybercriminal threat actor that has been active since at least mid-2024. The group is associated with large-scale social media malvertising campaigns that use fake AI video generator and AI tool websites to distribute infostealers and other malware. Reported lures include fake versions of Luma AI, Canva Dream Lab, and Kling AI, promoted through thousands of ads on Facebook and LinkedIn; one campaign reportedly reached 2.3 million users in the EU alone. Public reporting also describes UNC6032 as flooding Facebook and LinkedIn with fake AI video generator ads over the past year. UNC6032 has been reported targeting marketing agencies, media outlets, and small businesses. In observed campaigns, the group used fake AI video generator websites as delivery infrastructure and employed a Rust-based malware chain including the STARKVEIL dropper and payloads such as GRIMPULL, XWORM, and FROSTRIFT. Google Cloud has profiled the actor as using AI video generator websites to distribute infostealers. The content identifies the group as Vietnamese/Vietnam-linked and financially motivated; no state affiliation is stated in the provided material. Known alias in the provided content: UNC6032.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics5 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1583
Acquire Infrastructure
TA0001
Initial Access
2 techniques
T1189
Drive-by Compromise
T1566
Phishing
T1566.002
Spearphishing Link
TA0005
Stealth
1 technique
T1036
Masquerading
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
FROSTRIFTFROSTRIFT Backdoor Windows UNC6032 Persistent access, Tor-based C2.1Mar 24, 2026
STARKVEILSTARKVEIL Dropper Windows UNC6032 (Luma AI, Kling AI) Drops XWORM, FROSTRIFT, GRIMPULL.1Mar 24, 2026
XWormXWORM RAT/Backdoor Windows UNC6032 Full remote access, C2 via Telegram.1Mar 24, 2026
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
pillarNews
Mar 10, 2026
AI Coding Tools Under Fire: Mapping the Malvertising Campaigns Targeting the Vibe Coding Ecosystem

Operated fake AI-themed websites promoted via Facebook and LinkedIn ads to impersonate AI video tools and deliver malware at scale.

Read more
tanium blogNews
Jul 1, 2025
CTI Roundup: UNC6032, APT41, Void Blizzard | Tanium
Read more
risky biz rssNews
May 30, 2025
Risky Bulletin: Windows Update will soon deliver individual app updates

UNC6032 is a threat actor group with a Vietnam nexus, active since mid-2024, distributing infostealers via fake AI video generator websites promoted on social media.

Read more
vulnuNews
May 30, 2025
🎓️ Vulnerable U | #118

UNC6032 is a Vietnamese cybercriminal group distributing Rust-based malware via fake AI video generator ads on social media, targeting marketing agencies, media outlets, and small businesses to steal credentials and crypto assets.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.