Malware, used by 1 actor

STARKVEIL

STARKVEIL is a Rust-based Windows dropper associated with UNC6032, a threat group that public reporting assesses to have a Vietnam nexus. It is distributed via fake AI video generator and related AI-tool websites promoted through Facebook and LinkedIn ads, including sites impersonating Luma AI and Kling AI. In the documented UNC6032 activity, STARKVEIL served as the initial dropper and was followed by Python loaders that deployed multiple payloads, including XWORM, FROSTRIFT, and GRIMPULL. Reported post-infection capabilities in this chain included theft of browser cookies and cryptocurrency wallet extension data. The broader UNC6032 campaign reportedly targeted marketing agencies, media outlets, and small businesses, and its ads reached large numbers of users in the EU. No other aliases are reported; the family is known only as STARKVEIL.
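The chain above (a downloaded dropper, a Python loader, then cookie and wallet-extension theft) translates directly into a host-level hunt. What follows is an added example written for this page, not code from Mandiant, pillar.security, or Mallory: it walks a process tree and flags any Python interpreter that descends from a binary in a user download or temp directory and then reads browser cookie stores or Chromium extension storage. The event shape, the directory heuristics, the Chromium paths, and every sample event are constructed assumptions; no real STARKVEIL file names, hashes, or extension IDs appear in it.

```python
"""Hunt logic for a dropper -> Python loader -> browser/wallet data theft chain.

Added example for illustration; not code from the page, Mandiant, pillar.security
or Mallory. Field names, paths, PIDs and sample events are all constructed
assumptions modelled loosely on Sysmon-style process-creation and file events.
"""
from collections import defaultdict

# Heuristics (assumptions): where user-downloaded binaries tend to live, which
# images are Python interpreters, and which files hold cookie / extension data.
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
COOKIE_DB_NAMES = {"cookies", "cookies.sqlite"}     # Chromium and Firefox stores
EXTENSION_STORE = "\\local extension settings\\"    # Chromium extension storage (wallets live here)

# Constructed sample telemetry. Hosts, PIDs, file names and the extension
# directory name are placeholders, not observed indicators.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Users\alice\Downloads\ai_video_tool.exe"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\runtime\python.exe"},
    {"type": "file", "pid": 101,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file", "pid": 101,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\placeholderextid\000003.log"},
    # Benign control: a developer's interpreter started from a shell, not from a
    # downloaded binary, touching only project files.
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Python312\python.exe"},
    {"type": "file", "pid": 201, "path": r"C:\Users\alice\project\app.py"},
]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_python(image):
    return basename(image) in PYTHON_IMAGES


def launched_from_user_dir(image):
    low = image.lower()
    return any(d in low for d in USER_DROP_DIRS)


def touches_sensitive(path):
    return basename(path) in COOKIE_DB_NAMES or EXTENSION_STORE in path.lower()


def index_events(events):
    """Split events into a pid -> process map and a pid -> [paths] map."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    files = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            files[e["pid"]].append(e["path"])
    return procs, files


def ancestors(pid, procs):
    """Walk the parent chain from pid upward, guarding against cycles."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def hunt(events):
    """Return one hit per Python process that descends from a binary in a user
    download/temp directory and reads cookie or extension data."""
    procs, files = index_events(events)
    hits = []
    for pid, proc in procs.items():
        if not is_python(proc["image"]):
            continue
        dropper = next((a for a in ancestors(proc["ppid"], procs)
                        if launched_from_user_dir(a["image"])), None)
        if dropper is None:
            continue
        touched = [p for p in files[pid] if touches_sensitive(p)]
        if touched:
            hits.append({"dropper": dropper["image"], "python_pid": pid, "paths": touched})
    return hits


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"dropper={h['dropper']} python_pid={h['python_pid']}")
        for p in h["paths"]:
            print("   read", p)
```

Two practical caveats when turning this into a production rule: Sysmon records process creation (Event ID 1) and file creation (Event ID 11) but not file reads, so the cookie-store and extension-storage access usually has to come from an EDR sensor or Windows object-access auditing; and the parent-chain walk matters, because the loader reported here runs under a separately dropped Python runtime rather than the dropper's own process, so a rule keyed only on the dropper's image would miss the theft stage.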


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UNC6032

STARKVEIL: Windows dropper used by UNC6032, delivered through fake Luma AI and Kling AI sites; drops XWORM, FROSTRIFT, and GRIMPULL.

via pillar.security

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583 Acquire Infrastructure (evidence: 1)

Seven campaigns in the source's data set used paid search ads or search engine poisoning. The procedure is straightforward: buy an ad for "install [AI tool]" and serve a convincing clone of the real site. In ATT&CK the paid-ad variant is the sub-technique T1583.008 (Malvertising). Note that the campaign count comes from the broader set of AI-themed lure campaigns in the source report, and that the STARKVEIL reporting specifically describes Facebook and LinkedIn ads rather than search ads.

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 1)

Five campaigns in the source's data set used standalone fake websites, reached through SEO manipulation or social media advertising. As with the T1583 entry, the count covers the source's broader campaign set rather than STARKVEIL alone. ATT&CK defines T1189 as compromise through normal browsing, typically by exploiting the browser; in the STARKVEIL chain the fake site instead delivers a dropper that the victim has to run, so defenders mapping their own detections should also consider T1204.002 (User Execution: Malicious File).
