Mallory
Malware · Used by 1 actor

FROSTRIFT

FROSTRIFT is a Windows backdoor associated with the Vietnamese threat group UNC6032. Reporting describes it as providing persistent access and using Tor-based command-and-control. It was observed in campaigns in which UNC6032 used fake AI video generator advertisements on Facebook and LinkedIn to lure victims to malicious sites impersonating services such as Luma AI, Canva Dream Lab, and Kling AI. In that activity, a Rust-based dropper named STARKVEIL was used alongside Python loaders to deliver multiple payloads, including GRIMPULL, XWORM, and FROSTRIFT. The broader campaign targeted marketing agencies, media outlets, and small businesses. High-confidence details in the provided content identify FROSTRIFT specifically as a backdoor for Windows with persistence and Tor-based C2, delivered as part of UNC6032's fake AI-tool malware operations.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC6032

FROSTRIFT: Backdoor, Windows, UNC6032. Persistent access, Tor-based C2.

via pillarpillar.security
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583 Acquire Infrastructure (Evidence: 1)

Seven campaigns used paid search ads or search engine poisoning. The technique is straightforward: buy an ad for "install [AI tool]" and serve a convincing clone.

Initial Access

1 technique
T1189 Drive-by Compromise (Evidence: 1)

Five campaigns used standalone fake websites distributed through SEO manipulation or social media advertising.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.