UNC6032
UNC6032 is a Vietnam-linked cybercriminal threat actor that has been active since at least mid-2024. The group is associated with large-scale social media malvertising campaigns that use fake AI video generator and AI tool websites to distribute infostealers and other malware. Reported lures include fake versions of Luma AI, Canva Dream Lab, and Kling AI, promoted through thousands of ads on Facebook and LinkedIn; one campaign reportedly reached 2.3 million users in the EU alone. Public reporting also describes UNC6032 as flooding Facebook and LinkedIn with fake AI video generator ads over the past year.
UNC6032 has been reported targeting marketing agencies, media outlets, and small businesses. In observed campaigns, the group used fake AI video generator websites as delivery infrastructure and employed a Rust-based malware chain that includes the STARKVEIL dropper and payloads such as GRIMPULL, XWORM, and FROSTRIFT. Google Cloud has profiled the actor as using AI video generator websites to distribute infostealers.
Reporting identifies the group as Vietnam-linked and financially motivated; no state affiliation is stated in the reporting reviewed. Known alias: UNC6032.
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Operated fake AI-themed websites promoted via Facebook and LinkedIn ads to impersonate AI video tools and deliver malware at scale.
UNC6032 is a threat actor group with a Vietnam nexus, active since mid-2024, distributing infostealers via fake AI video generator websites promoted on social media.
UNC6032 is a Vietnamese cybercriminal group distributing Rust-based malware via fake AI video generator ads on social media, targeting marketing agencies, media outlets, and small businesses to steal credentials and crypto assets.