Cybercriminals are exploiting the surge in AI video generation by distributing malware through fake websites and installers that impersonate popular AI tools. A Vietnam-based group, UNC6032, has been running a campaign since at least mid-2024, promoting over 30 fraudulent sites via thousands of Facebook and LinkedIn ads, which have collectively reached millions of users. These fake sites mimic well-known prompt-to-video AI platforms such as Luma AI, Canva Dream Lab, and Kling AI, luring users with offers of free or advanced AI video generation. Users are prompted to download files disguised as AI-generated videos, which are actually malware-laden executables. The malware includes infostealers, backdoors, and ransomware such as CyberLock and Lucky_Gh0$t, as well as the destructive Numero malware. The attack chain features the STARKVEIL dropper, which deploys multiple payloads including GRIMPULL, XWORM, and FROSTRIFT, targeting login credentials, cookies, credit card data, cryptocurrency wallets, and browser extensions. These payloads establish persistence via AutoRun registry keys and can facilitate further attacks. Ransom notes have demanded $50,000 in Monero. Victims include businesses, small creators, and users across various industries and regions. In addition to malware threats, the proliferation of AI-generated content online, including political fanfiction videos that mimic breaking news, is making it increasingly difficult for users to distinguish between real and fake media.