May 29, 2025
The DOT Report is a monthly news series from DOT Security that covers the latest headlines and biggest stories in the cybersecurity field. These stories give us a chance to discuss technical inner workings as well as the very real-world impact of cybersecurity.
This month, we talk about the fake Kling AI ads that have pushed malware to 22 million victims and how Russian hackers have been targeting Ukraine supporters. Then we'll investigate the critical vulnerability discovered in Windows Server 2025 before closing with a look at the cyber incident that disrupted communications across the Midwest.
Digging into these stories allows us to analyze the real-world effects of cyber incidents, underscoring the importance of a robust cybersecurity strategy.
Stay updated on everything cybersecurity, from breaking news and major developments, to emerging tech and best practices, by subscribing to DOT Security.
A new malware campaign is hijacking the viral rise of Kling AI, a text-to-video generation tool, to deliver stealthy remote access trojans (RATs) to unsuspecting users. Security researchers at Zscaler have uncovered a widespread scheme that uses fake Facebook ads to lure victims to cloned Kling websites.
Once on these lookalike sites, users are prompted to download what they believe is the Kling desktop app. Instead, they receive a copy of PureHVNC — a hidden VNC-based trojan that gives attackers complete, invisible control over the infected system. This kind of access allows attackers to steal login credentials, access banking portals, and drain crypto wallets, all without alerting the user.
Researchers identified dozens of cloned sites, and one domain alone received over 22 million hits, with the U.S., India, and the Philippines as the top geographies.
The scam’s efficacy hinges on trust, and the attackers are exploiting Facebook’s ad platform to build that trust. In many cases, the fake ads are run through verified Business accounts, which makes them appear legitimate even to cautious users. Meta has been taking down the ads, but the rapid rotation of domains means new campaigns are constantly going live.
If you're looking to experiment with tools like Kling AI, skip the ad links. Go directly to the official website and avoid downloading any “desktop apps” that don’t come from a verified source.
For enterprise security teams, this is a good time to remind staff, especially creatives, that social media links to trending AI tools are a growing threat vector.
The NSA has revealed that Russia’s military intelligence agency, the GRU, is actively hacking U.S. and European organizations involved in delivering aid to Ukraine. The campaign is focused on tracking the frequency and delivery of aid being sent to Ukraine.
According to the report, GRU operatives have been targeting logistics firms, defense contractors, and NGOs through spear phishing emails and compromised home routers. These attacks are designed to quietly collect intelligence on humanitarian and military supply chains.
In fact, the main target was a series of over 10,000 internet-connected surveillance cameras across Eastern and Central Europe — a move likely intended to observe actual shipments and convoy movement in real time.
Organizations tied to the Ukraine relief effort are being urged to tighten remote access controls and audit both VPN and router activity, particularly for remote workers. The NSA also recommends disabling port forwarding on home devices and segmenting networks to reduce exposure.
This campaign reminds us of how big a role cyber is playing in international politics.
A newly discovered vulnerability in Windows Server 2025 is raising significant concerns among cybersecurity professionals. The flaw resides in the delegated Managed Service Accounts (dMSAs) feature, intended to streamline service account management in Active Directory (AD).
However, researchers have found that this feature can be exploited to grant attackers elevated privileges across an Active Directory environment.
The vulnerability allows an attacker with minimal permissions—specifically, the ability to create or modify dMSAs—to impersonate any user in the domain, including administrators. This is achieved by manipulating certain attributes of a dMSA to simulate a migration from an existing account.
The Key Distribution Center (KDC) then issues authentication tickets that grant the dMSA the same privileges as the targeted account. Alarmingly, this attack vector is viable even in environments that do not actively use dMSAs. The mere presence of a Windows Server 2025 domain controller enables the feature by default.
While a patch is being developed, the current recommendations are as follows:
Organizations relying on Active Directory should prioritize reviewing their configurations and permissions to mitigate this vulnerability until an official patch is released.
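To support the review step recommended above, here is an added PowerShell example, written for this editorial pass and not code from DOT Security or Microsoft, that lists which principals hold the right to create dMSA objects. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, that the dMSA object class is msDS-DelegatedManagedServiceAccount (its schema GUID is resolved at runtime rather than hard-coded), and that the $expected list of trusted principals is a placeholder to adjust for your domain. It checks both organizational units and the default Managed Service Accounts container, and treats a GenericAll grant as equivalent to CreateChild because the former includes the latter.

```powershell
# Added example (not from the DOT Security post): report every principal that can create
# dMSA objects in an OU or in the Managed Service Accounts container, so the "create or
# modify dMSAs" permission described above can be reviewed and trimmed.
# Assumes: RSAT ActiveDirectory module, domain-joined host, directory read access.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Resolve the schema GUID of the dMSA class from this forest's schema instead of hard-coding it.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'dMSA class not found in the schema; this forest has no Windows Server 2025 schema extension.'
}
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyClass  = [guid]::Empty   # an all-zero ObjectType means the ACE applies to every child class
$createBit = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Principals expected to hold create rights; anything else is reported for review.
# Placeholder list: adjust for your own domain.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

# dMSAs can be created in any OU and in the default Managed Service Accounts container.
$containers  = @("CN=Managed Service Accounts,$($rootDse.defaultNamingContext)")
$containers += (Get-ADOrganizationalUnit -Filter *).DistinguishedName

$findings = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll includes the CreateChild bit, so this covers explicit and "full control" grants.
        if (([int]$ace.ActiveDirectoryRights -band $createBit) -eq 0) { continue }
        # Only ACEs scoped to the dMSA class, or to all child classes, allow creating a dMSA.
        if ($ace.ObjectType -ne $dmsaGuid -and $ace.ObjectType -ne $anyClass) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Container = $dn
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Principal, Container | Format-Table -AutoSize
```

Any principal the script reports outside the expected list holds the entry point the paragraph above describes; removing or narrowing that ACE, and alerting on new dMSA objects until the patch ships, are the corresponding defensive steps. Inherited entries usually trace back to a grant at the domain root or a parent OU, so fix them at the source rather than on each container.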
In mid-May, regional wireless provider Cellcom confirmed it had been the target of a cyberattack that significantly disrupted voice and text messaging services across parts of northeastern Wisconsin and Michigan’s Upper Peninsula. The incident, which began on May 14, left thousands of customers unable to send texts or make calls for several days.
While the company has not disclosed technical details of the attack, Cellcom stated that no customer data appears to have been stolen, and that billing and mobile data services were not affected. The outage primarily impacted SMS and voice functionality, which took nearly five days to fully restore.
The incident sparked concern among rural customers and businesses who rely heavily on Cellcom’s infrastructure for daily communication. In regions where competition is limited, even a partial outage can carry outsized consequences — from missed emergency alerts to disrupted business operations.
While Cellcom has not confirmed whether ransomware was involved, the FBI’s involvement suggests the attack was deliberate and sophisticated. The company says it will share more once the forensic investigation concludes.
In the meantime, this is a stark reminder that enterprise cybersecurity can protect everyday individuals.
From stealthy remote access trojans hiding behind viral AI ads to a quiet Russian campaign aimed at tracking aid into Ukraine, May’s headlines serve as a sharp reminder: cyber threats are evolving in both scale and subtlety. While some actors aim to disrupt, others are gathering intelligence, blending espionage with digital infrastructure in ways that can be hard to spot until it’s too late.
Even features designed to simplify IT management—like Windows Server’s new dMSAs—can become dangerous when their permissions aren’t fully understood.
For businesses and individuals alike, the need for proactive security measures, vigilant monitoring, and layered defenses has never been clearer.
Subscribe to DOT Security and stay up to date on everything cybersecurity, from the latest headlines to the newest technologies and most recent regulations.