AI Incident Database

Incident 1080: Noodlophile Stealer Reportedly Distributed Through Allegedly Fraudulent AI Content Platforms

Description: A campaign reportedly used fake AI video generation sites to distribute malware under the guise of AI-generated content. Promoted via social media, these sites allegedly tricked users into downloading files containing Noodlophile Stealer, a previously unreported infostealer, and in some cases XWorm. The malware harvested credentials and could enable remote access.
Editor Notes: Reportedly fake AI video generator sites (e.g. "Dream Machine") began circulating in early 2025 via Facebook groups and social media lures. Victims were allegedly prompted to upload media and download processed content, which instead delivered malware (Noodlophile Stealer, sometimes XWorm). Morphisec publicly reported the campaign and newly named stealer on 05/08/2025. The full Morphisec threat analysis report can be read at the following URL: https://engage.morphisec.com/hubfs/Noodlophile_Ransomware_ThreatAnalysis.pdf.


Entities

Alleged: Unknown developer of Noodlophile Stealer developed an AI system deployed by Unknown developer of Noodlophile Stealer, Unknown actors operating fraudulent AI-themed websites and Unknown actors distributing malware-as-a-service (MaaS), which harmed Users whose devices were potentially compromised via remote access trojans (RATs), Targets of credential theft, Small businesses targeted by Noodlophile Stealer and Individuals targeted by Noodlophile Stealer.
Alleged implicated AI systems: zlib, XWorm, WinRAR CLI utility, Windows Registry, Windows, Telegram, RegAsm.exe, Python marshal, PowerShell, Luma Dreammachine, Google, Fake AI content generation platforms, Facebook, Dream Machine, cpython environment, certutil.exe, CapCut, base85 and .NET runtime hosting APIs

Incident Stats

Incident ID: 1080
Report Count: 5
Incident Date: 2025-05-08
Editors: Daniel Atherton

Incident Reports

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms
morphisec.com · 2025

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation---from generating art and music to transforming photos into videos. But amid this excitement, cybercrimina…

Fake AI video generators drop new Noodlophile infostealer malware
bleepingcomputer.com · 2025

Fake AI-powered video generation tools are being used to distribute a new information-stealing malware family called 'Noodlophile,' under the guise of generated media content.

The websites use enticing names like the "Dream Machine" and are…

Attackers Lace Fake Generative AI Tools With 'Noodlophile' Malware
darkreading.com · 2025

An attacker is offering supposed generative AI tools to users in Facebook groups, only to give them malware once they upload their media to the fraudulent "tool."

Security vendor Morphisec detailed a campaign on May 8 in which threat actors…

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms
gbhackers.com · 2025

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a lure.

Dubbed Noodlophile Stealer, this previously undocumented infostealer targets unsuspecting users by exploiting their enthusiasm for AI-p…

Fake image-to-video AI sites deliver novel ‘Noodlophile’ infostealer
scworld.com · 2025

Fake AI image generators advertised on Facebook are leading to a new infostealer called "Noodlophile," Morphisec reported.

The Morphisec researchers discovered Facebook pages impersonating the legitimate text-to-video AI service Luma Dream …

Variants

A "variant" is an incident that shares the same causative factors, produces similar harms, and involves the same intelligent systems as a known AI incident. Rather than index variants as entirely separate incidents, we list variations of incidents under the first similar incident submitted to the database. Unlike other submission types to the incident database, variants are not required to have reporting in evidence external to the Incident Database. Learn more from the research paper.