Report 5467

Associated Incidents

Incident 10808 Report
Noodlophile Stealer Reportedly Distributed Through Allegedly Fraudulent AI Content Platforms

Fake AI Video Tools Spreading New “Noodlophile” Malware, Targets Thousands on Facebook
esecurityplanet.com · 2025

As AI tools boom in popularity, cyberthieves are exploiting the excitement with fake AI video editing platforms that lure users into downloading malware. 

At the center of this disturbing new trend is a previously unknown infostealer called Noodlophile Stealer, now being secretly distributed through fraudulent websites promoted on social media.

Researchers from cybersecurity firm Morphisec have uncovered the scheme's full extent. They reveal that attackers are using realistic AI-themed platforms to trick users, especially content creators and small businesses, into infecting themselves with malware.

How the scam works: 'Free AI tools' that cost you everything

The trap begins on Facebook, where well-designed posts and pages promote fake AI services. One post alone racked up over 62,000 views, showing how wide the scam has spread. Fake AI tool names like "Dream Machine AI" and "CapCut AI" are commonly used to draw attention.

"Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms -- often advertised via legitimate-looking Facebook groups and viral social media campaigns," said Shmuel Uzan, a researcher at Morphisec.

When users visit these scam websites, they're prompted to upload an image or video, believing an AI will generate content for them. But instead of receiving an edited video, they're given a ZIP file named "VideoDreamAI.zip." Inside is a file named "Video Dream MachineAI.mp4.exe," disguised to look like a video but actually a malicious program.

What is Noodlophile Stealer?

The Noodlophile Stealer is a new malware strain. It steals browser passwords, cookies, and crypto wallet data. In some cases, it installs a remote access trojan (RAT) called XWorm to let attackers take complete control of the infected device.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports..." Morphisec stated in its report.

Once the fake video file is run, it launches a real-looking but tampered version of CapCut.exe. Hidden inside are multiple layers of malware loaders and scripts.

Some files involved in the infection process include:

  • CapCut.exe: A large, real-looking binary embedding malicious .NET code.
  • AICore.dll: A helper that silently runs system commands.
  • Document.docx: A disguised batch file that downloads more malware.
  • Document.pdf: A Base64-encoded archive (not really a PDF).
  • Meta (later renamed images.exe): A RAR extraction tool used to unpack the payload.

The final Python script (srchost.exe) downloads and launches the actual Noodlophile malware, stealing sensitive data and exfiltrating it via Telegram bots.

The malware uses advanced techniques to avoid detection, like hiding files, obfuscating code, and pinging Google multiple times to check for an internet connection before proceeding. Morphisec reported that the malware eventually downloads a Python-based component that:

  • Steals credentials and cookies.
  • Injects additional malware via shellcode or PE hollowing.
  • Establishes persistence by modifying the Windows Registry.

Who's behind it?

Morphisec researchers traced mentions of "Noodlophile" across hacker forums, where it's being sold under malware-as-a-service (MaaS) packages. It often comes bundled with tools labeled "Get Cookie + Pass," used for hijacking user accounts.

Based on the language used and linked Facebook and GitHub profiles, the developer is believed to be from Vietnam. On GitHub, the developer is self-described as a "passionate Malware Developer from Vietnam." The account was created on March 16.

How to stay safe

  • Avoid downloading executables from unknown AI tool websites.
  • Check file extensions. A file named "video.mp4.exe" is a red flag.
  • Be cautious of too-good-to-be-true AI offers on social media.

As AI tools become ubiquitous, cybercriminals are adapting quickly. This campaign shows how easily hackers exploit public excitement over new tech, turning curiosity into a security nightmare.
