In the ever-evolving landscape of cybercrime, attackers are once again proving their adaptability by exploiting the latest technological trends. The rise of AI-powered content creation has brought both innovation and risk, as evidenced by a newly uncovered threat: Noodlophile Stealer a stealthy and highly modular info-stealing malware now being distributed through fake AI video generation platforms. These malicious campaigns, targeting content creators and small businesses, mask their intentions behind what appears to be legitimate AI tools, luring victims into downloading their own compromise.
As generative AI tools for video, music, and image transformation have gone viral, so too has the criminal interest in weaponizing public excitement. Unlike traditional phishing lures or software cracks, the Noodlophile Stealer campaign leverages fabricated AI platforms promoted on social media, including Facebook groups with tens of thousands of followers. Victims are invited to upload media and receive AI-generated content only to unknowingly download a malicious payload.
This tactic marks a significant evolution in social engineering: AI hype as a malware vector.
Anatomy of the Attack: From Fake AI Tool to Full System Compromise
Step 1: Social Engineering via Facebook
Malicious actors use fake AI platform promotions with names like “Dream Machine” or “CapCut AI” across viral posts and groups. One post observed gathered over 62,000 views, drawing users to download the “latest AI video converter.”
Step 2: Landing on a Fake Website
Once on the site, users are instructed to upload media files and await processing. A fake loading screen simulates AI work before prompting the user to download a file usually a ZIP archive, ostensibly containing the result.
Step 3: Malicious Payload Delivery
Instead of a video, users download VideoDreamAI.zip, which includes:
- A deceptively named executable:
Video Dream MachineAI.mp4.exe CapCut.exe: A 140MB binary embedding .NET malwareAICore.dll: A command execution helper- A hidden folder with obfuscated scripts and payloads
Step 4: Execution and Persistence
- The executable launches
CapCut.exe, which in turn invokes a .NET loader. - System checks ensure connectivity; the malware then reconstructs disguised files into scripts.
- The malware uses
certutil.exeto decodeDocument.pdf, which isn’t a PDF at all but a Base64 RAR archive. - Final-stage payloads include:
- Noodlophile Stealer: Steals browser credentials, cookies, tokens, and crypto wallets.
- XWorm RAT (variant 5.2): Provides backdoor access, persistence, and lateral movement through shellcode injection or PE hollowing.
Threat Actor Profile and Infrastructure
Open-source intelligence links the malware’s origin to Vietnamese-speaking developers active in malware-as-a-service (MaaS) forums. Facebook profiles associated with Noodlophile offer “Get Cookie + Pass” services and credential theft kits. The use of Telegram bots for data exfiltration further supports its sophistication.
Payloads are obfuscated using:
- Marshal + zlib + base85 encoding
- Dummy operations (e.g., 10,000 lines of
1 / int(0)) to break analysis tools
What Makes Noodlophile Unique?
- New Entrant: Noodlophile was previously unlisted in known malware databases.
- AI-Driven Lure: First major campaign using fake AI as primary bait.
- Modular and Layered: Employs native binaries, embedded .NET loaders, LOLBins, and obfuscated Python.
- Signed Malware: Utilizes certificates from Winauth for legitimacy.
- Multistage Infection Chain: Highly persistent, stealthy, and evasive.
10 Cybersecurity Best Practices to Prevent Such Attacks
- Educate Teams About Social Engineering Trends
Awareness campaigns must include emerging lures like AI tools. - Avoid Downloading Tools from Unverified Sources
Always download from official domains, not third-party groups or forums. - Use Threat Intelligence Feeds
Subscribe to industry threat intel to stay ahead of trending malware tactics. - Implement Application Whitelisting
Prevent execution of unauthorized scripts and binaries. - Deploy Endpoint Detection and Response (EDR)
EDR platforms can catch behavior anomalies missed by legacy antivirus. - Monitor Social Media for Brand Impersonation
Track AI brand mentions to spot fake impersonators early. - Restrict Script Execution with GPO
Lock down PowerShell, Python, and batch scripts for non-admin users. - Leverage DNS Filtering
Block access to known malicious domains, often linked in fake campaigns. - Regular Patch Management
Update browsers and runtime environments (like .NET and Python) to limit vulnerabilities. - Perform Regular Cyber Drills
Simulate multi-stage threats and train employees to recognize sophisticated phishing attempts.
Conclusion
The Noodlophile Stealer represents a new wave of cyber threats capitalizing on the generative AI boom. Its multi-layered attack chain, evasive delivery methods, and focus on social media as a distribution vector underscore a growing need for vigilance in this space. As organizations and individuals embrace AI, the line between innovation and exploitation continues to blur.
Cyber defenders must evolve just as quickly harnessing AI, automation, and collaboration to detect and neutralize threats that now come dressed as progress.
