Fake AI Tools Used to Spread Noodlophile Malware, Targeting 62,000+ via Facebook Lures



May 12, 2025
Ravie Lakshmanan
Malware / Artificial Intelligence

Fake AI Tools Used to Spread Malware

Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile.

“Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns,” Morphisec researcher Shmuel Uzan said in a report published last week.

Posts shared on these pages have been found to attract over 62,000 views on a single post, indicating that users looking for AI tools for video and image editing are the target of this campaign. Some of the fake social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros.

Users who land on the social media posts are urged to click on links that advertise AI-powered content creation services, including videos, logos, images, and even websites. One of the bogus websites masquerades as CapCut AI, offering users an “all-in-one video editor with new AI features.”


Once unsuspecting users upload their image or video prompts on these sites, they are then asked to download the supposed AI-generated content, at which point a malicious ZIP archive (“VideoDreamAI.zip”) is downloaded instead.

Present within the archive is a deceptive file named “Video Dream MachineAI.mp4.exe” that kick-starts the infection chain by launching a legitimate binary associated with ByteDance’s video editor (“CapCut.exe”). This C++-based executable is used to run a .NET-based loader named CapCutLoader that, in turn, ultimately loads a Python payload (“srchost.exe”) from a remote server.

The Python binary paves the way for the deployment of Noodlophile Stealer, which comes with capabilities to harvest browser credentials, cryptocurrency wallet information, and other sensitive data. Select instances have also bundled the stealer with a remote access trojan like XWorm for entrenched access to the infected hosts.
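The lure relies on a media-looking double extension (“.mp4.exe”) to get a user to run a PE file from a downloaded ZIP. The following is an added example, not code from the article or from Morphisec, of a simple triage check a defender can run over a downloaded archive: it flags entries whose name ends in a media extension followed by an executable extension, and entries whose contents begin with the PE “MZ” magic regardless of name. The sample archive it builds is constructed here to mirror the file name described above; its payload is a stand-in, not the real binary.

```python
import io
import re
import zipfile

# Extensions a victim expects for "AI-generated content", and extensions Windows
# will actually execute. The masquerade pattern is media-then-executable.
MEDIA_EXTS = {"mp4", "mov", "avi", "png", "jpg", "jpeg", "gif", "mp3", "wav"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
DOUBLE_EXT = re.compile(r"\.([a-z0-9]+)\.([a-z0-9]+)$", re.IGNORECASE)


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return archive entries that look like media but are executables.

    Two independent signals are recorded per entry: a media-then-executable
    double extension in the name, and a PE header ('MZ') at the start of the data.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]  # ignore any directory prefix
            m = DOUBLE_EXT.search(name)
            double_ext = (m is not None
                          and m.group(1).lower() in MEDIA_EXTS
                          and m.group(2).lower() in EXEC_EXTS)
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
            if double_ext or is_pe:
                findings.append({"name": info.filename,
                                 "double_ext": double_ext,
                                 "pe_header": is_pe})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mirroring the lure described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for the payload: just the PE magic plus padding.
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"Your AI video is ready.")
        zf.writestr("preview.png", b"\x89PNG\r\n\x1a\n")  # benign-looking filler
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_entries(build_sample_zip()):
        print(finding)
```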


The developer of Noodlophile is assessed to be of Vietnamese origin, who, on their GitHub profile, claims to be a “passionate Malware Developer from Vietnam.” The account was created on March 16, 2025. It's worth mentioning that the Southeast Asian nation is home to a thriving cybercrime ecosystem that has a history of distributing various stealer malware families targeting Facebook.

Bad actors weaponizing public interest in AI technologies to their advantage is not a new phenomenon. In 2023, Meta said it took down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI’s ChatGPT as a lure to propagate about 10 malware families since March 2023.


The disclosure comes as CYFIRMA detailed another new .NET-based stealer malware family codenamed PupkinStealer that can steal a wide range of data from compromised Windows systems and exfiltrate it to an attacker-controlled Telegram bot.

“With no specific anti-analysis defenses or persistence mechanisms, PupkinStealer relies on simple execution and low-profile behavior to avoid detection during its operation,” the cybersecurity company said. “PupkinStealer exemplifies a simple yet effective form of data-stealing malware that leverages common system behaviors and widely used platforms to exfiltrate sensitive information.”
