Cybercriminals have unleashed a new malware campaign that uses fake AI video generation platforms as a lure.
Dubbed Noodlophile Stealer, this previously undocumented infostealer targets unsuspecting users by exploiting their enthusiasm for AI-powered content creation tools.
Disguised as legitimate services that promise to turn images into videos, these fraudulent platforms, often promoted through viral social media campaigns and Facebook groups with thousands of views, trick users into downloading malicious payloads that harvest browser credentials, cryptocurrency wallets, and other sensitive data.

In many instances, the malware also deploys a remote access trojan (RAT) like XWorm, granting attackers deeper control over compromised systems.
Cybercriminals Exploit AI Hype
The attack chain begins when users, lured by advertisements for sites mimicking popular tools such as Luma Dream Machine or CapCut, upload personal images or videos to these fake websites.
After a deceptive loading screen, victims are prompted to download their "processed" content, which is actually a malicious ZIP archive such as VideoDreamAI.zip.
Inside, an executable named Video Dream MachineAI.mp4.exe masquerades as a video file through a double extension: Windows hides the trailing .exe by default, so the user sees what looks like an .mp4.
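The double-extension trick is easy to check for mechanically before anything is opened. The script below is an added example written for this page, not code from the original article or from Morphisec's report. It opens a ZIP in memory, flags any member whose name ends in a media suffix followed by an executable suffix (the pattern of Video Dream MachineAI.mp4.exe), and, going one step beyond the article, also flags members that carry a media extension but begin with the PE/DOS "MZ" header. The sample archive is constructed inline from harmless bytes; it contains no real malware.

```python
import io
import zipfile

# Extensions a user expects back from a "video generation" service.
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".png", ".jpg", ".jpeg", ".gif"}
# Extensions Windows will execute (or hand to an interpreter) on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
MZ = b"MZ"  # first two bytes of every PE file (DOS header signature)


def split_exts(name):
    """Return the lowercase suffix chain of a ZIP member name, e.g. ['.mp4', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data):
    """Inspect every member of an in-memory ZIP and return a list of (name, reason).

    Two checks are made:
      1. double extension: a media suffix followed by an executable suffix;
      2. content/extension mismatch: a media suffix over a file whose first
         two bytes are the PE 'MZ' signature.
    Only the first two bytes of each member are read, so this is cheap even
    for a very large wrapper binary.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_exts(info.filename)
            if (len(exts) >= 2 and exts[-1] in EXEC_EXTS
                    and any(e in MEDIA_EXTS for e in exts[:-1])):
                findings.append((info.filename,
                                 "double extension %s" % "".join(exts[-2:])))
            if exts and exts[-1] in MEDIA_EXTS:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == MZ:
                    findings.append((info.filename, "PE header under media extension"))
    return findings


def build_sample_zip():
    """Constructed test archive mimicking the lure; the 'PE' members are just an MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # name pattern from the campaign, body is an inert DOS-stub signature only
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ\x90\x00" + b"\x00" * 60)
        # a PE hiding behind an image extension
        zf.writestr("preview.png", b"MZ\x90\x00" + b"\x00" * 60)
        # a genuine PNG header; must not be flagged
        zf.writestr("readme.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

Run against a real download, replace build_sample_zip() with the bytes of the archive; the check is purely structural and never executes or fully extracts the members. Remember that the name check cannot see a file that was renamed after extraction (the campaign later renames Document.docx to install.bat), so it complements rather than replaces process-level monitoring.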
Upon execution, this 32-bit C++ binary, repurposed from a legitimate version of CapCut, initiates a multi-stage infection process.
It launches CapCut.exe, a 140MB C++ wrapper embedding malicious .NET code, whose sheer size and modular structure help it evade static scanners that skip or truncate large files.
According to Morphisec's report, this loader verifies internet connectivity by pinging Google up to 10 times, renames disguised files such as Document.docx to install.bat, and triggers further infection stages involving Base64-encoded archives and Python payloads fetched from remote servers.
The final payload, Noodlophile Stealer, exfiltrates data via Telegram bots, while XWorm is delivered through techniques such as PE hollowing into legitimate processes like RegAsm.exe or direct shellcode injection, which keep the malicious code out of files on disk and improve evasion.
What sets this campaign apart is its exploitation of AI as a social engineering vector, targeting a trusting audience of creators and small businesses exploring AI for productivity.
Unlike traditional phishing or pirated software lures, these attackers capitalize on the novelty and perceived legitimacy of AI tools.
Open-source intelligence (OSINT) investigations indicate that the developer behind Noodlophile, likely of Vietnamese origin based on social media indicators, actively markets the malware on cybercrime forums as part of a malware-as-a-service (MaaS) model.
The layered obfuscation, combining Base64 encoding, password-protected archives, and in-memory execution, makes detection and analysis challenging, while persistence mechanisms via Windows Registry keys ensure long-term access.
This campaign underscores the evolving tactics of cybercriminals who adapt to emerging tech trends, turning public curiosity into a gateway for data theft and system compromise.
As AI adoption surges, users must remain vigilant, verifying the authenticity of platforms and avoiding unsolicited downloads. Morphisec, for its part, advocates proactive defenses such as Automated Moving Target Defense (AMTD) to neutralize such stealthy threats before execution.
Indicators of Compromise (IOCs)