Cybercriminals Use Fake AI Tools to Distribute New Malware ‘Noodlophile Stealer’
Researchers at Morphisec have issued a warning about cybercriminals exploiting public interest in artificial intelligence by disguising malware as free AI tools. These fake tools are being used to deliver a newly discovered information-stealing malware named Noodlophile Stealer.
Attackers are promoting fake AI video tools through viral social media posts and Facebook groups. Unsuspecting users, often looking for free AI video or image editors, are lured into downloading Noodlophile Stealer. Once installed, the malware collects browser login credentials, cryptocurrency wallet data, and may also install remote access tools such as XWorm.
Morphisec researchers stated that Noodlophile is a previously undocumented malware. It is currently being sold on underground cybercrime forums through malware-as-a-service models. These packages often include credential theft features and are marketed by a developer believed to be based in Vietnam. The same individual has been seen actively engaging in AI-themed posts on Facebook to attract victims.
Fraudulent tools with names like “Dream Machine” or “CapCut” are promoted through scam websites and social media. Morphisec identified posts drawing tens of thousands of views, luring users with promises of AI-generated video or image content. Instead of receiving functional software, users end up installing malware disguised as AI-related applications.
In one such case, victims upload media to a scam website and are prompted to download a ZIP archive called “VideoDreamAI.zip.” Inside the archive is a fake video file named “Video Dream MachineAI.mp4.exe.” Although it appears to be a video file, it is actually a Windows executable designed to look legitimate.
According to Morphisec’s report, the file is a 32-bit C++ program signed with a certificate generated using Winauth. It uses deceptive naming and a repurposed version of the legitimate CapCut video editing software (version 445.0) to appear harmless and bypass basic security checks.
Once launched, this executable searches for and runs another file, “CapCut.exe,” located in its directory. This process activates a .NET loader named “CapCutLoader,” which then retrieves and executes a Python-based malware payload called “srchost.exe.”
The final payload, Noodlophile Stealer, then activates. It extracts stored credentials from web browsers, accesses data from cryptocurrency wallets, and in some cases installs XWorm to allow remote access to the victim’s system.
This campaign is a stark reminder of how attackers continue to exploit trending technology themes to deceive users. Security professionals are advised to educate users about these deceptive tactics and implement protection tools capable of identifying such multi-stage infections.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
