https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms
Cybersecurity researchers have discovered a sophisticated malware campaign using fake artificial intelligence tools to distribute an information-stealing malware called Noodlophile. The operation, which has reached over 62,000 views on a single Facebook post, specifically targets users searching for AI-powered video and image editing applications.
“Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns,” explained Morphisec researcher Shmuel Uzan in a report published last week.
The threat actors have created multiple deceptive social media pages, including “Luma Dreammachine Al,” “Luma Dreammachine,” and “gratistuslibros,” which advertise AI-powered content creation services for videos, logos, images, and websites. One particularly convincing fraudulent site impersonates CapCut AI, claiming to offer an “all-in-one video editor with new AI features.”
The infection process begins when victims upload their images or videos to these fake AI tools. Rather than receiving the AI-generated content they expect, users are prompted to download what turns out to be a malicious ZIP archive named “VideoDreamAI.zip.” Inside this archive is a disguised executable file (“Video Dream MachineAI.mp4.exe”) that launches a legitimate ByteDance video editor application (“CapCut.exe”) to avoid suspicion while simultaneously executing malicious code.
This initial executable triggers a multi-stage infection chain involving a .NET-based loader called CapCutLoader, which ultimately downloads and executes a Python payload (“srchost.exe”) from a remote server. The final payload deploys the Noodlophile Stealer, designed to harvest browser credentials, cryptocurrency wallet information, and other sensitive data from infected systems. Some instances have been found bundled with XWorm, a remote access trojan that provides attackers with persistent access to compromised devices.
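The lure in this chain is an executable whose name ends in a media extension followed by ".exe", so it reads as a video in a file listing that hides known extensions. The following added example (not code from the article or from Morphisec) flags such double-extension and bare executable members inside a ZIP without extracting anything; the archive it scans is constructed in memory with the member name quoted in the report and dummy contents, and the extension lists are assumptions, not exhaustive.

```python
import io
import zipfile

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Decoy extensions placed before the real one so the file looks like media or a document.
DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def classify_name(name: str):
    """Return a reason string if the member name looks like a masquerading or bare
    executable, else None. Only the file name after the last '/' is examined."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    real_ext = "." + parts[-1].strip()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    # Any decoy extension between the base name and the real extension is a masquerade.
    decoys = [e for e in ("." + p.strip() for p in parts[1:-1]) if e in DECOY_EXTS]
    if decoys:
        return f"double extension: {decoys[-1]} before {real_ext}"
    return f"executable member ({real_ext})"


def scan_names(names):
    """Apply classify_name to a list of member names; returns [(name, reason), ...]."""
    return [(n, r) for n in names for r in [classify_name(n)] if r]


def scan_zip(zip_bytes: bytes):
    """Scan every file member of a ZIP held in memory; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return scan_names([i.filename for i in zf.infolist() if not i.is_dir()])


def build_sample_archive() -> bytes:
    """Constructed sample archive mirroring the layout described in the article.
    The member name is taken from the report; the bytes are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ placeholder content")
        zf.writestr("preview.jpg", b"not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_archive()):
        print(f"{member}: {reason}")
```

The same name check can be applied to mail-gateway attachment logs or EDR file-creation events, where the extension pattern is visible even when the archive itself is not.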
Researchers believe the developer of Noodlophile is likely based in Vietnam. The attacker’s GitHub profile, created on March 16, 2025, explicitly identifies them as a “passionate Malware Developer from Vietnam.” Security experts note that Vietnam has become a hub for cybercriminal operations specializing in stealer malware that frequently targets Facebook users.
This campaign is part of a growing trend of cybercriminals exploiting public enthusiasm for AI technologies. Meta previously reported that, since March 2023, it has removed more than 1,000 malicious URLs from its platforms that used OpenAI’s ChatGPT as bait to distribute various malware families.
The discovery coincides with CYFIRMA’s recent report on another emerging threat called PupkinStealer, a .NET-based malware that exfiltrates stolen data through Telegram bots, highlighting the continued evolution of information-stealing malware leveraging popular platforms for data exfiltration.