4 Sources
[1]
Fake AI Tools Used to Spread Noodlophile Malware, Targeting 62,000+ via Facebook Lures
Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile. "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms - often advertised via legitimate-looking Facebook groups and viral social media campaigns," Morphisec researcher Shmuel Uzan said in a report published last week. Posts shared on these pages have been found to attract over 62,000 views on a single post, indicating that users looking for AI tools for video and image editing are the target of this campaign. Some of the fake social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros. Users who land on the social media posts are urged to click on links that advertise AI-powered content creation services, including videos, logos, images, and even websites. One of the bogus websites masquerades as CapCut AI, offering users an "all-in-one video editor with new AI features." Once unsuspecting users upload their image or video prompts on these sites, they are then asked to download the supposed AI-generated content, at which point a malicious ZIP archive ("VideoDreamAI.zip") is downloaded instead. Present within the file is a deceptive file named "Video Dream MachineAI.mp4.exe" that kick-starts the infection chain by launching a legitimate binary associated with ByteDance's video editor ("CapCut.exe"). This C++-based executable is used to run a .NET-based loader named CapCutLoader that, in turn, ultimately loads a Python payload ("srchost.exe") from a remote server. The Python binary paves the way for the deployment of Noodlophile Stealer, which comes with capabilities to harvest browser credentials, cryptocurrency wallet information, and other sensitive data. Select instances have also bundled the stealer with a remote access trojan like XWorm for entrenched access to the infected hosts. 
The developer of Noodlophile is assessed to be of Vietnamese origin, who, on their GitHub profile, claims to be a "passionate Malware Developer from Vietnam." The account was created on March 16, 2025. It's worth pointing out that the Southeast Asian nation is home to a thriving cybercrime ecosystem that has a history of distributing various stealer malware families targeting Facebook. Bad actors weaponizing public interest in AI technologies to their advantage is not a new phenomenon. In 2023, Meta said it took down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023. The disclosure comes as CYFIRMA detailed another new .NET-based stealer malware family codenamed PupkinStealer that can steal a wide range of data from compromised Windows systems and exfiltrate it to an attacker-controlled Telegram bot. "With no specific anti-analysis defenses or persistence mechanisms, PupkinStealer depends on straightforward execution and low-profile behavior to avoid detection during its operation," the cybersecurity company said. "PupkinStealer exemplifies a simple yet effective form of data-stealing malware that leverages common system behaviors and widely used platforms to exfiltrate sensitive information."
[2]
Fake AI Tools Used to Spread Noodlophile Crypto Wallet Stealing Malware - Decrypt
Noodlophile stealer, which researchers suspect originated in Vietnam, can include additional remote access trojans. People are being tricked into downloading fake AI tools as a way to spread the information stealer malware Noodlophile. This malware is able to harvest browser credentials, cryptocurrency wallet information and more sensitive data, according to a security researcher. Morphisec researcher Shmuel Uzan said, in a report, "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms - often advertised via legitimate-looking Facebook groups and viral social media campaigns." The attackers build convincing AI-themed platforms which can then be advertised on Facebook groups or social media campaigns. While these may look legitimate, they are simply fronts to get people to download the malware hidden in what appears to be AI tools. These sorts of posts, shared on Facebook, have reached views as high as 62,000, from a single post alone. Some of the fake social media pages identified are: Luma Dreammachine AI, Luma Dreammaching and gratistuslibros. Once a user clicks on a post they are taken to apparently free AI editing tools and urged to upload their image or video. They are then asked to download what looks like the AI tool, but is actually a malicious ZIP archive called VideoDreamAI.zip. This leads to a Python binary paving the way to deploy the Noodlophile Stealer. Some instances have also seen the data stealer bundled with remote access trojans like XWorm, for more control over the host's machine and data. The Noodlophile malware is assessed to be of Vietnamese origin, according to a GitHub profile that claims to be that of "a passionate Malware Developer from Vietnam." Authorities have said that cybercrime is especially prevalent in Southeast Asia and there is a history of distributing stealer software using the Facebook platform specifically.
[3]
This AI Video Generator Is Spreading Malware
Noodlophile steals account credentials and crypto wallet files. Cyber attackers are capitalizing on user demand for AI-generated content by spreading malware targeted at creators and small businesses in the form of fake AI content services. As Bleeping Computer reports, a new infostealer known as Noodlophile exfiltrates web browser data, including account credentials, session cookies, tokens, and cryptocurrency wallet files. The malware may also be deployed with XWorm, which gives attackers remote access to your device in order to steal sensitive information and install ransomware. According to a threat analysis by security firm Morphisec, Noodlophile hides in fake AI video generators -- notably, those named "Dream Machine." These tools are advertised on Facebook, leading users to fraudulent websites to upload images or video to create AI-generated content. Users are then prompted to download a completed video as a ZIP archive named VideoDreamAI.zip, which contains an executable file (Video Dream MachineAI.mp4.exe) as well as hidden folders with components to infect the target's device with malware. The scheme uses legitimate editing tools you might find in a video editor like CapCut, as well as files disguised as PDFs and Word docs to avoid detection by both users and malware scanners. Once deployed, Noodlophile communicates stolen information back to hackers in real time using a Telegram bot. Always use caution when downloading and executing files from the internet, especially when using websites you don't know and trust. Noodlophile hides behind a seemingly benign file name verified with a certificate created via WinAuth, so it may not seem suspicious on the surface. But if you look at the file extension -- which you should always verify -- you'll see that it's actually a .exe, not a .mp4 video. Make sure file extensions are set to show on your device, as having these hidden allows hackers to spread malware undetected. 
You can also use a malware scanner to check downloads before opening them.
[4]
Using the Wrong AI Video Generator Could Infect Your PC With Malware
There are plenty of free AI image and video generators out there, but some can be outright dangerous to use. If you end up using the wrong AI video generator, you'll get a side of malware served with it.
AI Video Generators Are Distributing Malware
A new info-stealing malware called Noodlophile is hiding in fake AI video generators. Security experts at Morphisec discovered the campaign, claiming that these fake websites use names like "Dream Machine" and advertise their services on Facebook groups to attract more users. The sites will ask you to upload a sample image that their AI will convert into a video and offer the result as a ZIP archive for download. Since Windows does not show file extensions in Windows File Explorer by default, the file will appear as an MP4 video file to most people at first glance. In reality, it's an executable file with a repurposed version of CapCut (version 445.0). The executable is also signed using a security certificate to evade suspicion. If you double-click the fake MP4 to see the AI-generated video you just downloaded, it'll open CapCut and run a batch script in the background. The batch script uses the legitimate Windows tool certutil.exe to extract a password-protected RAR archive impersonating a PDF file. It also adds a new registry key to Windows for persistent access to your system. Finally, another process is executed, which runs a hidden Python script that loads the actual infostealer. The script also checks whether Avast antivirus is installed on the device. If yes, the infostealer is injected into the RegAsm.exe process; otherwise, it's loaded into your system's memory. Once executed, Noodlophile can steal your browser data from major browsers, including Chrome, Edge, Brave, Opera, and other Chromium-based browsers you might have installed on your PC. If you've got any crypto wallet extensions installed, they get raided too.
Researchers found that in some cases, the Noodlophile infostealer was bundled with XWorm, a remote access trojan (RAT) that gives the hacker admin privileges on your system. They can then control your system or upload other malware freely. All the stolen data is sent back to a Telegram bot that also doubles up as a command-and-control (C2) server for the infostealer. This also gives the hackers real-time access to the stolen data.
Be Careful of Free AI Tools
The best way of protecting yourself from such malware is to simply avoid using shady AI tools or any website that you don't trust. We've got a list of the best AI video generators to get you started. I would recommend you enable file extensions in Windows 11 to be able to see what kind of file you're running. Hackers often add double extensions to files and rely on the user not being able to see the actual file extension, simply because this Windows setting is disabled by default. Keep your OS and antivirus updated, don't run files you randomly found on the internet without checking them, stick to legitimate and trusted web tools, and you'll be good to go.
A new malware campaign exploits the popularity of AI tools to spread Noodlophile, an information stealer that targets browser credentials, cryptocurrency wallets, and other sensitive data.
A sophisticated malware campaign is leveraging the growing interest in AI-powered tools to spread a dangerous information stealer called Noodlophile. Cybersecurity researchers at Morphisec have uncovered a scheme where threat actors create convincing AI-themed platforms to lure unsuspecting users into downloading malicious software [1].
The attackers are using legitimate-looking Facebook groups and viral social media campaigns to advertise their fake AI tools. Posts on these platforms have garnered significant attention, with a single post attracting over 62,000 views. The campaign specifically targets users seeking AI tools for video and image editing [1].
When users visit these fraudulent websites, they are prompted to upload images or videos for AI-generated content. Instead of receiving the promised AI-created material, victims unknowingly download a malicious ZIP archive named "VideoDreamAI.zip". This archive contains an executable file disguised as a video, which initiates a complex infection chain [2].
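Added example, not code from Morphisec or any of the cited reports: a Python check that inspects a downloaded ZIP for the two deceptions described above, an entry whose name ends in an executable extension behind a media-style one (like "Video Dream MachineAI.mp4.exe") and an entry whose leading bytes contradict its claimed extension (a RAR archive named as a PDF). The archive it scans is constructed in memory with fake stand-in bytes, not the real payload.

```python
import io
import zipfile

# Leading bytes of formats the campaign abused (PE executable, RAR archive); constructed table.
MAGIC = {b"MZ": "PE executable", b"Rar!\x1a\x07": "RAR archive"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
MEDIA_DOC_EXTS = {".mp4", ".mov", ".avi", ".pdf", ".docx", ".jpg", ".png"}


def classify_entry(name, head):
    """Return findings for one archive entry given its name and first bytes."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]  # every extension after the base name
    # Deception 1: a media/document extension hidden in front of an executable one.
    inner = [e for e in exts[:-1] if e in MEDIA_DOC_EXTS]
    if exts and exts[-1] in EXEC_EXTS and inner:
        findings.append("double extension: looks like %s but runs as %s" % (inner[0], exts[-1]))
    # Deception 2: the bytes say executable/archive while the name claims media/document.
    for magic, kind in MAGIC.items():
        if head.startswith(magic) and exts and exts[-1] in MEDIA_DOC_EXTS:
            findings.append("content is a %s but the name claims %s" % (kind, exts[-1]))
    return findings


def scan_zip(data):
    """Map each suspicious entry name in a ZIP (bytes) to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed, never execute the entry
            hits = classify_entry(info.filename, head)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip():
    """Constructed stand-in for the lure archive; the bytes are dummies, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)  # PE header stub
        zf.writestr("hidden/Document.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)  # RAR as PDF
        zf.writestr("hidden/readme.txt", b"hello")  # benign control entry
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_zip(build_sample_zip()).items():
        print(entry, "->", "; ".join(hits))
```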
Once deployed, Noodlophile exhibits powerful data-stealing capabilities:
- Web browser data, including account credentials, session cookies, and tokens [3]
- Cryptocurrency wallet files and data from installed crypto wallet extensions [3] [4]
- Data from major browsers such as Chrome, Edge, Brave, Opera, and other Chromium-based browsers [4]
In some instances, the malware is bundled with a remote access trojan called XWorm, granting attackers deeper control over the compromised devices [2].
The stolen information is transmitted in real-time to the attackers using a Telegram bot, which also serves as a command-and-control server for the malware. This setup allows hackers immediate access to the exfiltrated data [4].
Researchers suspect that Noodlophile originates from Vietnam, based on a GitHub profile claiming to be a "passionate Malware Developer from Vietnam." This aligns with observations of a thriving cybercrime ecosystem in Southeast Asia, particularly focused on distributing stealer malware through Facebook [1].
To safeguard against such threats, cybersecurity experts recommend:
- Enabling the display of file extensions in Windows so that a file like "Video Dream MachineAI.mp4.exe" is visibly an executable rather than a video [3] [4]
- Avoiding unfamiliar or untrusted AI tools and websites, and only downloading from sources you know and trust [3] [4]
- Checking downloads with a malware scanner before opening them [3]
- Keeping the operating system and antivirus software updated [4]
This campaign underscores the evolving tactics of cybercriminals, who are quick to exploit public interest in emerging technologies like AI to distribute malware and compromise user security.