As artificial intelligence (AI) tools gain mainstream traction for content creation, cybercriminals are capitalizing on the hype with a sophisticated new attack vector, fake AI platforms promising advanced video and image editing capabilities. <\/p>\n
These fraudulent sites, amplified through viral social media campaigns and Facebook groups with tens of thousands of views, lure users into uploading personal media, only to deliver a previously undocumented malware dubbed Noodlophile Stealer<\/em>. <\/p>\n This malicious payload steals browser credentials, cryptocurrency wallets, and sensitive data, often deploying a remote access trojan (RAT) like XWorm<\/em> for deeper system control.<\/p>\n According to the Morphisec team report<\/a> exclusively shared with Cyber Security News, The campaign stands out for its exploitation of public enthusiasm for AI-powered tools, targeting creators and small businesses exploring productivity-enhancing technologies. <\/p>\n Unlike traditional phishing or pirated software scams, these attackers craft convincing websites mimicking legitimate AI services, such as video generation platforms. <\/p>\n Social media posts, particularly on Facebook, drive traffic to these sites, with one post alone garnering over 62,000 views.<\/p>\n Users are enticed to upload images or videos, expecting AI-generated content in return. Instead, they are prompted to download a malicious file disguised as their \u201cprocessed\u201d output.<\/p>\n The downloaded file, often a ZIP archive named VideoDreamAI.zip<\/em>, contains an executable misleadingly titled Video Dream MachineAI.mp4.exe<\/em>. <\/p>\n This file masquerades as a video but is a 32-bit C++ application, repurposing a legitimate video editing tool (CapCut, version 445.0) and signed with a fraudulent certificate to evade detection. Upon execution, it initiates a multi-stage infection chain, deploying Noodlophile Stealer<\/em> and, in some cases, XWorm<\/a><\/em>.<\/p>\n Noodlophile Stealer<\/em> is a previously undocumented infostealer, combining browser credential theft, cryptocurrency wallet exfiltration, and optional RAT deployment.<\/p>\n Its modular design and obfuscated delivery make it a formidable addition to the malware ecosystem. The malware communicates stolen data via a Telegram bot, enabling covert exfiltration. <\/p>\n Open-source intelligence (OSINT<\/a>) investigations revealed Noodlophile<\/em> being offered in cybercrime marketplaces as part of malware-as-a-service (MaaS) schemes, alongside tools for account takeover and credential theft. <\/p>\n The developer, likely Vietnamese based on language indicators and social media profiles, actively promotes the malware in related Facebook groups.<\/p>\n The infection begins when users interact with a fake AI site, upload media, and download the malicious ZIP. Inside, a hidden folder (5.0.0.1886<\/em>) contains key components:<\/p>\n The infection proceeds as follows:<\/strong><\/p>\n The final payload includes a Noodlophile<\/em> variant for credential theft and a Python-based XWorm<\/em><\/a> loader with two propagation methods: in-memory shellcode injection or PE hollowing into RegAsm.exe<\/em> to evade detection.<\/p>\n The campaign employs advanced obfuscation, including base85 decoding, zlib decompression, and Python\u2019s marshal<\/em> module to execute payloads in-memory, avoiding disk-based detection. <\/p>\n A Python script (randomuser2025.txt<\/em>) contains 10,000 redundant operations to break automated analysis tools. The use of legitimate tools like certutil.exe<\/em> and RegAsm.exe<\/em> further complicates detection.<\/p>\n This campaign highlights the growing sophistication of cybercriminals in exploiting emerging technologies. By weaponizing trust in AI, attackers target a broader, less skeptical audience. <\/p>\n The introduction of Noodlophile Stealer<\/em> underscores the evolving malware landscape, with MaaS models enabling rapid proliferation. <\/p>\n Users are urged to verify the legitimacy of AI platforms, avoid downloading files from untrusted sources, and employ robust security solutions to detect multi-stage threats.<\/p>\n The post Beware! Fake AI Video Generation Platforms Drop Stealer Malware on Your Computers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Lure: Fake AI Platforms<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/www.morphisec.com\/wp-content\/uploads\/2025\/05\/image-1.png?ssl=1\")
<\/figure>\n![\"\"](\"https:\/\/i0.wp.com\/www.morphisec.com\/wp-content\/uploads\/2025\/05\/image-3.png?ssl=1\")
<\/figure>\n![\"\"](\"https:\/\/i0.wp.com\/www.morphisec.com\/wp-content\/uploads\/2025\/05\/image-6.png?ssl=1\")
Noodlophile Stealer<\/strong><\/h2>\n
The Attack Chain<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/www.morphisec.com\/wp-content\/uploads\/2025\/05\/VideoDream_AI_Diagram_5.png?ssl=1\")
\n
\n
Are you from the SOC and DFIR Teams? \u2013 Analyse Real time Malware Incidents with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/p>\n