In a concerning development, cybercriminals are leveraging counterfeit artificial intelligence (AI) tools to disseminate the Noodlophile information-stealing malware. These malicious actors craft convincing AI-themed platforms, often promoted through legitimate-looking Facebook groups and viral social media campaigns, to lure unsuspecting users into downloading harmful software.
The Deceptive Strategy
Unlike traditional phishing methods or cracked software sites, these attackers create sophisticated AI-themed websites that appear authentic. They advertise these platforms via Facebook groups and social media campaigns, attracting users interested in AI-powered content creation tools. Some of the fraudulent social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratitustlibros.
One notable example is a bogus website masquerading as CapCut AI, claiming to offer an all-in-one video editor with new AI features. Users are enticed to upload their images or video prompts, after which they are prompted to download the supposed AI-generated content. However, instead of receiving the promised content, users download a malicious ZIP archive named VideoDreamAI.zip.
The Infection Chain
Within the downloaded ZIP file is a deceptive executable file titled Video Dream MachineAI.mp4.exe. When executed, this file initiates a complex infection chain:
1. Execution of Legitimate Binary: The malicious executable launches a legitimate binary associated with ByteDance’s video editor, CapCut.exe.
2. Loader Activation: This binary runs a .NET-based loader named CapCutLoader.
3. Payload Deployment: The loader fetches and executes a Python payload (srchost.exe) from a remote server.
4. Malware Installation: The Python binary facilitates the deployment of Noodlophile Stealer, a malware designed to harvest browser credentials, cryptocurrency wallet information, and other sensitive data.
In some instances, the stealer is bundled with a remote access trojan like XWorm, granting attackers prolonged access to the infected systems.
The Developer’s Profile
Investigations reveal that the developer of Noodlophile is likely of Vietnamese origin. Their GitHub profile, created on March 16, 2025, describes them as a passionate Malware Developer from Vietnam. This aligns with reports of a thriving cybercrime ecosystem in Southeast Asia, particularly in Vietnam, known for distributing various stealer malware families targeting Facebook users.
Broader Implications
The exploitation of public interest in AI technologies by malicious actors is not unprecedented. In 2023, Meta reported the removal of over 1,000 malicious URLs shared across its services. These URLs leveraged OpenAI’s ChatGPT as a lure to propagate approximately ten malware families since March 2023.
The emergence of Noodlophile Stealer underscores the evolving tactics of cybercriminals who continuously adapt to exploit current technological trends. By masquerading as cutting-edge AI tools, they effectively deceive users into compromising their systems.
Protective Measures
To safeguard against such threats, users are advised to:
– Verify Sources: Only download software from official and reputable sources.
– Be Cautious of Social Media Links: Exercise caution when clicking on links from social media platforms, even if they appear legitimate.
– Use Security Software: Employ robust antivirus and anti-malware solutions to detect and prevent infections.
– Stay Informed: Keep abreast of the latest cybersecurity threats and tactics employed by malicious actors.
By remaining vigilant and adopting these protective measures, users can significantly reduce the risk of falling victim to such deceptive schemes.
