Cybersecurity researchers at Morphisec have uncovered a new wave of malicious campaigns exploiting the growing public interest in artificial intelligence (AI) to distribute a dangerous information-stealing malware known as Noodlophile.

Unlike traditional phishing schemes or malware hidden in pirated software, threat actors are now creating elaborate, AI-themed platforms that impersonate legitimate services. These fake websites are promoted through convincing Facebook groups and viral social media posts designed to attract users searching for AI tools for image and video editing.

According to Morphisec, some of these deceptive posts have garnered over 62,000 views, demonstrating the widespread reach of the campaign. Pages like Luma Dreammachine AI, Luma Dreammachine, and gratistuslibros have been identified as part of the operation.

Once users are lured to these sites and upload image or video prompts, they are prompted to download what they believe to be AI-generated content. Instead, they receive a malicious ZIP file named “VideoDreamAI.zip”. Inside is an executable file “Video Dream MachineAI.mp4.exe”, which masquerades as a video editor but actually initiates the malware infection.

[Figure: Attack Chain of Noodlophile Malware]

This file first launches a legitimate video editing application, ByteDance’s CapCut.exe, as a decoy. Simultaneously, it executes a secondary loader dubbed CapCutLoader, a .NET-based tool that ultimately downloads and runs a Python-based payload (srchost.exe) from a remote server.

The final stage delivers Noodlophile Stealer, a potent malware capable of harvesting browser credentials, cryptocurrency wallets, and other sensitive information. In some cases, the malware is paired with XWorm, a remote access trojan (RAT), enabling persistent control over infected systems.
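The lure above hinges on a double extension (“.mp4.exe”) that Windows Explorer shows as a harmless video when extensions are hidden. The following added triage script, which is not Morphisec’s code or part of the article, inspects a ZIP archive for that pattern and for members whose bytes carry a PE header under a non-executable name; the archive contents are constructed here as a harmless stand-in, not the real payload.

```python
import io
import zipfile

# Media extensions an "AI-generated video" download is expected to carry,
# and the executable extensions the Noodlophile lure hid behind them.
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".jpg", ".jpeg", ".png", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious ZIP member (name plus reasons)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look only at the base name; split off every dotted extension.
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            reasons = []
            # 'clip.mp4.exe': an executable extension right after a media one.
            if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in MEDIA_EXTS:
                reasons.append("double extension: media name hiding an executable")
            # Content check: a PE file starts with 'MZ' regardless of its name.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and (not exts or exts[-1] not in EXEC_EXTS):
                reasons.append("PE header (MZ) under a non-executable name")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure; members hold only a stub 'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("output.mp4", b"MZ" + b"\x00" * 62)  # PE bytes, media name
        zf.writestr("readme.txt", b"Your AI video is inside.")  # benign member
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f["member"], "->", "; ".join(f["reasons"]))
```

Run it against a real download before extraction; a hit on either check is reason to quarantine the archive rather than open it.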

This type of deception isn’t new. In 2023, Meta reported removing over 1,000 malicious URLs from its platforms. Many of these links used OpenAI’s ChatGPT as bait to spread malware linked to at least 10 different families.

The discovery of the Noodlophile campaign comes alongside a separate report from cybersecurity firm CYFIRMA, which detailed a new .NET-based stealer called PupkinStealer. This malware can siphon extensive data from infected Windows machines and transmit it to attackers via Telegram bots.

Cybersecurity experts urge users to remain cautious when downloading AI tools from unofficial sources and to verify the authenticity of platforms advertised on social media.

Source: hxxps[://]www[.]morphisec[.]com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/