Fake AI Video Tools Platforms Drop New Noodlophile Infostealer Malware

Cybercriminals are leveraging fake AI-powered video generation tools to spread a new information-stealing malware family dubbed Noodlophile. Masquerading as an MP4 video file, the malware initiates a multi-stage infection chain designed to harvest browser credentials, session cookies and cryptocurrency wallet data. Exfiltration is carried out via a Telegram bot, and in some instances the malware is bundled with remote access tools such as XWorm. This campaign underscores the rising trend of using AI-themed lures to deliver advanced malware threats.

Technical Description

Scammers are deploying fake AI tools and deceptive Facebook ads to distribute the Noodlophile Stealer malware, executing a multi-stage attack aimed at stealing user credentials. These malicious platforms, often branded with names like “Dream Machine”, pose as sophisticated AI applications capable of generating videos from user-uploaded files. Promoted through eye-catching Facebook advertisements, they are carefully crafted to entice users into interacting with what appears to be legitimate, state-of-the-art AI technology.

What Makes This Campaign Noteworthy:

What sets this campaign apart is its use of AI as a social engineering lure, leveraging a legitimate, rapidly growing trend to deliver malware. Unlike traditional campaigns that rely on disguises like pirated software or game cheats, this operation targets a newer, more trusting demographic: content creators and small businesses experimenting with AI tools for productivity.

Additionally, Noodlophile Stealer appears to be a previously unreported threat in the malware landscape. It blends credential theft, crypto wallet exfiltration, and optional deployment of remote access tools, marking a novel and evolving threat in the cybercriminal arsenal.

Introduction of Noodlophile in the Malware-as-a-Service Ecosystem:

The Noodlophile malware marks a significant addition to the expanding Malware-as-a-Service (MaaS) landscape. Actively traded on dark web forums, it is often bundled with offerings labeled “Get Cookie + Pass,” indicating its primary function: harvesting sensitive user data such as browser credentials and authentication tokens. Threat intelligence suggests that the campaign is operated by Vietnamese-speaking actors, reflecting the increasingly global nature of cybercrime operations.

Social Engineering via Fake AI Video Tools:

The infection chain is triggered when a user interacts with one of the fraudulent AI-powered video generation platforms. These websites prompt users to upload a file in exchange for AI-generated media. Instead of receiving a legitimate video, victims are delivered a ZIP archive containing a malicious file, misleadingly named something like Video_DreamMachineAI.mp4.exe. This filename is crafted to appear as a harmless video file, particularly on Windows systems, where file extensions are hidden by default, a default setting that attackers routinely abuse.

Stealthy Multi-Stage Infection Process

The embedded executable is a trojanized version of CapCut, a legitimate video editing tool, digitally signed with a certificate created using Winauth to bypass security defenses. When launched, it executes a multi-layered infection chain:

  • A disguised batch script (Document.docx/install.bat) leverages the built-in Windows utility certutil.exe to decode a password-protected RAR archive masquerading as a PDF.
  • The malware modifies the system registry to establish persistence across reboots.
  • A final Python-based payload is downloaded from a hardcoded server and executed in memory under the name srchost.exe.

Noodlophile adjusts its behavior based on the endpoint’s security environment. If Avast antivirus is detected, it uses process hollowing to inject code into RegAsm.exe; otherwise, it defaults to classic shellcode injection for memory-resident execution.
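As an added detection example (not code from the original advisory or from any vendor), the following Python hunt runs over constructed process-creation events shaped like Sysmon Event ID 1 fields and flags the four observable traits of the chain described above: a media-looking double extension, certutil.exe used with -decode, the svchost.exe look-alike name srchost.exe, and RegAsm.exe launched from a user-writable path. Field names and the sample events are assumptions built for this illustration.

```python
# Added example: hunt for the Noodlophile infection chain in process-creation events.
# Event dicts and field names (image, cmdline, parent) are constructed assumptions.
import re

# Constructed sample events: one per stage of the chain plus one benign browser start.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\Video_DreamMachineAI.mp4.exe",
     "cmdline": "Video_DreamMachineAI.mp4.exe", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": 'certutil.exe -decode "Document.docx\\file.pdf" out.rar',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\srchost.exe",
     "cmdline": "srchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\srchost.exe"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe", "parent": r"C:\Windows\explorer.exe"},
]

# A media/document extension immediately followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mov|mkv|jpg|png|pdf|docx)\.(exe|scr|com|bat|cmd)$", re.I)
# srchost.exe is a one-letter look-alike of the legitimate svchost.exe.
LOOKALIKE_NAMES = {"srchost.exe"}
# RegAsm.exe is normally started by installers or build tooling; a parent living in a
# user-writable directory matches the hollowing pattern the advisory describes.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp)\\", re.I)

def classify(ev: dict) -> list[str]:
    """Return the rule names an event triggers (empty list means nothing matched)."""
    hits = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    if DOUBLE_EXT.search(name):
        hits.append("masquerading_double_extension")
    if name == "certutil.exe" and re.search(r"\s-decode(hex)?\b", ev["cmdline"], re.I):
        hits.append("certutil_decode")
    if name in LOOKALIKE_NAMES:
        hits.append("lookalike_process_name")
    if name == "regasm.exe" and USER_WRITABLE.search(ev["parent"]):
        hits.append("regasm_unusual_parent")
    return hits

def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious image path to the rules it triggered."""
    return {ev["image"]: h for ev in events if (h := classify(ev))}

if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

Each rule on its own is noisy on a busy estate; the value is in seeing several of them fire on one host within a short window, which is what a correlation rule built on these flags should require.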

Conclusion:

The Noodlophile campaign highlights the growing abuse of AI trends in cybercrime. By disguising malware as legitimate AI tools, attackers are successfully targeting unsuspecting users. Its advanced evasion techniques and data theft capabilities pose serious risks. Vigilance and proactive security practices are essential to mitigate such evolving threats.

Impact

Once fully deployed, Noodlophile begins harvesting:

  • Browser-stored credentials
  • Session cookies and authentication tokens
  • Cryptocurrency wallet files

All exfiltrated data is sent via a Telegram bot, which functions as the malware’s command-and-control (C2) channel, enabling real-time attacker access.

In some cases, the malware is deployed alongside XWorm, a Remote Access Trojan (RAT), significantly increasing the attacker’s capabilities by enabling remote control, surveillance and active system manipulation in addition to passive data theft.

IOC and Context Details

Tactic Name: Persistence, Execution, Defense Evasion, Credential Access, Initial Access, Command and Control

Technique Name:
  • Persistence: Boot or Logon Autostart Execution
  • Execution: Command and Scripting Interpreter
  • Defense Evasion: Hijack Execution Flow, Obfuscated Files or Information, Masquerading
  • Credential Access: Credentials from Password Stores, Steal Web Session Cookie
  • Initial Access: Phishing, Drive-by Compromise
  • Command and Control: Remote Access Tools

Sub-Technique Name:
  • Persistence – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • Execution – Command and Scripting Interpreter: Python
  • Defense Evasion – Hijack Execution Flow: DLL
  • Defense Evasion – Obfuscated Files or Information: Command Obfuscation
  • Defense Evasion – Masquerading: Match Legitimate Resource Name or Location
  • Credential Access – Credentials from Password Stores: Credentials from Web Browsers
  • Initial Access – Phishing: Spearphishing Attachment
  • Command and Control – Remote Access Tools: Remote Desktop Software

Attack Type: Malware
Targeted Applications: Windows
Region Impacted: Global
Industry Impacted: Others
IOCs: file hashes (SHA-256, SHA-1, MD5) and URLs

CVE: NA

Recommended Actions

To mitigate the risk posed by emerging threats like Noodlophile, organizations should adopt a multi-layered security approach that integrates user education, system hardening, and continuous monitoring. The following measures are strongly recommended:

  1. Train Employees on Social Engineering Risks: Conduct regular awareness sessions to help staff identify fake AI tools, malicious ads and phishing sites—especially those circulating on platforms like Facebook.
  2. Enable File Extension Visibility: Configure endpoints to always display file extensions, helping users recognize potentially dangerous executables disguised as media files.
  3. Restrict Unauthorized Executables: Enforce application whitelisting and prevent execution of unknown programs from temporary or user-specific directories.
  4. Use Advanced Endpoint Protection: Deploy next-generation antivirus and behavioral detection tools to identify obfuscated threats and in-memory malware execution.
  5. Monitor for Unusual Network Traffic: Implement network-level monitoring to detect suspicious outbound traffic, including connections to Telegram bots or hardcoded C2 servers.
  6. Leverage Sandboxing for File Analysis: Use sandbox environments to safely analyze untrusted files before they reach end-user systems.
  7. Limit Use of System Utilities: Restrict or monitor access to tools like certutil.exe, which are commonly exploited for downloading or decoding malicious payloads.
  8. Maintain Strong Patch Hygiene: Regularly update operating systems and applications to close known vulnerabilities leveraged by malware loaders.
