Scammers are deploying fake AI tools and deceptive Facebook ads to distribute the Noodlophile Stealer malware, executing a multi-stage attack aimed at stealing user credentials. These malicious platforms often branded with names like “Dream Machine”—pose as sophisticated AI applications capable of generating videos from user-uploaded files. Promoted through eye catching Facebook advertisements, they are carefully crafted to entice users into interacting with what appears to be legitimate, state-of-the-art AI technology.

What Makes This Campaign Noteworthy:

What sets this campaign apart is its use of AI as a social engineering lure leveraging a legitimate, rapidly growing trend to deliver malware. Unlike traditional campaigns that rely on disguises like pirated software or game cheats, this operation targets a newer, more trusting demographic: content creators and small businesses experimenting with AI tools for productivity.

Additionally, Noodlophile Stealer appears to be a previously unreported threat in the malware landscape. It blends credential theft, crypto wallet exfiltration, and optional deployment of remote access tools, marking a novel and evolving threat in the cybercriminal arsenal.

Introduction of Noodlophile in the Malware-as-a-Service Ecosystem:

The Noodlophile malware marks a significant addition to the expanding Malware-as-a-Service (MaaS) landscape. Actively traded on dark web forums, it is often bundled with offerings labeled “Get Cookie + Pass,” indicating its primary function harvesting sensitive user data such as browser credentials and authentication tokens. Threat intelligence suggests that the campaign is operated by Vietnamese-speaking actors, reflecting the increasingly global nature of cybercrime operations.

Social Engineering via Fake AI Video Tools:

The infection chain is triggered when a user interacts with one of the fraudulent AI-powered video generation platforms. These websites prompt users to upload a file in exchange for AI-generated media. Instead of receiving a legitimate video, victims are delivered a ZIP archive containing a malicious file, misleadingly named something like Video_DreamMachineAI.mp4.exe. This filename is crafted to appear as a harmless video file particularly on Windows systems where file extensions are hidden by default, a vulnerability often exploited by attackers.

Stealthy Multi-Stage Infection Process

The embedded executable is a trojanized version of CapCut, a legitimate video editing tool, digitally signed with a certificate created using Winauth to bypass security defenses. When launched, it executes a multi-layered infection chain:

• A disguised batch script (Document.docx/install.bat) leverages the built-in Windows utility certutil.exe to decode a password-protected RAR archive masquerading as a PDF.
• The malware modifies the system registry to establish persistence across reboots.
• A final Python-based payload is downloaded from a hardcoded server and executed in memory under the name srchost.exe.

Noodlophile adjusts its behavior based on the endpoint’s security environment. If Avast antivirus is detected, it uses process hollowing to inject code into RegAsm.exe; otherwise, it defaults to classic shellcode injection for memory-resident execution.

Conclusion:

The Noodlophile campaign highlights the growing abuse of AI trends in cybercrime. By disguising malware as legitimate AI tools, attackers are successfully targeting unsuspecting users. Its advanced evasion techniques and data theft capabilities pose serious risks. Vigilance and proactive security practices are essential to mitigate such evolving threats.