Attackers are spreading an infostealer disguised as AI video-generation tools. The malware, named Noodlophile Stealer, tricks users into believing they're using an AI service to generate photos and videos.
The campaign spreads primarily on social media, especially in Facebook groups. Pages with names like "Dream Machine" are promoted in large, legitimate-looking communities. These fake AI video-generation platforms mimic the look and behavior of real AI tools, luring users with promises of free, instant video creation.
Image: Dream Machine App (Credit: Morphisec)
Some of the apps even imitate popular video editing tools like CapCut.
Image: Fake CapCut site (Credit: Morphisec)
Users are asked to upload an image and wait through a fake loading screen. Once "processing" is complete, they're prompted to download a ZIP archive, usually named something like VideoDreamAI.zip. Inside the archive is a file titled Video Dream MachineAI.mp4 .exe. The naming is intentional: the decoy .mp4 extension followed by padding spaces pushes the real .exe extension out of view in file browsers that hide or truncate extensions, so the file looks like a harmless video. In reality, it is an executable that launches the malware.
Opening the file sets off a multi-stage infection chain. The process begins with a file named CapCut.exe, which mimics the legitimate video editing app CapCut to appear trustworthy. However, this version is a large C++ executable that embeds a .NET runtime wrapper, a technique that lets the binary load and run .NET code.
By loading the .NET payload in memory instead of writing it to disk, the malware evades traditional antivirus tools that rely on scanning files stored on the system. This technique, known as in-memory (fileless) execution, is commonly used by advanced malware to stay stealthy.
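A defender can flag the padded double-extension trick described above at the mail gateway or in a download scanner before a user ever sees the file. The following Python is an added example written for this article, not code from the original page or from Morphisec; the archive it inspects is constructed in memory to mirror the VideoDreamAI.zip layout the article describes, and the executable-extension list and the decoy-extension regex are this example's own choices.

```python
from __future__ import annotations

import io
import re
import zipfile

# Final extensions Windows will execute on double-click (example's own list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".lnk"}

# A media/document extension at the end of the stem, optionally followed by
# padding spaces, is the decoy the article describes ("...AI.mp4 .exe").
DECOY_EXT_RE = re.compile(
    r"\.(mp4|mov|avi|mkv|jpe?g|png|gif|pdf|docx?|xlsx?|txt)\s*$", re.IGNORECASE)


def split_real_extension(name: str) -> tuple[str, str]:
    """Return (stem, real_extension) using only the basename, so directory
    parts inside an archive cannot hide the decoy extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext.strip().lower()


def is_disguised_executable(name: str) -> bool:
    """True when the real extension is executable and the stem ends in a
    decoy media/document extension (padded with spaces or not)."""
    stem, ext = split_real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return False
    return bool(DECOY_EXT_RE.search(stem))


def excess_space_runs(name: str) -> int:
    """Count runs of two or more spaces, a cheap secondary tell for padded names."""
    return len(re.findall(r" {2,}", name))


def scan_zip(data: bytes) -> list[str]:
    """Return the names of archive members that use the double-extension trick."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_disguised_executable(info.filename):
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real artefact) shaped like the
    article's VideoDreamAI.zip: one padded double-extension executable and
    one benign member. The member contents are placeholders, not binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4 .exe", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for member in scan_zip(build_sample_zip()):
        print("suspicious member:", repr(member), "space runs:", excess_space_runs(member))
```

The check inspects member names only, so it runs on an archive before anything is extracted; pair it with a rule that quarantines any archive containing a member whose real extension is executable, since a legitimate video download has no reason to ship one.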
The final payload includes the Noodlophile Stealer, which exfiltrates browser credentials, cookies, session tokens, and crypto wallet data. In some cases, it also installs a remote access trojan, Worm 5.2, which can spread laterally across the network, allowing attackers to move between systems and compromise additional machines. All stolen information is then sent to the attacker via a Telegram bot.
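The Telegram bot exfiltration channel is one of the more observable parts of this chain, because the Bot API has a fixed URL shape (api.telegram.org/bot<id>:<secret>/<method>) that can be matched in proxy logs. The following Python is an added detection example written for this article, not code from the original page or from Morphisec. The proxy log lines, host names, process names and bot ids are constructed, the key=value log layout is an assumption to adjust for a real proxy, and the secret in the URLs is an obvious placeholder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed proxy log lines for this example (not from the page or Morphisec).
SAMPLE_PROXY_LOG = """\
2025-05-09T10:12:31Z host=WS-042 user=alice proc=chrome.exe verb=GET url=https://www.example.com/ status=200 bytes=5120
2025-05-09T10:12:33Z host=WS-042 user=alice proc=CapCut.exe verb=POST url=https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendDocument status=200 bytes=48213
2025-05-09T10:13:02Z host=WS-017 user=bob proc=python.exe verb=POST url=https://api.telegram.org/bot000000001:PLACEHOLDER_TOKEN/sendMessage status=200 bytes=310
2025-05-09T10:13:15Z host=WS-017 user=bob proc=firefox.exe verb=GET url=https://web.telegram.org/ status=200 bytes=20480
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<api_method>\w+)")
# Methods that upload a file; stolen cookies and wallet dumps leave this way.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendAnimation"}


@dataclass
class Finding:
    timestamp: str
    host: str
    proc: str
    bot_id: str        # numeric id is safe to keep; the secret is deliberately dropped
    api_method: str
    bytes_sent: int
    severity: str


def parse_line(line: str) -> dict[str, str]:
    """Split '<timestamp> key=value ...' into a dict (assumed log layout)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def classify(fields: dict[str, str]) -> Finding | None:
    """Return a Finding for any Bot API call; file uploads over POST rank high."""
    m = BOT_API_RE.search(fields.get("url", ""))
    if m is None:
        return None  # web.telegram.org and other ordinary traffic is ignored
    api_method = m.group("api_method")
    uploads = api_method in UPLOAD_METHODS and fields.get("verb") == "POST"
    return Finding(
        timestamp=fields["timestamp"],
        host=fields.get("host", "?"),
        proc=fields.get("proc", "?"),
        bot_id=m.group("bot_id"),
        api_method=api_method,
        bytes_sent=int(fields.get("bytes", "0")),
        severity="high" if uploads else "medium",
    )


def scan_proxy_log(text: str) -> list[Finding]:
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.host} {f.proc} -> bot {f.bot_id} "
              f"{f.api_method} ({f.bytes_sent} bytes)")
```

Any Bot API traffic from an endpoint process that is not a known automation host is worth a look, but a POST to a file-upload method from a process named after a consumer application is the pattern that matches this campaign. The finding keeps the numeric bot id for correlation across hosts and discards the secret so the alert itself does not become a credential.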
Image: Noodlophile attack chain (Credit: Morphisec)
According to Morphisec researcher Shmuel Uzan, Noodlophile is now being advertised in cybercrime forums as part of malware-as-a-service bundles. Morphisec shared several Indicators of Compromise (IoCs) and recommended the use of its Automated Moving Target Defense (AMTD) technology. AMTD is designed to stop threats like Noodlophile before execution, without relying on signatures or behavioral analysis.
This campaign is another example of threat actors exploiting the growing interest in AI to trick users into downloading malware. Users should verify the legitimacy of AI tools, especially those promoted on social media, before uploading or downloading content.