Threat Actors Exploit Fake AI Tools to Deploy Noodlophile Information Stealer

TL;DR

Threat actors are leveraging the hype around AI to distribute the information-stealing malware Noodlophile via fake AI tools promoted on social media, a new report by Morphisec reveals. This malware targets browser credentials, crypto wallets, and can install remote access trojans.

Threat Actors Exploit AI Hype to Spread Malware

Morphisec researchers have uncovered a new campaign where threat actors are exploiting the hype around AI to distribute malware. By promoting fake AI tools through viral posts and Facebook groups, these actors trick users into installing the Noodlophile Stealer, a new malware designed to steal browser credentials, crypto wallets, and potentially install remote access trojans like XWorm¹.

Noodlophile Stealer: A New Threat

Noodlophile Stealer is a previously undocumented malware now being sold on cybercrime forums as part of malware-as-a-service schemes. Often bundled with tools for credential theft, this malware is believed to be developed by a Vietnamese actor actively engaged in related Facebook posts².

Distribution via Social Media and Scam Websites

Fake AI tools are distributed through social media and scam websites such as “Dream Machine” or “CapCut,” luring users with promises of free AI video tools. These fake tools bait users into uploading media, leading to the download of malware disguised as AI-generated content³.

Morphisec observed that posts promoting these fake AI tools can garner over 62,000 views, enticing users seeking free video/image editors but delivering malware instead. Victims are tricked into downloading malicious ZIP files containing executables disguised as video files, which launch legitimate CapCut binaries to avoid suspicion⁴.

Malware Deployment Process

1. Initial Infection: Users download a malicious ZIP file (“VideoDreamAI.zip”) containing a fake video file (“Video Dream MachineAI.mp4.exe”).
2. Execution: The fake video file is a 32-bit C++ application signed using a certificate created via Winauth, mimicking a legitimate CapCut video editing tool.
3. Secondary Payload: The initial binary locates and executes a secondary file, CapCut.exe, from its directory.
4. Loader Activation: A .NET loader (“CapCutLoader”) fetches and runs a Python-based malware (“srchost.exe”).
5. Payload Deployment: The Python binary deploys Noodlophile Stealer, extracting browser credentials, crypto wallet data, and sometimes includes XWorm for remote system access⁵.

Indicators of Compromise (IOCs)

The report includes Indicators of Compromise (IOCs) for this campaign, providing essential data for security professionals to identify and mitigate the threat⁶.

Follow for More Updates

Follow me on Twitter, Facebook, and Mastodon for the latest updates.

For more details, visit the full article: source

Conclusion

The exploitation of AI hype to distribute malware highlights the evolving tactics of cybercriminals. Users must remain vigilant and cautious when downloading tools from unverified sources, especially those promoted on social media. Staying informed about the latest threats and practicing good cyber hygiene is crucial in protecting against such attacks.

References

1. (2025). “Threat actors use fake AI tools to deliver the information stealer Noodlophile”. Security Affairs. Retrieved 2025-05-12. ↩︎

2. Ibid. ↩︎

3. Ibid. ↩︎

4. Ibid. ↩︎

5. Ibid. ↩︎

6. Ibid. ↩︎