Introduction
In an era where artificial intelligence is reshaping digital content creation, malicious actors are exploiting this trend by disguising malware behind fake AI-powered tools. A new threat named Noodlophile has surfaced, targeting unsuspecting users through websites posing as video-generation platforms. Promising to turn uploaded files into AI-generated videos, these deceptive portals instead serve as a gateway for a dangerous, information-stealing malware that has recently emerged in the cybercrime underground. Cybersecurity researchers from Morphisec have uncovered this campaign, revealing a sophisticated infection chain and a disturbing level of social engineering.
This discovery highlights the evolving landscape of malware delivery, where cybercriminals manipulate trending technologies and user curiosity to steal sensitive data—particularly credentials, session cookies, and cryptocurrency wallet contents. The campaign appears to originate from Vietnamese-speaking groups and operates under a Malware-as-a-Service (MaaS) business model, making this threat scalable and widely distributable.
The Noodlophile Campaign Explained
Cybercriminals are using fake AI video generation tools, such as the falsely branded “Dream Machine,” to distribute a new infostealer malware dubbed Noodlophile.
These fraudulent platforms are promoted via popular Facebook groups, luring users with the promise of AI-generated video content.
Upon uploading a file, victims receive a ZIP file that allegedly contains their generated video but actually hides a malicious executable named Video Dream MachineAI.mp4.exe.
Due to hidden file extensions in Windows, the malicious .exe file can easily be mistaken for a safe .mp4 video.
The executable is a repackaged version of CapCut, a legitimate video editing tool, helping it evade detection by antivirus programs.
When executed, the malware launches multiple steps, including batch script execution and registry modifications to establish persistence.
It leverages Windows tools like certutil.exe to decode and install additional payloads from remote servers.
The final stage is the Noodlophile Stealer, which runs in memory and extracts sensitive browser data and cryptocurrency wallet files.
In systems protected by Avast, it uses PE hollowing for stealthy execution; otherwise, it applies shellcode injection techniques.
The stolen data is sent back via Telegram bots, serving as the command-and-control infrastructure.
In some cases, the malware is packaged with XWorm, enabling remote desktop access and enhancing its capabilities.
Morphisec’s discovery marks the first public report on Noodlophile, emphasizing the novelty and danger of this malware.
This campaign is a strong example of how cybercriminals are increasingly weaponizing AI branding and social engineering for malware distribution.
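The infection chain above leaves observable traces at several points: a media-named file that is really an executable, certutil.exe decoding a payload, a Run-key write for persistence, and traffic to the Telegram API. The following triage script is an added example (not code from Morphisec or the original report) that runs simple detection rules over constructed endpoint telemetry lines; the event format, rule names and sample paths are assumptions made for the example, and only the file name Video Dream MachineAI.mp4.exe comes from the page.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    event: str


# Detection rules keyed by event kind. Each pattern targets a behaviour
# the Noodlophile chain is reported to use (double-extension lure,
# certutil payload decoding, Run-key persistence, Telegram C2).
# The patterns are generic and not taken from any specific sample.
RULES = {
    "process": [
        ("media_exe_double_extension",
         re.compile(r"\.(?:mp4|mov|avi|mkv|jpg|jpeg|png|pdf)\.(?:exe|scr|com|pif|bat|cmd)\s*$", re.I)),
        ("certutil_decode_or_download",
         re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|decodehex|urlcache)\b", re.I)),
    ],
    "registry": [
        ("run_key_persistence",
         re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)),
    ],
    "network": [
        ("telegram_api_destination",
         re.compile(r"\bapi\.telegram\.org\b", re.I)),
    ],
}


def parse_event(line: str) -> tuple[str, str]:
    """Split an assumed 'kind | details' telemetry line into its two parts."""
    kind, _, details = line.partition("|")
    return kind.strip().lower(), details.strip()


def triage(lines: list[str]) -> list[Finding]:
    """Return one Finding per (rule, event) match, in input order."""
    findings = []
    for line in lines:
        kind, details = parse_event(line)
        for rule_name, pattern in RULES.get(kind, []):
            if pattern.search(details):
                findings.append(Finding(rule_name, details))
    return findings


# Constructed sample telemetry (assumed format, not real logs). The user
# name, temp paths and value names are invented for this example.
SAMPLE_EVENTS = [
    r"process | C:\Users\alice\Downloads\Video Dream MachineAI.mp4.exe",
    r"process | certutil.exe -decode C:\Users\alice\AppData\Local\Temp\blob.txt C:\Users\alice\AppData\Local\Temp\stage2.exe",
    r"registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\alice\AppData\Roaming\launch.bat",
    r"network | api.telegram.org:443",
    r"process | C:\Program Files\Notepad++\notepad++.exe",       # benign, should not match
    r"process | C:\Windows\System32\certutil.exe -verify cert.cer",  # benign certutil use
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.event}")
```

Each rule is deliberately narrow: a bare certutil.exe invocation is common in administration, so the rule keys on the -decode, -decodehex and -urlcache switches that turn it into a download-and-decode helper; likewise only the media-then-executable extension pairing is flagged, not every .exe in Downloads. In a real deployment these would be fed from Sysmon or EDR process, registry and network events rather than from a list of strings.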
What Undercode Says:
The emergence of Noodlophile is a textbook example of modern cyber threats blending social engineering with the aesthetic of cutting-edge tech. The use of fake AI video-generation tools is particularly concerning, given the growing trust people place in AI-branded platforms. This isn’t just a case of malware hiding in attachments—it’s malware hiding behind expectation and curiosity.
By masquerading as a trendy AI service, attackers tap into the modern user’s fascination with generative tools. Most users won’t question a ZIP file received from what appears to be an AI engine. The use of a signed and familiar executable—like CapCut—demonstrates how attackers exploit not only the user but also trust in popular software.
The infection chain is cleverly designed to exploit default behaviors in Windows, such as hidden file extensions and the trust users extend to signed executables. These techniques are not new, but their fusion into a single, disguised AI service introduces a unique threat vector that is both creative and dangerous.
From a technical perspective, Noodlophile is notable for its modular structure. It begins as an infostealer but can extend its functions through bundled tools like XWorm. The use of Telegram as a C2 server isn’t just for anonymity—it provides real-time data access, making data exfiltration instant and adaptable.
The malware’s ability to remain fileless by executing in memory, combined with evasion techniques such as PE hollowing, places it among the more advanced threats seen in recent months. It is designed not just to steal but to linger, persist, and adapt.
There’s also the broader implication of Malware-as-a-Service (MaaS) models. By offering this tool in bundles like “Get Cookie + Pass,” criminal groups enable low-skill actors to deploy sophisticated campaigns, expanding the threat surface exponentially. The Vietnamese-speaking origin also hints at organized regional cybercrime operations pushing into global markets.
For the average user, the key takeaway is clear: do not trust services simply because they brand themselves as “AI-powered.” Verification must go beyond appearance. If a website offers video generation from user uploads, ensure it’s from a reputable developer or service provider. And always, always inspect file extensions before opening downloads.
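Inspecting extensions by eye fails precisely when Windows hides them, so the check is better done on the archive before anything is extracted. The script below is an added example (not from the original post) that opens a ZIP in memory and flags entries whose true extension is executable, whose name pairs a media extension with an executable one, or whose first bytes are a PE header (MZ) under a non-executable name; the helper that builds the sample archive and its contents are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute directly, and the media extensions a
# fake "AI video" download would be expected to carry.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs", ".hta", ".lnk"}
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}
PE_LIKE_EXTS = EXECUTABLE_EXTS | {".dll", ".sys"}


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Use only the final path component so directories cannot hide the name.
            base = PurePosixPath(info.filename).name
            suffixes = [s.lower() for s in PurePosixPath(base).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS and suffixes[-1] in EXECUTABLE_EXTS:
                reasons.append("media extension masquerade (double extension)")
            # Read only the first two bytes: a PE file starts with "MZ".
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and (not suffixes or suffixes[-1] not in PE_LIKE_EXTS):
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: the file name is the one the
    report describes, the contents are stub bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"thanks for using our service")
        zf.writestr("preview.mp4", b"MZ" + b"\x00" * 30)  # PE bytes under a video name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The magic-byte check matters because the opposite disguise is also possible: an executable can sit under a plain .mp4 name and wait for a second stage to rename or run it. Reading two bytes per entry through zipfile.open() keeps the check cheap and never writes anything to disk.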
The rise of fake AI tools in malware distribution could become the new norm if users don’t adapt their cybersecurity hygiene. This isn’t just a warning about one malware—it’s a red flag about where digital deception is headed.
Fact Checker Results:
Noodlophile is real and has been verified through cybersecurity researchers at Morphisec.
AI-themed social engineering is a current and growing trend among cybercriminals.
CapCut repackaging and Telegram exfiltration are confirmed components of the malware chain.
Prediction:
As generative AI tools continue to flood the internet and gain user trust, cybercriminals will increasingly use AI-branded decoys to lure victims. Malware campaigns will likely evolve toward even more convincing interfaces and platforms that mimic legitimate AI services. Expect to see a rise in “fake AI tool” scams across social media and file-sharing forums, with more MaaS platforms offering plug-and-play malicious payloads under the guise of generative tech. Cyber hygiene, including file extension awareness and real-time antivirus scanning, will be critical defenses in this next era of social engineering.
References:
Reported By: www.bleepingcomputer.com