Cybercriminals are increasingly exploiting the public’s growing interest in artificial intelligence to spread malware through deceptive social media posts and scam websites. A recent campaign uncovered by Morphisec researchers reveals how attackers are promoting fake AI-powered video editing tools on platforms like Facebook to distribute a new and dangerous malware called Noodlophile Stealer. Disguised as free tools like “Dream Machine” or “CapCut AI”, these downloads lead unsuspecting users into infecting their systems with credential-stealing malware and remote access trojans.
Fake AI Tools Campaign Summary
Morphisec’s latest analysis exposes a highly targeted social engineering scheme that capitalizes on the AI boom. Here’s a detailed summary of the campaign:
- Attackers create fake AI tool promotions on Facebook groups and scam websites, often presenting them as cutting-edge, free video or image editors.
- Victims looking to experiment with viral tools such as “Dream Machine” are lured into downloading files such as VideoDreamAI.zip.
- Inside the ZIP file is a malicious executable named Video Dream MachineAI.mp4.exe, misleadingly formatted to appear like a video file.
- Once launched, this file runs a modified version of CapCut, a legitimate video editor, as a decoy.
- Simultaneously, a .NET loader named CapCutLoader is triggered to download and execute a secondary Python-based malware file called srchost.exe.
- This file installs Noodlophile Stealer, a sophisticated new stealer written in Python.
- Noodlophile harvests browser-stored credentials, cryptocurrency wallet data, and system information.
- In some cases, it also deploys XWorm, a remote access trojan, giving attackers persistent control over the infected machine.
- The malware is signed with a certificate generated via Winauth, and uses deceptive naming conventions to bypass user suspicion and certain security tools.
- Posts promoting these fake AI tools on Facebook were found to have racked up over 62,000 views each, significantly amplifying the campaign’s reach.
- The malware is sold on dark web forums under a malware-as-a-service (MaaS) model, enabling other threat actors to use it in their own attacks.
- The suspected developer of Noodlophile is reportedly Vietnamese and has been observed actively participating in promotional threads related to the malware.
This campaign highlights the convergence of social engineering, malware-as-a-service, and the manipulation of trending tech topics to fuel wide-scale cyberattacks.
What Undercode Say:
The evolution of this threat showcases a troubling trend in the malware economy: combining hype-driven social engineering with low-friction distribution channels like Facebook. The success of this campaign lies in its simplicity. People are excited about free AI tools, and the attackers are exploiting this enthusiasm with deceptive, well-marketed bait.
From a technical standpoint, the attackers are using several clever tactics:
- File deception: naming .exe files with a .mp4 double extension (for example Video Dream MachineAI.mp4.exe) so that non-technical users take them for video files.
- Legitimate software bundling: leveraging genuine CapCut binaries as a smokescreen to lower suspicion.
- Chained execution: Utilizing loaders and secondary malware stages to avoid early detection.
- Code signing abuse: Using certificates generated via Winauth to slip past trust-based filters.
- Python-based payloads: Emphasizing portability and stealth by using Python for final payloads.
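The file-deception tactic is the easiest of these to screen for before a user ever double-clicks. The following Python script is an added example, not code from the article or from Morphisec: it inspects the entry names of a ZIP archive and flags any entry whose real extension is executable while the name also carries a media or document extension, as with Video Dream MachineAI.mp4.exe. The archive it scans is constructed in memory with placeholder bytes; the entry names other than the one quoted in the article are invented for the demonstration.

```python
"""Flag archive entries whose file name disguises an executable as media or a document.

Added example for the campaign described above; the sample archive is constructed
here with placeholder content and is not the real VideoDreamAI.zip.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows treats as directly executable (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "hta"}
# Extensions a user expects to be harmless content; these form the "decoy" part.
DECOY_EXTS = {"mp4", "mov", "avi", "mkv", "mp3", "jpg", "jpeg", "png", "gif",
              "pdf", "doc", "docx", "xls", "xlsx", "txt"}


@dataclass
class Finding:
    name: str                 # full entry path inside the archive
    real_ext: str             # the extension that actually decides how Windows runs it
    decoy_ext: Optional[str]  # media/document extension placed before it, if any
    severity: str             # "high" for a double extension, "medium" for a plain executable


def classify_name(name: str) -> Optional[Finding]:
    """Return a Finding if the entry is executable, None otherwise.

    'Video Dream MachineAI.mp4.exe' is reported with decoy_ext='mp4' and severity
    'high'; a plain 'tool.exe' is reported with no decoy and severity 'medium' so
    a caller can still see every executable in the archive.
    """
    base = name.rsplit("/", 1)[-1].lower()
    # Split on dots, strip padding spaces, and drop empty segments so that
    # 'clip.mp4   .exe' and 'clip..exe' are handled the same way.
    parts = [p.strip() for p in base.split(".")]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return None
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return None
    decoy = parts[-2] if len(parts) >= 3 and parts[-2] in DECOY_EXTS else None
    return Finding(name=name, real_ext=real_ext, decoy_ext=decoy,
                   severity="high" if decoy else "medium")


def scan_zip(data: bytes) -> List[Finding]:
    """Scan every file entry of a ZIP archive (given as bytes) without extracting it."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_name(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample_archive() -> bytes:
    """Construct a stand-in for the lure archive; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VideoDreamAI/Video Dream MachineAI.mp4.exe", b"placeholder-not-a-real-binary")
        zf.writestr("VideoDreamAI/preview.mp4", b"placeholder-video-bytes")
        zf.writestr("VideoDreamAI/readme.txt", b"placeholder text")
        zf.writestr("VideoDreamAI/CapCut.exe", b"placeholder-not-a-real-binary")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        label = f"{f.severity.upper()}: {f.name} (real ext .{f.real_ext}"
        label += f", disguised as .{f.decoy_ext})" if f.decoy_ext else ")"
        print(label)
```

Running the script lists one high-severity entry (the .mp4.exe double extension) and one medium-severity plain executable. The scan works on entry names only, so it never extracts or executes anything; it is meant as a cheap gate in front of a mail gateway, download proxy or upload handler, not as a replacement for signature and behavioural checks.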
Noodlophile itself, although new, fits the mold of modern stealers: highly modular, readily integrated with MaaS ecosystems, and targeted at harvesting high-value assets like crypto wallets and stored credentials. Its distribution with potential RAT functionality (via XWorm) hints at its dual-use purpose: initial theft followed by prolonged surveillance or ransomware deployment.
The involvement of Facebook and the viral nature of these scam posts suggest that attackers are now putting marketing-level effort into malware campaigns. They understand click psychology, use SEO-laden language in their posts, and even impersonate AI developers or tool reviewers.
The strategy also avoids traditional phishing email campaigns, which many users are now trained to detect. Instead, attackers are meeting users where they’re most curious and least suspicious: in communities excited about AI tools.
This pattern should be alarming for both users and platform operators. Social media is quickly becoming one of the primary distribution platforms for malware, especially among less technical audiences.
For cybersecurity professionals,
References:
Reported By: securityaffairs.com