In a concerning development, cybercriminals are leveraging the popularity of artificial intelligence (AI) tools to distribute a new malware called ‘Noodlophile Stealer’ through Facebook.
The Deceptive Tactic
According to researchers at Morphisec, threat actors create fake “AI-themed” video generation platforms, promoted through seemingly legitimate Facebook groups and viral social media campaigns.
These groups, with a single post boasting over 62,000 views, attract users to upload images or videos by promising AI-generated content in return, a figure that indicates the campaign’s extensive reach.
“Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms, often advertised via legitimate-looking Facebook groups and viral social media campaigns,” Shmuel Uzan, Morphisec Threat Researcher, wrote in a research blog post published last week.
Understanding Noodlophile Stealer
Instead of receiving instant AI-generated videos, users unknowingly download malware: specifically, a newly discovered infostealer called Noodlophile Stealer, built to siphon browser credentials, crypto wallets, and other sensitive information.
In some instances, it also deploys a remote access trojan like XWorm, granting attackers deeper control over the infected system.
“Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment,” Uzan added.
How The Campaign Works
The Noodlophile Stealer campaign begins when users are lured to fake AI video generation sites promoted on social media. After uploading their content, users receive a ZIP archive claiming to contain an AI-generated video. In reality, the archive holds a cleverly disguised executable (e.g., Video Dream MachineAI.mp4.exe) designed to resemble a harmless video file, particularly misleading for users who have file extensions hidden on their systems.
“The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth,” explains Morphisec.
“Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.”
Running the file triggers a multi-stage infection chain involving several executables and a batch script (Document.docx/install.bat). The malware uses the legitimate Windows tool ‘certutil.exe’ to decode a base64-encoded password-protected RAR archive posing as a PDF and adds a Registry key for persistence.
Next, it runs srchost.exe, which downloads and executes an obfuscated Python script (randomuser2025.txt) that launches the Noodlophile Stealer in memory. Depending on whether Avast is present, the malware uses either a PE hollowing function that targets RegAsm.exe or a local shellcode loader function for direct execution.
Once active, it steals browser-stored data, session cookies, credentials, tokens, and crypto wallet files, exfiltrating everything via a Telegram bot.
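As an added illustration, not code from Morphisec or from this article, the Python triage sketch below applies three of the indicators described above to constructed sample process-creation events: an executable hiding behind a media-style double extension such as .mp4.exe, certutil.exe invoked with -decode, and RegAsm.exe started by a parent process that would not normally launch it (the list of expected RegAsm parents is an assumption, as is the event format).

```python
import re

# Constructed sample events (hypothetical format): (parent image, image, command line).
# Paths and file names are made up for illustration; only the .mp4.exe naming pattern
# and the certutil/RegAsm technique come from the reported campaign.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Users\u\Downloads\Video Dream MachineAI.mp4.exe",
     r'"Video Dream MachineAI.mp4.exe"'),
    ("cmd.exe", r"C:\Windows\System32\certutil.exe",
     r'certutil -decode "C:\Users\u\AppData\Local\Temp\report.pdf" out.rar'),
    ("cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil -hashfile setup.msi SHA256"),          # benign certutil use
    ("python.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r"RegAsm.exe"),
    ("explorer.exe", r"C:\Users\u\Videos\holiday.mp4", ""),  # a real media file
]

MEDIA_EXTS = {".mp4", ".mov", ".avi", ".pdf", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com"}
# Assumption: processes that legitimately spawn RegAsm.exe in a typical environment.
EXPECTED_REGASM_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}


def is_double_extension_executable(path):
    """True for names like video.mp4.exe: a media extension directly before an executable one."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in MEDIA_EXTS


def certutil_decode(image, cmdline):
    """True when certutil.exe is used to decode a file (the stage that unpacks the RAR)."""
    return image.lower().endswith("certutil.exe") and \
        re.search(r"(?i)\s-decode(hex)?\b", cmdline) is not None


def regasm_unusual_parent(parent, image):
    """True when RegAsm.exe (the hollowing target) is launched by an unexpected parent."""
    return image.lower().endswith("regasm.exe") and \
        parent.lower() not in EXPECTED_REGASM_PARENTS


def triage(events):
    """Return (indicator, evidence) pairs for every event that matches a rule."""
    findings = []
    for parent, image, cmdline in events:
        if is_double_extension_executable(image):
            findings.append(("double_extension", image))
        if certutil_decode(image, cmdline):
            findings.append(("certutil_decode", cmdline))
        if regasm_unusual_parent(parent, image):
            findings.append(("regasm_unusual_parent", parent))
    return findings
```

Running triage(SAMPLE_EVENTS) flags the first, second and fourth events and leaves the benign certutil hashing call and the genuine .mp4 file alone.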
Communication And Distribution
The malware uses a Telegram bot to quietly send stolen data back to its operators. Investigations reveal that Noodlophile is being sold as part of malware-as-a-service (MaaS) packages on dark web forums, often alongside “Get Cookie + Pass” services, and is linked to Vietnamese-speaking threat actors.
Protective Measures
To safeguard against such threats, users are advised to avoid clicking on links from social media ads or messages, to enable multi-factor authentication (MFA) to prevent unauthorized access to accounts, and to download software only through official sources and trusted channels.
Users should also be cautious of unsolicited offers such as limited-time deals or previews from unknown sources, and keep software regularly updated to patch security vulnerabilities that malware might exploit.