As synthetic intelligence (AI) instruments achieve mainstream traction for content material creation, cybercriminals are capitalizing on the hype with a complicated new assault vector, pretend AI platforms promising superior video and picture enhancing capabilities.
These fraudulent websites, amplified by means of viral social media campaigns and Fb teams with tens of hundreds of views, lure customers into importing private media, solely to ship a beforehand undocumented malware dubbed Noodlophile Stealer.
This malicious payload steals browser credentials, cryptocurrency wallets, and delicate information, typically deploying a distant entry trojan (RAT) like XWorm for deeper system management.
The Lure: Faux AI Platforms
In line with the Morphisec group report completely shared with Cyber Safety Information, The marketing campaign stands out for its exploitation of public enthusiasm for AI-powered instruments, concentrating on creators and small companies exploring productivity-enhancing applied sciences.
Not like conventional phishing or pirated software program scams, these attackers craft convincing web sites mimicking reputable AI providers, corresponding to video technology platforms.
Social media posts, significantly on Fb, drive visitors to those websites, with one publish alone garnering over 62,000 views.
Customers are enticed to add photographs or movies, anticipating AI-generated content material in return. As an alternative, they’re prompted to obtain a malicious file disguised as their “processed” output.
The downloaded file, typically a ZIP archive named VideoDreamAI.zip, comprises an executable misleadingly titled Video Dream MachineAI.mp4.exe.
This file masquerades as a video however is a 32-bit C++ utility, repurposing a reputable video enhancing instrument (CapCut, model 445.0) and signed with a fraudulent certificates to evade detection. Upon execution, it initiates a multi-stage an infection chain, deploying Noodlophile Stealer and, in some circumstances, XWorm.
Faux web site that posted as video enhancing web site.
Noodlophile Stealer
Noodlophile Stealer is a beforehand undocumented infostealer, combining browser credential theft, cryptocurrency pockets exfiltration, and elective RAT deployment.
Its modular design and obfuscated supply make it a formidable addition to the malware ecosystem. The malware communicates stolen information by way of a Telegram bot, enabling covert exfiltration.
Open-source intelligence (OSINT) investigations revealed Noodlophile being provided in cybercrime marketplaces as a part of malware-as-a-service (MaaS) schemes, alongside instruments for account takeover and credential theft.
The developer, doubtless Vietnamese primarily based on language indicators and social media profiles, actively promotes the malware in associated Fb teams.
The Assault Chain
The an infection begins when customers work together with a pretend AI website, add media, and obtain the malicious ZIP. Inside, a hidden folder (5.0.0.1886) comprises key elements:
Noodlophile Stealer Assault Chain
CapCut.exe: A 140MB C++ binary embedding a .NET runtime wrapper to load malicious .NET code in-memory, evading static scanners. It comprises 275 embedded PE recordsdata, principally .NET assemblies, for modular obfuscation.
AICore.dll: A helper DLL with a single lively export (cmdhelper) for executing exterior instructions.
Doc.pdf: A Base64-encoded, password-protected RAR archive disguised as a PDF, containing cPython elements.
Doc.docx: A batch file masquerading as a Phrase doc, encoded with FF FE markers to hinder evaluation. Renamed to put in.bat, it orchestrates the an infection.
meta: A Win-RAR utility, renamed to photographs.exe, for extracting the RAR archive.
The an infection proceeds as follows:
CapCut.exe launches, utilizing embedded .NET logic to invoke CapCutLoader.
CapCutLoader verifies connectivity by pinging google.com and renames disguised recordsdata (Doc.docx to put in.bat, meta to photographs.exe).
set up.bat decodes Doc.pdf right into a RAR archive utilizing certutil.exe, extracts it with a hardcoded password (TONGDUCKIEMDEVELOPER2025), and registers persistence by way of the Home windows Registry.
A Python payload (srchost.exe), downloaded from a distant server, deploys Noodlophile Stealer and XWorm.
The ultimate payload features a Noodlophile variant for credential theft and a Python-based XWorm loader with two propagation strategies: in-memory shellcode injection or PE hollowing into RegAsm.exe to evade detection.
The marketing campaign employs superior obfuscation, together with base85 decoding, zlib decompression, and Python’s marshal module to execute payloads in-memory, avoiding disk-based detection.
A Python script (randomuser2025.txt) comprises 10,000 redundant operations to interrupt automated evaluation instruments. Using reputable instruments like certutil.exe and RegAsm.exe additional complicates detection.
This marketing campaign highlights the rising sophistication of cybercriminals in exploiting rising applied sciences. By weaponizing belief in AI, attackers goal a broader, much less skeptical viewers.
The introduction of Noodlophile Stealer underscores the evolving malware panorama, with MaaS fashions enabling speedy proliferation.
Customers are urged to confirm the legitimacy of AI platforms, keep away from downloading recordsdata from untrusted sources, and make use of sturdy safety options to detect multi-stage threats.
Are you from the SOC and DFIR Groups? – Analyse Actual time Malware Incidents with ANY.RUN -> Begin Now for Free.
