Menace actors have been noticed leveraging pretend synthetic intelligence (AI)-powered instruments as a lure to entice customers into downloading an info stealer malware dubbed Noodlophile.
“As a substitute of counting on conventional phishing or cracked software program websites, they construct convincing AI-themed platforms – typically marketed through legitimate-looking Fb teams and viral social media campaigns,” Morphisec researcher Shmuel Uzan said in a report printed final week.
Posts shared on these pages have been discovered to draw over 62,000 views on a single submit, indicating that customers in search of AI instruments for video and picture enhancing are the goal of this marketing campaign. Among the pretend social media pages recognized embody Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros.
Customers who land on the social media posts are urged to click on on hyperlinks that publicize AI-powered content material creation companies, together with movies, logos, photos, and even web sites. One of many bogus web sites masquerades as CapCut AI, providing customers an “all-in-one video editor with new AI options.”
As soon as unsuspecting customers add their picture or video prompts on these websites, they’re then requested to obtain the supposed AI-generated content material, at which level a malicious ZIP archive (“VideoDreamAI.zip”) is downloaded as an alternative.
Current throughout the file is a misleading file named “Video Dream MachineAI.mp4.exe” that kick-starts the an infection chain by launching a reputable binary related to ByteDance’s video editor (“CapCut.exe”). This C++-based executable is used to run a .NET-based loader named CapCutLoader that, in flip, finally hundreds a Python payload (“srchost.exe”) from a distant server.
The Python binary paves the best way for the deployment of Noodlophile Stealer, which comes with capabilities to reap browser credentials, cryptocurrency pockets info, and different delicate knowledge. Choose cases have additionally bundled the stealer with a distant entry trojan like XWorm for entrenched entry to the contaminated hosts.
The developer of Noodlophile is assessed to be of Vietnamese origin, who, on their GitHub profile, claims to be a “passionate Malware Developer from Vietnam.” The account was created on March 16, 2025. It is price mentioning that the Southeast Asian nation is house to a thriving cybercrime ecosystem that has a historical past of distributing numerous stealer malware households focusing on Fb.
Unhealthy actors weaponizing public curiosity in AI applied sciences to their benefit isn’t a brand new phenomenon. In 2023, Meta stated it took down greater than 1,000 malicious URLs from being shared throughout its companies that had been discovered to leverage OpenAI’s ChatGPT as a lure to propagate about 10 malware households since March 2023.
The disclosure comes as CYFIRMA detailed one other new .NET-based stealer malware household codenamed PupkinStealer that may steal a variety of information from compromised Home windows methods and exfiltrate it to an attacker-controlled Telegram bot.
“With no particular anti-analysis defenses or persistence mechanisms, PupkinStealer will depend on easy execution and low-profile conduct to keep away from detection throughout its operation,” the cybersecurity firm said. “PupkinStealer exemplifies a easy but efficient type of data-stealing malware that leverages widespread system behaviors and broadly used platforms to exfiltrate delicate info.”
Source link