Fake AI Tools Used to Spread Noodlophile Malware, Targeting 62,000+ via Facebook Lures

News Room
Last updated: 2025/05/12 at 4:22 AM
News Room Published 12 May 2025

May 12, 2025Ravie LakshmananMalware / Artificial Intelligence

Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile.

“Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns,” Morphisec researcher Shmuel Uzan said in a report published last week.

Posts shared on these pages have been found to attract over 62,000 views on a single post, indicating that users looking for AI tools for video and image editing are the target of this campaign. Some of the fake social media pages identified include Luma Dreammachine Al, Luma Dreammachine, and gratistuslibros.

Users who land on the social media posts are urged to click on links that advertise AI-powered content creation services, including videos, logos, images, and even websites. One of the bogus websites masquerades as CapCut AI, offering users an “all-in-one video editor with new AI features.”

Once unsuspecting users upload their image or video prompts on these sites, they are then asked to download the supposed AI-generated content, at which point a malicious ZIP archive (“VideoDreamAI.zip”) is downloaded instead.

Present within the file is a deceptive file named “Video Dream MachineAI.mp4.exe” that kick-starts the infection chain by launching a legitimate binary associated with ByteDance’s video editor (“CapCut.exe”). This C++-based executable is used to run a .NET-based loader named CapCutLoader that, in turn, ultimately loads a Python payload (“srchost.exe”) from a remote server.
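
A defender-side check for the double-extension naming described above, as an added example that is not from the article or from the Morphisec report: it lists ZIP members whose name ends in a media or document extension followed by an executable one. The extension sets, the function names, and the sample archive (placeholder bytes only) are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run or interpret on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
# Extensions a user would expect from a "generated content" download (assumed).
DECOY_EXTS = {".mp4", ".mov", ".avi", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx"}


def masquerading_entries(zip_bytes: bytes) -> list[str]:
    """Return archive members whose name ends in <decoy ext><executable ext>."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so normalise them away first.
            name = info.filename.replace("\\", "/").rstrip(". ")
            # Lower-case and strip each suffix so ".MP4" and ".mp4 " (padded) still match.
            suffixes = [s.lower().strip() for s in PurePosixPath(name).suffixes]
            if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive; every member holds placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"placeholder")  # file name from the article
        zf.writestr("assets/preview.MP4", b"placeholder")             # genuine media name
        zf.writestr("tools/setup.exe", b"placeholder")                # honestly named executable
        zf.writestr("docs/readme.v2.pdf", b"placeholder")             # multi-dot but benign
        zf.writestr("out/logo.png.SCR", b"placeholder")               # constructed variant
    return buf.getvalue()


if __name__ == "__main__":
    for member in masquerading_entries(build_sample_zip()):
        print("suspicious:", member)
```

The same name test can be applied at a mail or web gateway to archive listings before extraction; it flags naming only and says nothing about the file's contents.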

The Python binary paves the way for the deployment of Noodlophile Stealer, which comes with capabilities to harvest browser credentials, cryptocurrency wallet information, and other sensitive data. Select instances have also bundled the stealer with a remote access trojan like XWorm for entrenched access to the infected hosts.

The developer of Noodlophile is assessed to be of Vietnamese origin and, on their GitHub profile, claims to be a “passionate Malware Developer from Vietnam.” The account was created on March 16, 2025. It’s worth pointing out that the Southeast Asian nation is home to a thriving cybercrime ecosystem that has a history of distributing various stealer malware families targeting Facebook.

Bad actors weaponizing public interest in AI technologies to their advantage is not a new phenomenon. In 2023, Meta said it took down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI’s ChatGPT as a lure to propagate about 10 malware families since March 2023.

The disclosure comes as CYFIRMA detailed another new .NET-based stealer malware family codenamed PupkinStealer that can steal a wide range of data from compromised Windows systems and exfiltrate it to an attacker-controlled Telegram bot.

“With no specific anti-analysis defenses or persistence mechanisms, PupkinStealer depends on straightforward execution and low-profile behavior to avoid detection during its operation,” the cybersecurity company said. “PupkinStealer exemplifies a simple yet effective form of data-stealing malware that leverages common system behaviors and widely used platforms to exfiltrate sensitive information.”
