
Noodlophile Stealer

Cybercriminals are capitalizing on the growing demand for AI-powered tools by creating convincing, fake platforms to lure users into downloading a dangerous information-stealing malware named Noodlophile. Unlike traditional phishing scams or cracked software distribution sites, these actors craft legitimate-looking AI-themed websites and promote them through viral social media campaigns and Facebook groups.

Social Engineering via Social Media

These fake campaigns are cleverly distributed on social platforms, with some posts attracting over 62,000 views each. The pages impersonate real AI content creation services and are aimed at users seeking tools for video and image editing. Notable fake profiles include 'Luma Dreammachine Al,' 'Luma Dreammachine,' and 'gratistuslibros.'

Too Good to Be True: The AI Trap

Once users engage with the posts, they are directed to download what they believe are AI-enhanced services for creating videos, images, logos, or websites. One fraudulent site even mimics CapCut AI, claiming to offer an all-in-one video editor with advanced AI features.

The Infection Chain Begins

After uploading their media and prompts, users are invited to download their AI-generated output. Instead of receiving content, however, they unknowingly download a malicious ZIP archive titled VideoDreamAI.zip. Inside is a disguised executable, Video Dream MachineAI.mp4.exe, whose double extension makes it look like a video file. Running this file triggers a chain reaction, starting with the launch of ByteDance's legitimate CapCut.exe.

This legitimate binary serves as a smokescreen to load a .NET-based component named CapCutLoader, which then fetches and executes a Python-based payload (srchost.exe) from a remote server.
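A defender-side check for the download described above (an added example, not code from the original article): it scans a ZIP archive for the two giveaways of the VideoDreamAI.zip lure, a media extension immediately followed by an executable extension, and archive members that begin with the PE 'MZ' magic. The archive it inspects is constructed inline as a harmless stand-in, and the extension lists are assumptions, not from the article.

```python
import io
import zipfile

# Extensions a victim expects from an "AI video/image generator" download (assumed list).
MEDIA_EXTS = {"mp4", "mov", "avi", "png", "jpg", "jpeg", "gif", "webp", "mp3"}
# Extensions Windows will execute when double-clicked (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}


def suspicious_zip_entries(zip_bytes: bytes) -> list:
    """Return entries whose name masquerades as media but are executable.

    Flags (a) a media extension immediately followed by an executable
    extension, as in 'Video Dream MachineAI.mp4.exe', and (b) any member
    whose content starts with the PE 'MZ' magic regardless of its name.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Use only the basename; lower-case so .EXE and .exe match alike.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            reasons = []
            if len(parts) >= 3 and parts[-2] in MEDIA_EXTS and parts[-1] in EXEC_EXTS:
                reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE header (MZ) in archive member")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for VideoDreamAI.zip; the 'payload' is not
    malware, only a stub carrying the PE magic plus zero padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Thanks for using Dream Machine AI!\n")
        zf.writestr("preview.mp4", b"\x00\x00\x00\x18ftypmp42")  # benign MP4-like header
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_zip_entries(build_sample_archive()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Because both checks run on the archive listing and the first two bytes of each member, the scan works before anything is extracted, which is where a mail gateway or download filter would apply it.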

The Payload: Noodlophile and Beyond

The final payload is Noodlophile Stealer, malware equipped to exfiltrate browser credentials, cryptocurrency wallet data, and other sensitive information. In some variants, the stealer is deployed alongside a remote access trojan (RAT) such as XWorm, enabling persistent control over the victim's device.

Malware Author with a Public Face

Attribution efforts have traced Noodlophile's development to an individual believed to be based in Vietnam. This developer, who self-identifies on GitHub as a 'passionate Malware Developer from Vietnam,' created their profile on March 16, 2025. Vietnam has emerged as a hotspot for cybercriminal activity, particularly involving stealer malware that targets platforms like Facebook.

AI as the New Malware Bait

Exploiting public fascination with artificial intelligence is not new. In 2023, Meta reported removing over 1,000 malicious URLs designed to impersonate OpenAI's ChatGPT. These links have been used to distribute at least 10 different malware families since March 2023, demonstrating that AI-themed scams continue to be a powerful tool in the cybercriminal arsenal.
