Fake AI Tools Used to Distribute Noodlophile Malware

Bisma Farrukh

May 12, 2025
Updated on May 12, 2025

Cybercriminals are exploiting the growing interest in artificial intelligence by promoting fake AI-powered tools to spread a data-stealing malware dubbed Noodlophile, according to a recent report by Morphisec researcher Shmuel Uzan.

Rather than relying on traditional phishing or cracked-software lures, the threat actors built realistic-looking AI-themed websites and platforms, promoted through seemingly legitimate Facebook groups and viral social media campaigns. These fake posts, some of which attract over 62,000 views each, target users looking for AI tools for video and image editing.

Among the fraudulent pages discovered are “Luma Dreammachine Al,” “Luma Dreammachine,” and “gratistuslibros.” These pages direct users to websites offering AI-powered content creation services—ranging from video and image generation to website building. One fake site even impersonates the CapCut AI video editor, promoting it as an all-in-one tool with advanced AI features.

When users interact with these sites and upload media for “AI processing,” they are prompted to download a ZIP archive called VideoDreamAI.zip. Inside this archive is a deceptive file named Video Dream MachineAI.mp4.exe, whose double extension makes an executable look like a video file; running it initiates the malware installation process.

The attack begins by launching a legitimate CapCut executable (CapCut.exe), which is then used to load a .NET-based tool called CapCutLoader. This loader fetches and runs a Python-based payload (srchost.exe) from a remote server. That payload installs the Noodlophile Stealer, which can extract browser credentials, cryptocurrency wallet data, and other sensitive information. Sometimes, the malware is bundled with a remote access trojan like XWorm, allowing attackers persistent control over infected machines.
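The lure described above hinges on an archive member that looks like a video but is a Windows executable. The following is an added defender-side example, not code from Morphisec or this article: it inspects a ZIP listing for media-looking names that end in an executable extension (such as .mp4.exe) or that carry a PE (MZ) header, using a constructed archive that imitates the VideoDreamAI.zip layout (the member contents are fake bytes, not the real payload).

```python
"""Flag deceptive members inside a ZIP archive, modelled on the
VideoDreamAI.zip lure (constructed sample, not the real archive)."""
import io
import zipfile

# Extensions a victim expects to be media, and ones Windows will execute.
MEDIA_EXTS = {"mp4", "mov", "avi", "png", "jpg", "jpeg", "gif", "mp3"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "msi"}


def find_deceptive_members(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a media file
    but is executable: a double extension such as .mp4.exe, or a PE header
    (MZ) hiding behind a media extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            reasons = []
            # Double extension: media-looking name ending in an executable extension.
            if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in MEDIA_EXTS:
                reasons.append("double extension %s.%s" % (parts[-2], parts[-1]))
            # Content check: a PE image behind any media extension.
            if parts[-1] in MEDIA_EXTS or (len(parts) >= 3 and parts[-2] in MEDIA_EXTS):
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("PE header (MZ) in media-named member")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive imitating the lure layout; all bytes are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: only the MZ magic matters for this check.
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("preview.mp4", b"\x00\x00\x00\x18ftypmp42")  # benign media
        zf.writestr("README.txt", b"open the video")
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_deceptive_members(build_sample_zip()):
        print(f["member"], "->", "; ".join(f["reasons"]))
```

The same check can be run over archives quarantined at a mail or web gateway before a user ever sees the file name.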

The developer behind Noodlophile is believed to be based in Vietnam. On their GitHub profile, they claim to be a “passionate Malware Developer from Vietnam.” The account was created on March 16, 2025. Vietnam has previously been linked to developing and distributing various information-stealing malware targeting platforms like Facebook.

This trend of using AI as bait to lure victims is not new. In 2023, Meta reported taking down over 1,000 malicious links that exploited the popularity of tools like ChatGPT to distribute at least 10 malware families since March of that year.

In a related development, cybersecurity firm CYFIRMA also uncovered a new .NET-based stealer called PupkinStealer. This malware exfiltrates data from compromised Windows systems to a Telegram bot. It is notable for its lack of complex evasion techniques, instead relying on low-profile execution to avoid detection.


About The Author

Bisma Farrukh

Bisma is a seasoned writer passionate about topics like cybersecurity, privacy and data breach issues. She has been working in the VPN industry for more than 5 years and loves to talk about security issues. In her leisure time she loves to explore books and travel guides.
