Fake AI-powered video generation tools are now being leveraged to distribute a newly discovered malware family named Noodlophile.
Masquerading as advanced AI platforms with names like “Dream Machine,” these malicious websites are promoted through high-traffic Facebook groups, enticing users to upload files with the promise of generating AI-based videos.
However, instead of delivering a video, users receive a ZIP file containing an executable disguised as a video file (e.g., Video Dream MachineAI.mp4.exe). This misleading file, embedded with CapCut's legitimate components and signed with a Winauth-generated certificate, is designed to bypass suspicion and basic security checks.
According to research, this campaign introduces Noodlophile, an information stealer being sold on dark web forums, often bundled with “Get Cookie + Pass” services. The malware is linked to Vietnamese-speaking operators and is part of a growing malware-as-a-service (MaaS) model.
How It Works
Once the fake executable is launched, it initiates a multi-stage infection process. It triggers a batch script that leverages certutil.exe to decode a password-protected RAR archive posing as a PDF. The malware also establishes persistence by modifying the Windows Registry. From there, an obfuscated Python script is fetched and executed in memory, ultimately deploying the Noodlophile malware.
If Avast antivirus is detected, the malware uses process hollowing to inject its payload into RegAsm.exe; otherwise, it opts for shellcode injection to remain undetected.
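Two of the behaviours described above, the double-extension lure and the certutil.exe decode step spawned from a batch script, are visible in process-creation telemetry. The following is an added detection example, not code from the original article or the researchers; the log events are constructed, Sysmon-style records, and the rule names are assumptions.

```python
import re

# Constructed process-creation events (Sysmon-like fields); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\Video Dream MachineAI.mp4.exe",
     "cmdline": r'"C:\Users\u\Downloads\Video Dream MachineAI.mp4.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil.exe -decode "C:\Users\u\AppData\Local\Temp\doc.pdf" out.rar',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",          # benign admin use
     "cmdline": r"certutil.exe -verify C:\certs\corp.cer",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",     # a real media player
     "cmdline": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\u\Videos\a.mp4',
     "parent": r"C:\Windows\explorer.exe"},
]

# A media or document extension immediately followed by an executable extension.
MEDIA_DOC_EXT = r"(?:mp4|mov|avi|mkv|pdf|docx?|xlsx?|jpe?g|png)"
DOUBLE_EXT = re.compile(rf"\.{MEDIA_DOC_EXT}\.(?:exe|scr|com|bat|cmd)$", re.I)

# certutil used as a decoder (the -decode / -decodehex switches are real
# certutil options); the article's chain runs it from a batch script.
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|decodehex)\b", re.I)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe")


def classify(event):
    """Return the list of rule names (assumed names) the event triggers."""
    hits = []
    if DOUBLE_EXT.search(event["image"]):
        hits.append("disguised-double-extension")
    if CERTUTIL_DECODE.search(event["cmdline"]):
        hits.append("certutil-decode")
        # Higher confidence when a script host launched the decode, as in the
        # batch-script stage described for this campaign.
        if event["parent"].lower().endswith(SCRIPT_HOSTS):
            hits.append("certutil-decode-from-script-host")
    return hits


def scan(events):
    """Map event index -> triggered rules, keeping only events with hits."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```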

What Noodlophile Steals
The stealer targets sensitive data stored in browsers, such as:
- Login credentials
- Session cookies
- Authentication tokens
- Cryptocurrency wallet files
The exfiltrated data is sent via a Telegram bot acting as the command-and-control (C2) channel, enabling attackers to access data in real time. In some variants, Noodlophile is bundled with XWorm, a remote access trojan (RAT), extending the attackers' capabilities to more invasive forms of data theft.
Recommendations
- Avoid downloading software from unknown or unofficial websites.
- Always display file extensions to avoid being misled by disguised executables.
- Keep antivirus software updated and scan all downloaded files before execution.
- Be cautious of heavily promoted AI tools or platforms, especially those shared via social media.