Alert! Hackers Use Fake AI Tools to Spread Noodlophile Malware for Data Theft and System Takeover

174/68 Wednesday, May 14, 2025

Cybersecurity researchers at Morphisec have issued a warning about a new cyberattack campaign that exploits the popularity of AI tools to trick users into downloading a newly discovered malware called Noodlophile Stealer. This information stealer malware is being spread under the guise of fake AI applications like “Dream Machine” or “CapCut AI version,” which are promoted via Facebook groups and malicious websites. Victims are unaware that they are downloading malware, as the threat is disguised as popular AI video tools. Noodlophile Stealer is a previously undisclosed threat and is currently being sold on underground cybercrime forums as part of a malware-as-a-service (MaaS) model, equipped to steal login credentials, browser data, and cryptocurrency wallet information.

Morphisec attributes the development of Noodlophile to a Vietnamese threat actor who has advertised the tool in posts generating over 62,000 views.

The attack vector involves a ZIP file named “VideoDreamAI.zip” that instructs users to “upload media.” When extracted, it contains a disguised executable named “Video Dream MachineAI.mp4.exe”: the name suggests a video file, but it is actually a signed 32-bit executable using a certificate from Winauth. Inside this file is a modified CapCut.exe (v445.0) acting as a dropper, responsible for executing CapCutLoader, a .NET binary. This loader then fetches and runs a Python-based malware component called “srchost.exe”, which installs the Noodlophile Stealer.
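One defensive check this disguise suggests, as an added example that is not from Morphisec's report or the article: flag files whose name ends in a media extension followed by an executable one (Windows Explorer hides known extensions by default, so “Video Dream MachineAI.mp4.exe” displays as an .mp4), and flag files named as media whose contents start with the Windows PE “MZ” header. The sample files are constructed inline and are not the campaign's real artefacts.

```python
import os
import tempfile

# Extensions a user expects to open as media, and executable extensions that
# Windows actually honours (only the last extension decides how a file runs).
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".mp3", ".jpg", ".png", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}

def deceptive_name(filename: str) -> bool:
    """True when an executable extension follows a media extension,
    e.g. 'Video Dream MachineAI.mp4.exe'."""
    stem, last = os.path.splitext(filename.lower())
    _, penultimate = os.path.splitext(stem)
    return last in EXEC_EXTS and penultimate in MEDIA_EXTS

def is_pe_file(path: str) -> bool:
    """Windows executables begin with the 'MZ' DOS header regardless of name."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def scan(paths):
    """Return (path, reason) for each file that looks like a disguised executable."""
    findings = []
    for p in paths:
        name = os.path.basename(p)
        if deceptive_name(name):
            findings.append((p, "media-then-executable double extension"))
        elif os.path.splitext(name.lower())[1] in MEDIA_EXTS and is_pe_file(p):
            findings.append((p, "PE header inside a file named as media"))
    return findings

def demo():
    """Constructed samples (hypothetical, not real malware) in a temp dir."""
    d = tempfile.mkdtemp()
    samples = {
        "Video Dream MachineAI.mp4.exe": b"MZ\x90\x00" + b"\x00" * 60,  # PE hidden by name
        "teaser.mp4": b"MZ\x90\x00" + b"\x00" * 60,                    # PE hidden by content
        "real_clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 60,   # genuine MP4 box header
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    hits = scan(os.path.join(d, n) for n in samples)
    return sorted(os.path.basename(p) for p, _ in hits)
```

A match is a trigger for closer inspection (sandboxing, signature and certificate checks), not proof of malice on its own.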

Once deployed, the stealer targets:

  • Web browser data
  • Cryptocurrency wallets

In some cases, it also installs XWorm RAT, a Remote Access Trojan, allowing full remote control of the victim’s machine.

Morphisec’s full report includes a set of Indicators of Compromise (IOCs) to help defenders and security analysts detect and mitigate this ongoing campaign.

Source https://securityaffairs.com/177719/security/threat-actors-use-fake-ai-tools-to-deliver-the-information-stealer-noodlophile.html