Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads


Scammers are using fake AI tools and Facebook ads to spread the Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials.

Cybersecurity researchers at Morphisec have identified a new malware campaign that uses fake and malicious artificial intelligence (AI) platforms to distribute a new information stealer dubbed Noodlophile Stealer.

This sophisticated tactic exploits the surging popularity of AI tools to trick users into downloading malware that can steal browser credentials and cryptocurrency wallets, and potentially deploy remote access tools such as XWorm.

How Does it Work?

Morphisec’s threat analysis, shared with Hackread.com ahead of its publication on 8 May 2025, details how cybercriminals are creating convincing fake AI websites, often advertised through Facebook groups with global reach (some posts exceeding 62,000 views on a single post).

These platforms lure users with promises of free AI video and image generation, prompting them to upload their own images. Instead of the expected AI-processed content, victims unknowingly download a malicious ZIP archive containing the Noodlophile Stealer.

Source: Morphisec

Novel Social Engineering Leverages AI Trend

This campaign stands out because it uses AI as the social engineering lure, targeting a potentially more trusting audience of creators and small businesses exploring AI, primarily within Facebook communities.

Morphisec’s report notes that Noodlophile Stealer is a newly documented malware combining credential theft, wallet exfiltration, and optional remote access deployment. Notably, it exfiltrates stolen information through a Telegram bot.

Open-source intelligence (OSINT) investigations led Morphisec to identify the developer behind Noodlophile, likely of Vietnamese origin, who was observed promoting this method in Facebook posts and on online cybercrime marketplaces. The developer’s profile also reveals further involvement in malware sales and distribution, with links found in Facebook groups leading directly to their profile.

Source: Morphisec

Multi-Stage Attack Designed for Evasion

The attack chain is a multi-stage infection process designed for stealth and persistence. Users interacting with the fake AI site download a ZIP file (VideoDreamAI.zip) containing a deceptive executable (Video Dream MachineAI.mp4.exe). The double extension makes it look like a video file, but it is a repurposed version 445.0 of the legitimate video editing tool CapCut, and it is even signed using a certificate created via Winauth.

This executable then drops further malicious components from a hidden folder named 5.0.0.1886, including CapCut.exe (a wrapper for embedded .NET malware), AICore.dll (a command execution helper), and disguised files such as Document.docx (actually a batch script) and Document.pdf (actually a password-protected archive).

The install.bat script, launched by CapCutLoader (within CapCut.exe, which first verifies internet connectivity by pinging google.com up to 10 times), decodes the archive (password: TONGDUCKIEMDEVELOPER2025), establishes persistence, and downloads and executes a Python payload (srchost.exe) containing the Noodlophile Stealer and the XWorm loader.

These final payloads run in memory to evade detection, with the XWorm loader employing techniques such as shellcode injection and PE hollowing (in particular targeting RegAsm.exe if Avast is present).
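Two of the tricks in the chain above, a media-looking double extension (.mp4.exe) and document names whose contents are really a script or an archive, are cheap to check for before anything is executed. The script below is an added example for this article, not Morphisec's code or a real sample: it builds a constructed ZIP that mimics the described file names and magic bytes, then flags entries whose final extension is executable behind a lure extension, entries whose leading bytes do not match the type their extension claims, and encrypted entries it cannot inspect. The magic-byte table and extension sets are a small illustrative subset, not a complete list.

```python
import io
import zipfile

# Extensions Windows will execute, and "lure" extensions that make a
# double-extension name read as a media or document file (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LURE_EXTS = {".mp4", ".mov", ".avi", ".jpg", ".png", ".pdf", ".docx", ".doc", ".txt"}

# Leading bytes of a few common container/executable formats (assumption: subset).
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# What the extension claims the content should be (.docx is a ZIP container).
EXPECTED_TYPE = {".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".docx": "zip", ".zip": "zip"}


def sniff(head: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def split_exts(name: str) -> list:
    """All extensions of the file name part of a ZIP entry, lower-cased, e.g. ['.mp4', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_entry(name: str, head: bytes) -> list:
    """Findings for one entry: double extension and extension/content mismatch."""
    findings = []
    exts = split_exts(name)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in LURE_EXTS:
        findings.append(f"double extension: looks like {exts[-2]} but runs as {exts[-1]}")
    kind = sniff(head)
    last = exts[-1] if exts else ""
    expected = EXPECTED_TYPE.get(last)
    if expected and kind != expected:
        findings.append(f"content type {kind} does not match extension {last}")
    elif kind == "pe" and last not in EXECUTABLE_EXTS and last != ".dll":
        findings.append(f"PE header behind non-executable extension {last or '(none)'}")
    return findings


def triage_zip(data: bytes) -> dict:
    """Map each suspicious entry name to its findings; only the first 8 bytes are read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted entry: cannot sniff, still worth flagging
                findings[info.filename] = ["encrypted entry, contents not inspected"]
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            hits = classify_entry(info.filename, head)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for the described archive (not the real VideoDreamAI.zip).
    The dropped files are bundled into one archive here purely for illustration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("5.0.0.1886/AICore.dll", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("5.0.0.1886/Document.docx", b"@echo off\r\nping google.com\r\n")
        zf.writestr("5.0.0.1886/Document.pdf", b"PK\x03\x04" + b"\x00" * 26)  # archive, not a PDF
        zf.writestr("readme.txt", b"Thanks for using Video Dream AI\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage_zip(build_sample()).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

AICore.dll and readme.txt produce no findings, which is the point: the checks compare what a name promises with what the bytes are, so a correctly named DLL passes while Document.pdf (a ZIP) and Document.docx (batch text) do not. A real sample may also be an encrypted archive, which the script flags rather than silently skips.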

The Noodlophile Stealer and its use of fake AI platforms is just another cybersecurity threat against unsuspecting users. Therefore, remain cautious at all times, refrain from downloading tools directly from social media posts or third-party platforms, and always use official websites to download files.

Even after downloading a file from a verified source, do not execute or install the program on your device before scanning it on services such as VirusTotal or ANY.RUN.
