Pierluigi Paganini May 12, 2025

Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn.

Morphisec researchers observed attackers exploiting AI hype to spread malware via fake AI tools promoted in viral posts and Facebook groups. Users seeking free AI video tools unknowingly download Noodlophile Stealer, a new malware that steals browser credentials, crypto wallets, and may install remote access trojans like XWorm.

The experts pointed out that Noodlophile Stealer is a previously undocumented malware. Noodlophile is being sold on cybercrime forums as part of malware-as-a-service schemes, often bundled with tools for credential theft. The developer, likely Vietnamese, has been seen actively engaging in related Facebook posts.

Fake AI tools spread via social media and scam websites like “Dream Machine” or “CapCut” bait users into uploading media.

Morphisec observed fake AI tool posts with over 62,000 views per post lure users seeking free video/image editors, but instead deliver malware disguised as AI-generated content.

Victims are tricked into downloading malware such as Noodlophile or XWorm, which steals credentials, crypto wallets, and can grant attackers remote access to infected systems.

Users are tricked into downloading a malicious ZIP (“VideoDreamAI.zip”) after uploading media. It contains a fake video file (“Video Dream MachineAI.mp4.exe”) that launches a legitimate CapCut binary.

“The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth. Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.” reads the report published by the researchers.

“The main objective of this binary is to locate and execute a secondary file, CapCut.exe, from a folder within its current directory. “

This triggers a .NET loader (“CapCutLoader”) which fetches and runs a Python-based malware (“srchost.exe”).

The Python binary deploys Noodlophile Stealer, which extracts browser credentials, crypto wallet data, and sometimes includes XWorm for remote system access.

The report includes Indicators of Compromise (IOCs) for this campaign

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, fake AI tools)