CISO’s Attention! Malware Is Targeting Browsers To Steal Usernames & Passwords, Leading To Exposure Of Enterprise Crown Jewels

AI or AIlusion? Fake Video Generator Drops Dangerous ‘Noodlophile’ Malware

The420.in

In a new and deeply concerning development at the intersection of artificial intelligence and cybercrime, attackers are disguising malware campaigns as AI-powered video generation tools. Marketed as cutting-edge platforms with names like “Dream Machine,” these phony tools claim to generate personalized media content from uploaded files. Instead of receiving creative output, users are tricked into downloading a new information-stealing malware strain called Noodlophile.

The scheme, uncovered by cybersecurity firm Morphisec, involves a slick operation promoted through high-visibility Facebook groups. Victims are enticed to upload files to seemingly legitimate AI video sites. In return, they receive a ZIP file containing a hidden executable, disguised with a convincing filename (Video Dream MachineAI.mp4.exe) so that it appears to be an MP4 file. This is especially dangerous for Windows users who have known file extensions hidden, since only the ".mp4" part of the name is displayed.


Morphisec notes that while AI has been weaponized before for malware delivery, Noodlophile is a new addition to the malware ecosystem, being sold as Malware-as-a-Service (MaaS) on dark web forums, particularly by Vietnamese-speaking operators.

A Stealthy Chain Reaction: From ZIP Archive to In-Memory Execution

Once the downloaded archive is extracted, it sets off a multi-stage infection chain that combines legitimate tools with deceptive techniques. The executable inside the archive is not a media file at all but a repurposed build of CapCut (version 445.0), a popular video editing tool, which helps it evade antivirus detection.

The malicious executable runs a batch script (install.bat) hidden within a folder. That script uses certutil.exe, a native Windows utility, to decode a base64-encoded, password-protected RAR archive that is disguised as a document. Inside lies the main payload, Noodlophile Stealer, which is executed directly in memory so that it leaves no file on disk.

To maintain persistence, the script adds a new Registry key and, depending on which antivirus product is present, uses process hollowing or shellcode injection to hide its tracks. Notably, if Avast antivirus is detected, the malware injects itself into RegAsm.exe, a legitimate .NET utility, using a technique known as PE hollowing.

Data on Demand: Telegram-Linked Exfiltration and Remote Access

Once deployed, Noodlophile targets web browser data, including stored credentials, session cookies, authentication tokens, and even cryptocurrency wallet files. The stolen data is exfiltrated via a Telegram bot, which doubles as a command-and-control (C2) channel and gives the operators real-time updates and remote control.
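Each stage of the chain described above leaves a trace a defender can look for in endpoint telemetry: a double-extension dropper name, certutil.exe invoked as a decoder, RegAsm.exe started by an unexpected parent, and a non-browser process talking to the Telegram Bot API. The script below is an added example, not code from Morphisec or The420.in. It runs those four triage rules over constructed Sysmon-style process and network events embedded inline; apart from the Video Dream MachineAI.mp4.exe filename taken from the article, the sample file names, the RegAsm.exe parent allowlist and the browser allowlist are assumptions chosen for illustration.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (not real telemetry), reduced
# to the three fields the rules below need. "Document.pdf" and "payload.rar"
# are hypothetical names standing in for the disguised RAR described above.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\alice\Downloads\Video Dream MachineAI.mp4.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Users\\alice\\Downloads\\Video Dream MachineAI.mp4.exe"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -decode Document.pdf payload.rar"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\alice\Downloads\Video Dream MachineAI.mp4.exe",
     "cmdline": "RegAsm.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": "RegAsm.exe MyComponent.dll"},  # benign developer use
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "7z.exe x archive.zip"},
]

# Constructed network-connection events: which process opened a connection to which host.
SAMPLE_NETWORK_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_host": "api.telegram.org"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "dest_host": "update.example.net"},
]

# A media or document extension immediately followed by .exe, e.g. "clip.mp4.exe".
DOUBLE_EXTENSION = re.compile(
    r"\.(mp4|avi|mov|mkv|mp3|pdf|docx?|xlsx?|jpe?g|png)\.exe$", re.IGNORECASE)

# certutil switches that turn it into a decoder or downloader; -decode is the one this chain uses.
CERTUTIL_ABUSE = re.compile(r"(?i)(^|\s)-(decode|decodehex|urlcache)\b")

# Parents from which RegAsm.exe is normally launched (assumed allowlist for this example).
REGASM_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}

# Processes that may legitimately reach the Telegram Bot API (assumed allowlist for this example).
TELEGRAM_EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()


def check_process_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the process-creation stages of the chain."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image, parent, cmdline = base(ev["image"]), base(ev["parent"]), ev["cmdline"]
        if DOUBLE_EXTENSION.search(image):
            findings.append(("double_extension_executable", image))
        if image == "certutil.exe" and CERTUTIL_ABUSE.search(cmdline):
            findings.append(("certutil_decode", f"{parent} -> {cmdline}"))
        if image == "regasm.exe" and parent not in REGASM_EXPECTED_PARENTS:
            findings.append(("regasm_unusual_parent", parent))
    return findings


def check_network_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag Telegram Bot API traffic from anything that is not an allowlisted client."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = base(ev["image"])
        if ev["dest_host"].lower() == "api.telegram.org" and image not in TELEGRAM_EXPECTED_PROCESSES:
            findings.append(("telegram_api_from_non_browser", image))
    return findings


if __name__ == "__main__":
    for rule, detail in (check_process_events(SAMPLE_PROCESS_EVENTS)
                         + check_network_events(SAMPLE_NETWORK_EVENTS)):
        print(f"[{rule}] {detail}")
```

On the sample data the script raises one finding per stage of the chain and stays quiet on the two benign events (RegAsm.exe under devenv.exe, and Chrome reaching api.telegram.org), which is the point of keying the RegAsm and Telegram rules on the parent process and the originating process rather than on the executable or hostname alone.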


But the damage doesn’t stop at credential theft. In some instances, Noodlophile has been found bundled with XWorm, a powerful Remote Access Trojan (RAT) that allows deeper exploitation of infected machines, including remote desktop access, keystroke logging, and file manipulation.

Researchers warn that this dual-threat model, passive stealing through Noodlophile and active surveillance via XWorm, significantly elevates the risk for victims. Moreover, because the malware was absent from public malware trackers prior to this discovery, detection is even harder.
