Victims who download what they believe is an AI-generated video instead install malware that can steal their data or give attackers remote access to their devices.

Cybercriminals are luring users into downloading malware through fake AI video generators. After a user uploads an image or video of their own as a prompt, the site returns a downloadable file that contains an infostealer.
“This file installs malware — such as Noodlophile or Noodlophile bundled with XWorm — onto their systems, enabling attackers to steal data, harvest credentials, and potentially gain remote access to infected devices,” wrote Shmuel Uzan, a security researcher for Morphisec, in a report.
The new form of social engineering appears to start on Facebook, as attackers advertise links to “AI-themed platforms” in groups where members are searching for free AI tools. These groups have thousands of members, and posts in them can reach up to 62,000 views, according to Uzan.
The bogus websites where victims seek the promised AI services mimic legitimate software, misusing names and logos such as Luma Dream Machine. One even carries the logo of CapCut, a popular video editing app owned by ByteDance, TikTok's parent company.
The websites encourage visitors to upload their own images or videos, claiming that AI will be used to edit the files or generate new content using them as a prompt. Once uploaded, the platform “processes” the reference file and then presents a Download Now button.
When the victim clicks the button, they download a ZIP file named VideoDreamAI.zip containing a series of components, including a .NET loader, C++-based executables, and batch scripts. One executable, Video Dream MachineAI.mp4.exe, uses a double extension so that it appears to be a video file; it launches a second executable, CapCut.exe, which in turn runs the .NET loader.
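As an added example (not code from the Morphisec report or this article), the check below scans a ZIP for members that pose as media files the way "Video Dream MachineAI.mp4.exe" does: an executable extension hidden behind a media extension, or a PE header under a non-executable name. The archive is built in memory; apart from the two filenames the article reports, the member names and bytes are constructed placeholders.

```python
"""Added example: flag archive members that masquerade as media files.
Not from the Morphisec report; sample archive contents are constructed."""
import io
import zipfile

# Extensions a video or image "download" would legitimately carry.
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".png", ".jpg", ".jpeg", ".gif"}
# Extensions Windows runs on double-click (Explorer hides these by default).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return one finding per member that is, or hides, an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            last = "." + parts[-1] if len(parts) > 1 else ""   # real extension
            prev = "." + parts[-2] if len(parts) > 2 else ""   # the one the user sees
            with zf.open(info) as fh:
                head = fh.read(2)                               # PE files start with "MZ"
            reasons = []
            if last in EXEC_EXTS:
                reasons.append(f"executable member ({last})")
            if last in EXEC_EXTS and prev in MEDIA_EXTS:
                shown = name[: -len(last)]                     # what Explorer displays
                reasons.append(f"double extension: Explorer displays it as '{shown}'")
            if head == b"MZ" and last not in EXEC_EXTS:
                reasons.append("PE header under a non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the layout the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The two names from the article; contents are placeholder bytes.
        zf.writestr("VideoDreamAI/Video Dream MachineAI.mp4.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("VideoDreamAI/CapCut.exe", b"MZ" + b"\x00" * 62)
        # Constructed extras to exercise each rule.
        zf.writestr("VideoDreamAI/run.bat", b"@echo off\r\n")
        zf.writestr("VideoDreamAI/thumb.jpg", b"MZ" + b"\x00" * 30)
        zf.writestr("VideoDreamAI/clip.mp4", b"\x00\x00\x00\x18ftypmp42")
        zf.writestr("VideoDreamAI/readme.txt", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_members(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

The double-extension rule matters because Windows Explorer hides known extensions by default, so the lure file shows up as "Video Dream MachineAI.mp4" with a generic icon. The same check can run at a mail gateway or download proxy before the archive reaches a user.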
The loader downloads a Python-based payload called srchost.exe from a remote server. When executed, it deploys an infostealer, dubbed Noodlophile, that harvests the victim's browser credentials, cookies, cryptocurrency wallets, tokens, and other data, and sends the stolen details to the attackers through a Telegram bot. In some cases a remote access trojan, XWorm, is loaded as well.
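Exfiltration through a Telegram bot leaves a recognisable trace in egress logs. As an added example (not from the Morphisec report or this article), the script below flags Telegram Bot API requests in a web-proxy log and pivots on the bot ID. The article says only that stolen data leaves through a Telegram bot; the URL shape used here (api.telegram.org/bot<id>:<secret>/<method>) is the public Bot API format, and the log lines, client IPs, user agent and token are constructed, not captured.

```python
"""Added example: detect Telegram Bot API calls in a proxy log.
Not from the Morphisec report; SAMPLE_LOG and the token are constructed."""
import re
from collections import defaultdict

# Public Bot API URL shape: /bot<numeric id>:<secret>/<method>
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# Methods that carry data off the host; the rest are bot housekeeping.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}

# Constructed lines: timestamp, client IP, HTTP verb, URL, status, user agent.
SAMPLE_LOG = """\
2025-05-12T09:14:02Z 10.1.4.23 GET https://update.example.com/check.json 200 python-requests/2.31
2025-05-12T09:14:05Z 10.1.4.23 POST https://api.telegram.org/bot7213349876:AAHxQ1dH2K4vLwp3cT8sNqRzYb9Ue0Fm7Xk/sendDocument 200 python-requests/2.31
2025-05-12T09:14:07Z 10.1.4.23 GET https://api.telegram.org/bot7213349876:AAHxQ1dH2K4vLwp3cT8sNqRzYb9Ue0Fm7Xk/getMe 200 python-requests/2.31
2025-05-12T09:15:11Z 10.1.4.40 GET https://web.telegram.org/a/ 200 Mozilla/5.0
"""


def detect_bot_api_calls(log_text: str) -> list[dict]:
    """One hit per Bot API request; the token is redacted to id plus 4 chars."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, verb, url, status, ua = line.split(" ", 5)
        m = BOT_API.search(url)
        if not m:
            continue
        method = m.group("method")
        hits.append({
            "ts": ts,
            "src": src,
            "verb": verb,
            "method": method,
            "bot": f"{m.group('bot_id')}:{m.group('secret')[:4]}****",
            "user_agent": ua,
            # A sendX call via POST from a non-browser client is the exfil shape.
            "severity": "high" if method in EXFIL_METHODS and verb == "POST" else "medium",
        })
    return hits


def hosts_by_bot(hits: list[dict]) -> dict[str, set[str]]:
    """Pivot: the same bot id seen from several hosts points to one campaign."""
    out = defaultdict(set)
    for h in hits:
        out[h["bot"].split(":")[0]].add(h["src"])
    return dict(out)


if __name__ == "__main__":
    hits = detect_bot_api_calls(SAMPLE_LOG)
    for h in hits:
        print(h["severity"].upper(), h["ts"], h["src"], h["method"], h["bot"], h["user_agent"])
    print(hosts_by_bot(hits))
```

The full URL is only visible when the proxy terminates TLS or the client uses an explicit proxy; otherwise fall back to SNI or DNS lookups for api.telegram.org, which is noisier. Organisations that run legitimate alerting bots should allowlist by bot ID rather than by hostname, since the ID is what separates their bot from an attacker's.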
In addition to images and videos, the fraudulent platforms uncovered by Uzan offer AI-generated websites and mockups, suggesting that the attacker’s targets are businesses. However, their use of Facebook groups for promotion indicates they are not pursuing large corporate clients, but rather small or medium-sized businesses looking for free tools to cut marketing costs.
“What makes this campaign unique is its exploitation of AI as a social engineering lure — turning an emerging legitimate trend into an infection vector,” Uzan wrote. “Unlike older malware campaigns disguised as pirated software or game cheats, this operation targets a newer, more trusting audience: creators and small businesses exploring AI for productivity.”
Searching for the term “Noodlophile” on cybercrime forums revealed that it was being advertised as part of a malware-as-a-service offering, Uzan found. He also discovered the malware’s developer on Facebook leaving comments on posts that promoted an account takeover technique associated with the Noodlophile infostealer.
Based on the language and other social media indicators, Uzan believes the developer is Vietnamese. The associated GitHub profile, from which the name Noodlophile has since been removed, describes its owner as a “passionate Malware Developer” who sells cyber security tools.
Fiona Jackson is a news writer who started her journalism career at SWNS press agency, later working at MailOnline, an advertising agency, and TechnologyAdvice. Her work spans human interest and consumer tech reporting, appearing in prominent media outlets such as TechHQ, The Independent, Daily Mail, and The Sun.