
A fake website | Image: Morphisec
Cybercriminals are now hijacking the hype surrounding AI to deliver sophisticated malware, as revealed in a new threat intelligence report from Morphisec. In a campaign that blends social engineering with layered technical obfuscation, attackers lure unsuspecting users with promises of AI-generated video content, only to infect them with the previously undocumented Noodlophile Stealer and, optionally, the XWorm remote access trojan.
“Behind the promise of instant AI-generated videos lies something much darker: malware disguised as AI output,” the report states.
The infection begins on fraudulent websites posing as AI-powered content tools, promoted via fake Facebook groups and viral social posts. Individual posts advertising free “AI”-powered image-to-video generation have drawn more than 62,000 views.
“Instead of relying on traditional phishing or cracked software sites, [attackers] build convincing AI-themed platforms—often advertised via legitimate-looking Facebook groups,” the report warns.
Once on the site, victims are encouraged to upload media files. In return, they are instructed to download what they believe is their “AI-generated” video. Instead, they receive a ZIP archive containing the payload: Video Dream MachineAI.mp4.exe—a disguised executable crafted to evade detection.
“The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application… deceptively named to masquerade as a harmless video file,” notes the report.
Noodlophile Stealer is a new information-stealing malware that harvests:
- Browser credentials and cookies
- Cryptocurrency wallets
- Session tokens
- Potentially sensitive local files
It communicates with attackers via a Telegram bot, enhancing stealth and exfiltration capabilities. According to Morphisec: “At the final stage of the attack, it was discovered that the Noodlophile Stealer communicates with the attackers through a Telegram bot.”
In more advanced variants, Noodlophile is bundled with XWorm, a modular RAT capable of:
- Local shellcode injection
- PE hollowing into RegAsm.exe for stealth execution
- Lateral movement and propagation
The malicious archive uses a multi-stage delivery architecture:
- CapCut.exe – A 140MB C++ wrapper embedding malicious .NET assemblies
- AICore.dll – A command helper DLL with a single active export used to trigger batch files
- Document.docx – A disguised .bat file saved as UTF-16 with a leading FF FE byte-order mark, so that ASCII string matching in static analysis misses its commands
- Document.pdf – A Base64-encoded RAR archive masquerading as a PDF
- meta (renamed to images.exe) – A WinRAR utility for silent extraction
- Randomuser2025.txt – An obfuscated Python script loader using exec() with in-memory decoding
The attack culminates with the launch of srchost.exe, a Python-based payload loader that injects the Noodlophile and optionally the XWorm malware into memory.
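The masquerade tricks listed above (a double extension on the first-stage executable, a UTF-16 “document” that is really a batch file, a Base64-encoded RAR named as a PDF) are all visible statically before anything is executed. The following triage script is an added example, not code from Morphisec or from the campaign: it builds a constructed ZIP whose members mirror the described layout (harmless placeholder bytes, not real samples; the batch command line in it is invented for illustration) and flags each member by extension/content mismatch, UTF-16 BOM plus batch keywords, and Base64 that decodes to the RAR magic.

```python
"""Static triage of a ZIP for the masquerade indicators described in the report.
Added example with constructed samples; nothing here is recovered malware."""
import base64
import binascii
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll"}
DECOY_EXTS = {".mp4", ".avi", ".mov", ".mkv", ".pdf", ".docx", ".doc", ".jpg", ".png", ".txt"}

# Magic prefixes for the file types that appear in the described archive.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip/ooxml"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xff\xfe", "utf16le-bom"),
    (b"\xfe\xff", "utf16be-bom"),
]
EXPECTED_BY_EXT = {".pdf": "pdf", ".docx": "zip/ooxml", ".exe": "pe", ".dll": "pe", ".rar": "rar"}
BATCH_HINTS = re.compile(r"(?im)^\s*(@echo\s+off|set\s+\w+=|start\b|cmd(\.exe)?\b|powershell\b|call\b)")


def extensions(name):
    """Return (second-to-last, last) extension of a path, lower-cased, '' if absent."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return prev, last


def is_double_extension(name):
    """'Video Dream MachineAI.mp4.exe': a decoy media/document extension before an executable one."""
    prev, last = extensions(name)
    return last in EXEC_EXTS and prev in DECOY_EXTS


def sniff(data):
    """Identify content by magic bytes, independent of the filename."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def utf16_batch(data):
    """UTF-16 LE text with a BOM whose content looks like a batch script.
    ASCII-only string scanners see 'e\\x00c\\x00h\\x00o\\x00' instead of 'echo'."""
    if not data.startswith(b"\xff\xfe"):
        return False
    try:
        text = data.decode("utf-16")  # the 'utf-16' codec consumes the BOM
    except UnicodeDecodeError:
        return False
    return BATCH_HINTS.search(text) is not None


def base64_rar(data):
    """True if the member is Base64 text that decodes to a RAR archive."""
    stripped = b"".join(data.split())
    if not stripped or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
        return False
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(b"Rar!\x1a\x07")


def inspect_member(name, data):
    """Return the list of indicator strings for one member (empty list = nothing odd)."""
    hits = []
    _, last = extensions(name)
    kind = sniff(data)
    if is_double_extension(name):
        hits.append("double-extension")
    expected = EXPECTED_BY_EXT.get(last)
    if expected and kind != expected:
        hits.append(f"content-mismatch:{last}={kind}")
    if last in DECOY_EXTS and kind == "pe":
        hits.append("pe-with-decoy-extension")
    if utf16_batch(data):
        hits.append("utf16-batch")
    if base64_rar(data):
        hits.append("base64-rar")
    return hits


def inspect_zip(zip_bytes):
    """Map each file member of an in-memory ZIP to its indicators."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                report[info.filename] = inspect_member(info.filename, zf.read(info))
    return report


def build_sample_zip():
    """Constructed archive mirroring the described layout; placeholder bytes only."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"            # DOS header stub, not a real PE
    bat_text = "@echo off\r\nstart images.exe x -y Document.rar\r\n"  # invented command line
    bat_utf16 = b"\xff\xfe" + bat_text.encode("utf-16-le")   # explicit FF FE BOM
    fake_rar = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16          # RAR5 magic plus padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", fake_pe)
        zf.writestr("Document.docx", bat_utf16)
        zf.writestr("Document.pdf", base64.b64encode(fake_rar))
        zf.writestr("readme.pdf", b"%PDF-1.4\n%benign placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in inspect_zip(build_sample_zip()).items():
        print(f"{member:32} {', '.join(hits) or 'clean'}")
```

Run against a real download the same way by reading the ZIP bytes from disk. The checks are deliberately content-based: the filename tells you what the attacker wants you to believe, the magic bytes and the decoded payload tell you what the file is.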
Investigations suggest the malware may originate from a Vietnamese developer active on cybercrime marketplaces. Morphisec uncovered Telegram-linked activity promoting malware-as-a-service offerings under the Noodlophile name, often bundled with account takeover tools labeled “Get Cookie + Pass.”