Noodlophile Stealer Detection: Novel Malware Distributed Through Fake AI Video Generation Tools
The constantly changing cyber threat landscape is seeing the emergence of new malware variants driven by the widespread adoption of AI and its exploitation for offensive purposes. Defenders have recently observed adversaries weaponizing fake AI-powered tools to lure users into downloading a new information-stealing malware known as Noodlophile. The malware is often promoted through fake Facebook groups and viral posts, already targeting over 62,000 users.
Detect Noodlophile Stealer
While the swift adoption of AI technologies is driving the development of next-gen cybersecurity solutions, it also introduces significant risks, as adversaries are adopting these tools as rapidly as defenders. Gartner forecasts that by 2027, more than 40% of AI-related data breaches will result from the improper cross-border use of generative AI (GenAI). The emergence of new malware dubbed Noodlophile Stealer, spread through fake AI generation tools, and designed to steal sensitive data from compromised systems, is drawing significant attention from cybersecurity defenders.
Register for SOC Prime Platform to stay ahead of emerging threats, like the newly discovered Noodlophile Stealer, which has already targeted thousands of Facebook users. Click the Explore Detections button to access a comprehensive collection of Sigma rules for Noodlophile Stealer detection.
All detection algorithms can be used across multiple SIEM, EDR, and Data Lake solutions, and are aligned with MITRE ATT&CK® for streamlined threat research. In addition, each vendor-agnostic Sigma rule is enriched with actionable metadata, such as CTI links, attack timelines, audit configurations, and more cyber threat context.
Security engineers can also rely on Uncoder AI, powered by Llama 70B and enriched with advanced AI capabilities for detection engineering, with all AI features now accessible for free. Create high-quality detection code from raw threat reports, enable fast IOC conversion into custom hunting queries, predict ATT&CK tags, optimize query code with AI recommendations, gain from AI-assisted cross-platform translation capabilities, and more, all with a single solution.
Noodlophile Stealer Analysis
According to a recent report by Morphisec researcher Shmuel Uzan, instead of using traditional phishing tactics or pirated software sites, adversaries are creating realistic, AI-themed websites promoted through seemingly legitimate Facebook groups and viral social media campaigns.
Some posts on these pages have garnered over 62,000 views, suggesting the campaign specifically targets users seeking AI-based video and image editing tools. More specifically, these fraudulent pages include Luma Dreammachine AI, Luma Dreammachine, and gratistuslibros. Users directed to the social media posts are prompted to click on the links promoting AI-based content creation services, such as videos, logos, images, and websites.
The fake AI video services deliver malware disguised as the generated output, handed to users after they upload their images for processing. Noodlophile Stealer, a new addition to the malware ecosystem, combines browser credential theft, wallet exfiltration, and optional remote access deployment. Unlike older malware campaigns, this one exploits AI as a social engineering tactic, targeting creators and small businesses exploring AI tools. Users unknowingly download a malicious payload that includes a newly discovered infostealer. Noodlophile Stealer communicates with attackers through a Telegram bot for exfiltration, and it is marketed in cybercrime marketplaces as part of a malware-as-a-service (MaaS) offering, alongside account takeover tools. The developer, likely from Vietnam, was seen promoting this new method on social media.
After users upload their image or video prompts on the fake sites, they are prompted to download the supposed AI-generated content, but instead, they receive a malicious ZIP file named “VideoDreamAI.zip.” Inside the archive is a deceptive file named “Video Dream MachineAI.mp4.exe,” a double-extension executable posing as a video, which triggers the infection process by running a legitimate executable tied to ByteDance’s video editor. This C++ executable launches a .NET-based loader, CapCutLoader, which eventually loads a Python payload from a remote server. The Python payload then deploys Noodlophile Stealer. In some cases, the stealer is bundled with a RAT, such as XWorm, providing attackers with persistent access to infected systems.
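The lure described above relies on a file name whose real extension is hidden behind a media extension (“.mp4.exe”). The following is an added example, not code from the Morphisec report or from SOC Prime, showing how a defender can flag that masquerade both in archive contents and in process-creation telemetry. The archive, the file names and the Sysmon-style log lines are all constructed here for illustration; the extension lists are assumptions a team would tune to its own environment.

```python
"""Flag double-extension executables posing as media or document files.

Added example (not from the Morphisec report or SOC Prime): the Noodlophile
lure is a ZIP whose "video" is really an .exe carrying a decoy ".mp4" in its
name. The helpers classify file names, scan ZIP member lists, and scan
constructed process-creation events. All sample data below is made up.
"""
import io
import re
import zipfile

# Extensions a victim expects from an "AI video/image" service (assumed list).
DECOY_EXTS = {"mp4", "mov", "avi", "mkv", "png", "jpg", "jpeg", "gif", "pdf"}
# Extensions Windows actually executes on double-click (assumed list).
EXEC_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "msi", "js", "vbs", "lnk", "ps1"}

# Matches Image="..." but not ParentImage="..." (\b fails between 't' and 'I').
IMAGE_RE = re.compile(r'\bImage="([^"]+)"')


def is_masquerading(name: str) -> bool:
    """True when the base name ends in an executable extension immediately
    preceded by a decoy extension, e.g. 'Video Dream MachineAI.mp4.exe'.
    Case is ignored and padding spaces ('video.mp4 .exe') are tolerated."""
    base = re.split(r"[\\/]", name.strip().lower())[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    real_ext, decoy_ext = parts[-1].strip(), parts[-2].strip()
    return real_ext in EXEC_EXTS and decoy_ext in DECOY_EXTS


def suspicious_zip_members(data: bytes) -> list:
    """Return the names of archive members that masquerade, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_masquerading(n)]


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive; every member is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", "placeholder, not a binary")
        zf.writestr("readme.txt", "placeholder")
        zf.writestr("preview.mp4", "placeholder")
    return buf.getvalue()


# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Users\\alice\\Downloads\\VideoDreamAI\\Video Dream MachineAI.mp4.exe" '
    'ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 Image="C:\\Users\\alice\\Downloads\\holiday.jpg.scr" ParentImage="C:\\Windows\\explorer.exe"',
]


def flag_events(events) -> list:
    """Return the Image paths of events whose launched binary masquerades."""
    hits = []
    for line in events:
        m = IMAGE_RE.search(line)
        if m and is_masquerading(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for member in suspicious_zip_members(build_sample_zip()):
        print("suspicious archive member:", member)
    for image in flag_events(SAMPLE_EVENTS):
        print("suspicious process image:", image)
```

Checking archive member names before extraction matters because the decoy extension is aimed at the user, not the parser: the ZIP listing already tells the defender the truth. The same predicate applied to the Image field of process-creation events catches the moment a victim double-clicks the file, which is the point at which the legitimate signed editor binary and the .NET loader would be started.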
To stay ahead of increasingly advanced threats driven by malicious use of AI technologies, defenders are harnessing the power of GenAI to enhance large-scale cybersecurity protection and outpace attackers. SOC Prime Platform offers a fusion of cutting-edge technologies backed by AI, automation, and real-time threat intelligence to enable organizations to outscale cyber threats, no matter their sophistication.