Cybercriminals Exploit AI Hype to Distribute Sophisticated Noodlophile Malware

CyberSecureFox 🦊

Cybersecurity researchers at Morphisec have uncovered a sophisticated malware campaign that exploits the growing enthusiasm for artificial intelligence technologies to distribute the dangerous Noodlophile infostealer. The operation leverages fake AI-powered video generation platforms to trick users into downloading malicious software, highlighting a concerning trend in cyber threat evolution.

Campaign Infrastructure and Social Engineering Tactics

The threat actors have established a network of fraudulent websites advertising advanced AI video generation services, primarily promoting a platform called “Dream Machine.” These deceptive campaigns have gained significant traction on social media, accumulating over 62,000 views and targeting users interested in AI-powered video and image editing capabilities. When victims attempt to access the service, they receive a ZIP archive containing disguised malware instead of the promised video processing tools.

Technical Analysis of the Malware Deployment Chain

The malware distribution mechanism employs sophisticated social engineering techniques, delivering the payload through a deceptively named executable: “Video Dream MachineAI.mp4.exe”. This malicious file is actually a modified version of the legitimate CapCut video editor, digitally signed with a Winauth certificate to bypass security controls. The infection chain utilizes a complex execution sequence involving legitimate Windows utilities and heavily obfuscated scripts.

Noodlophile Infostealer Capabilities

The Noodlophile malware, believed to be developed by Vietnamese threat actors, demonstrates advanced data exfiltration capabilities. It specifically targets sensitive browser data, including:

– Stored login credentials
– Browser cookies and active sessions
– Authentication tokens
– Cryptocurrency wallet information

The stolen data is exfiltrated through a covert command-and-control channel implemented via a Telegram bot infrastructure.

Threat Evolution and Distribution Model

Security researchers have identified that Noodlophile operates under a malware-as-a-service (MaaS) model, being distributed through darknet markets alongside “Get Cookie + Pass” services. The malware has been observed working in conjunction with the XWorm Remote Access Trojan, significantly expanding the attackers’ system compromise capabilities and potential damage scope.

This emerging threat campaign demonstrates the increasing sophistication of cybercriminals in adapting their tactics to exploit current technological trends. Organizations and individuals should implement robust security measures, including careful verification of software sources, proper file extension checking, and enhanced endpoint protection solutions. The cybersecurity community strongly advises against downloading executable files from unverified AI service platforms, as legitimate AI tools typically operate through web-based interfaces or official app store distributions.
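The double-extension lure described above (a Windows executable named to look like an `.mp4`, delivered inside a ZIP) and the file-extension checking recommended here can be turned into a simple defender-side triage check. The following is an added example, not code from Morphisec or from the original article; the extension lists and the in-memory sample archive are constructed for illustration, and the "MZ" stub stands in for a real PE file.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Decoy "inner" extensions: what the attacker wants the victim to believe the file is
DECOY_EXTENSIONS = {"mp4", "mov", "avi", "mkv", "jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
# Extensions Windows will actually execute when double-clicked
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "lnk"}


def classify_member_name(name: str) -> Optional[str]:
    """Return a finding for a suspicious archive member name, or None if the name is unremarkable."""
    base = name.rsplit("/", 1)[-1]          # strip any directory prefix inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    # "video.mp4.exe": a media-looking extension immediately before the real executable extension
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return f"double extension: looks like .{parts[-2]} but is .{ext}"
    return f"executable in archive: .{ext}"


def scan_archive(data: bytes) -> List[Tuple[str, str]]:
    """Scan ZIP bytes and return (member name, finding) pairs.

    Besides the name check, the first two bytes of each member are read so that a PE file
    hiding under a harmless extension (no ".exe" at all) is still flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_member_name(info.filename)
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and finding is None:   # "MZ" is the DOS header magic every PE starts with
                finding = "PE header (MZ) under a non-executable extension"
            if finding:
                findings.append((info.filename, finding))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the lure: a fake 'video' that is really a PE, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)  # placeholder PE stub, not malware
        zf.writestr("readme.txt", b"Your AI video is ready")
        zf.writestr("preview.mp4", b"MZ\x90\x00")  # PE bytes hiding under a media extension
    return buf.getvalue()
```

Run against the constructed archive, the scan flags both the double-extension executable and the mis-labelled PE while leaving the text file alone; in practice the same check belongs at the mail gateway or download proxy, before the archive reaches an endpoint where "hide extensions for known file types" makes the trick work.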
