Cybercriminals are leveraging the rising popularity of AI content creation by launching fake video editing platforms that secretly deliver advanced malware to unsuspecting users. A new campaign uncovered by the Morphisec team exposes how these fraudulent sites are spreading a stealthy infostealer named Noodlophile Stealer.

Disguised as AI tools for video and image editing, the fake platforms attract users through viral Facebook posts and social media campaigns. Once users upload their personal media, they’re prompted to download a file supposedly containing their AI-processed content. However, the download, typically named VideoDreamAI.zip, carries a malicious executable (Video Dream MachineAI.mp4.exe) that triggers a complex infection chain.

This executable, designed to mimic a real video file, is a tampered version of CapCut (version 445.0) signed with a forged certificate. Upon launching, it installs the Noodlophile Stealer and, in some cases, a remote access trojan known as XWorm.

Noodlophile Stealer is a newly identified malware that exfiltrates browser credentials, cryptocurrency wallets, and other sensitive data. It communicates with attackers through Telegram bots, allowing covert data theft. OSINT investigations reveal that this malware is being sold on underground forums as part of Malware-as-a-Service (MaaS) offerings.

The infection unfolds in several stages:

  • The CapCut.exe binary initiates the attack, running .NET code to bypass detection.
  • A batch file disguised as Document.docx triggers the extraction of a password-protected archive, itself disguised as Document.pdf, using built-in Windows tools.
  • This archive contains Python components and payloads that install the stealer and RAT.
  • XWorm is deployed through memory injection or executable hollowing techniques, making it harder to detect.
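As an added, defender-side example (not code from the Morphisec report or this article), the check below flags the two lure patterns the chain relies on: a download whose name ends in a media extension followed by an executable one, and files such as Document.docx or Document.pdf whose leading bytes do not match their extension. It assumes the archive is a ZIP (the article does not name the format) and runs on constructed sample records, such as a file-event feed from an EDR or download log.

```python
# Added example, not from the Morphisec report: flags double-extension lures
# and extension/content mismatches. Sample records below are constructed.
DECOY_EXTS = {"mp4", "mov", "avi", "jpg", "png", "pdf", "docx", "xlsx"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# What the first bytes of a file should look like for a given extension.
# Note that a genuine .docx is itself a ZIP container (OOXML).
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "mp4": "mp4", "exe": "pe"}
BATCH_PREFIXES = ("@echo", "echo ", "set ", "start ", "cmd ", "powershell")

def sniff(header: bytes) -> str:
    """Classify file content from its leading bytes (magic numbers)."""
    if header.startswith(b"%PDF"):
        return "pdf"
    if header.startswith(b"PK\x03\x04"):
        return "zip"
    if header.startswith(b"MZ"):
        return "pe"
    if len(header) >= 8 and header[4:8] == b"ftyp":
        return "mp4"
    text = header.decode("ascii", errors="ignore").lstrip().lower()
    if text.startswith(BATCH_PREFIXES):
        return "batch"
    return "unknown"

def inspect(name: str, header: bytes) -> list:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    parts = name.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in DECOY_EXTS:
        findings.append(f"double extension .{parts[1]}.{parts[2]}")
    ext = parts[-1] if len(parts) > 1 else ""
    expected, actual = EXPECTED_KIND.get(ext), sniff(header)
    if expected and actual != "unknown" and actual != expected:
        findings.append(f"content looks like {actual} but extension is .{ext}")
    return findings

# Constructed samples mirroring the artifact names in the report.
SAMPLES = [
    ("Video Dream MachineAI.mp4.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Document.docx", b"@echo off\r\nset payload=..."),
    ("Document.pdf", b"PK\x03\x04\x14\x00\x01\x00"),  # archive, assumed ZIP
    ("report.pdf", b"%PDF-1.7\n"),
    ("clip.mp4", b"\x00\x00\x00\x18ftypmp42"),
]

def scan(samples=SAMPLES) -> dict:
    """Map each flagged file name to its findings; clean files are omitted."""
    return {n: f for n, h in samples if (f := inspect(n, h))}
```

Calling `scan()` on the constructed samples flags the three lure files and leaves the genuine PDF and MP4 alone; only the first few bytes of each file are needed, so the check is cheap to run over a large feed.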

This attack highlights how threat actors are exploiting public trust in AI tools to target creators, influencers, and small businesses. The emergence of Noodlophile Stealer underlines the rapid evolution of the cybercrime landscape, especially with MaaS enabling quick and widespread deployment.

Experts urge users to avoid downloading files from unfamiliar AI platforms, verify tool authenticity, and use comprehensive cybersecurity solutions to guard against such layered threats.

Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.

News Source: cybersecuritynews.com