Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Threat actors use fake AI tools to deliver the information stealer Noodlophile

Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn. Morphisec researchers observed attackers exploiting AI hype to spread malware via fake AI tools promoted in viral posts and Facebook groups. Users seeking free AI video tools unknowingly download Noodlophile Stealer, a new malware that steals browser […]

fake AI tools

Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn.

Morphisec researchers observed attackers exploiting AI hype to spread malware via fake AI tools promoted in viral posts and Facebook groups. Users seeking free AI video tools unknowingly download Noodlophile Stealer, a new malware that steals browser credentials, crypto wallets, and may install remote access trojans like XWorm.

The experts pointed out that Noodlophile Stealer is a previously undocumented malware. Noodlophile is being sold on cybercrime forums as part of malware-as-a-service schemes, often bundled with tools for credential theft. The developer, likely Vietnamese, has been seen actively engaging in related Facebook posts.

Fake AI tools spread via social media and scam websites like “Dream Machine” or “CapCut” bait users into uploading media.

Morphisec observed fake AI tool posts with over 62,000 views per post lure users seeking free video/image editors, but instead deliver malware disguised as AI-generated content.

Victims are tricked into downloading malware such as Noodlophile or XWorm, which steals credentials, crypto wallets, and can grant attackers remote access to infected systems.

Users are tricked into downloading a malicious ZIP (“VideoDreamAI.zip”) after uploading media. It contains a fake video file (“Video Dream MachineAI.mp4.exe”) that launches a legitimate CapCut binary.

“The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth. Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.” reads the report published by the researchers.

“The main objective of this binary is to locate and execute a secondary file, CapCut.exe, from a folder within its current directory. “

This triggers a .NET loader (“CapCutLoader”) which fetches and runs a Python-based malware (“srchost.exe”).

The Python binary deploys Noodlophile Stealer, which extracts browser credentials, crypto wallet data, and sometimes includes XWorm for remote system access.

The report includes Indicators of Compromise (IOCs) for this campaign

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, fake AI tools)