
Warning: fake AI video generation platforms drop stealer malware on users' computers

As artificial intelligence (AI) tools gain mainstream traction for content creation, cybercriminals are riding the hype with a new, well-developed attack vector: fake AI platforms that promise advanced video and image processing features.

These fraudulent websites, amplified by viral social media campaigns and Facebook groups with tens of thousands of views, lure users into uploading personal media, only to deliver a previously undocumented malware strain tracked as Noodlophile Stealer.

This malicious payload steals browser credentials, cryptocurrency wallets and other sensitive data, and in many cases also delivers the remote access trojan (RAT) XWorm for deeper control of the system.



The lure: fake AI platforms

According to a Morphisec report shared exclusively with Cyber Security News, the campaign exploits public enthusiasm for AI-driven tools, targeting creators and small businesses that are exploring these technologies for productivity gains.

Unlike conventional phishing or pirated-software lures, the attackers build convincing websites that imitate legitimate AI services, for example video generation platforms.

Social media posts, especially on Facebook, drive traffic to these websites. A single post alone reached over 62,000 views.

Users are prompted to upload images or videos for processing. Instead, they are asked to download a malicious file disguised as the "processed" output.

The downloaded file, typically a ZIP archive named Video Dream AI.zip, contains an executable misleadingly titled Video Dream MachineAI.mp4.exe.

The file is disguised as a video, but is in fact a 32-bit C++ application that impersonates a legitimate video editing tool (CapCut, version 445.0) and is signed with a fraudulent certificate to evade detection. On execution it starts a multi-stage infection chain that deploys Noodlophile Stealer and, in some cases, XWorm.

Fake website posing as a video editing platform.

Noodlophile Stealer

Noodlophile Stealer is a previously undocumented infostealer that combines browser credential theft, cryptocurrency wallet exfiltration and optional RAT deployment.

Its modular design and obfuscated delivery make it a notable addition to the malware ecosystem. The malware sends stolen data through a Telegram bot, which allows covert exfiltration.

Open-source intelligence (OSINT) investigations found Noodlophile offered on cybercrime marketplaces as part of malware-as-a-service (MaaS) schemes, alongside tools for account takeover and credential theft.

The developer, probably Vietnamese based on language indicators and social media profiles, actively promotes the malware in related Facebook groups.

The attack chain

The infection begins when users interact with a fake AI website, upload their media and download the malicious ZIP. Inside, a hidden folder (5.0.0.1886) contains the key components:

Noodlophile Stealer beacon
  • CapCut.exe: A 140 MB C++ binary that embeds a .NET runtime wrapper to load malicious .NET code in memory, evading static scanners. It contains 275 embedded PE files, mostly .NET assemblies, for modular obfuscation.
  • AICore.dll: A helper DLL with a single active export (cmdhelper) for executing external commands.
  • Document.pdf: A Base64-encoded, password-protected RAR archive disguised as a PDF, containing CPython components.
  • Document.docx: A batch file masquerading as a Word document, encoded with FF FE markers (a UTF-16 byte-order mark) to hinder analysis. Renamed to install.bat, it orchestrates the infection.
  • meta: A WinRAR utility, renamed to Pictures.exe, used to extract the RAR archive.

The infection is as follows:

  1. CapCut.exe starts and invokes the embedded .NET logic to call CapCutLoader.
  2. CapCutLoader checks connectivity by pinging Google.com and renames the disguised files (Document.docx to install.bat, meta to Pictures.exe).
  3. install.bat decodes Document.pdf into a RAR archive using certutil.exe, extracts it with a hard-coded password (Tongduckiemdeveloper2025) and establishes persistence through the Windows Registry.
  4. A Python payload (srchost.exe), fetched from a remote server, deploys Noodlophile Stealer and XWorm.
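The components and steps above all rely on files that are not what their names claim: a media name hiding an executable suffix, a "PDF" that is Base64 text, a "Word document" that is a UTF-16 batch file, and an extensionless PE. The triage script below, added here as an example and not part of Morphisec's or the article's analysis tooling, checks a downloaded archive for exactly those mismatches. The ZIP it inspects is constructed in memory with synthetic stand-in contents; only the file names mirror the indicators quoted above.

```python
"""Static triage of a suspicious download: flag name/content mismatches.

Added example, not code from the article or from Morphisec. The archive is
built in memory from synthetic stand-ins so the script runs offline.
"""
import base64
import io
import zipfile

# Magic bytes for the formats that matter in this infection chain.
PE_MAGIC = b"MZ"
RAR_MAGIC = b"Rar!\x1a\x07"
UTF16LE_BOM = b"\xff\xfe"
PDF_MAGIC = b"%PDF"
ZIP_MAGIC = b"PK\x03\x04"  # a genuine .docx is an OOXML zip container

# Extensions a victim would read as harmless media or documents.
DECOY_EXTENSIONS = (".mp4", ".mp3", ".jpg", ".png", ".pdf", ".docx")


def build_sample_archive() -> bytes:
    """Construct a synthetic ZIP whose entries mirror the article's indicators."""
    fake_rar = base64.b64encode(RAR_MAGIC + b"synthetic archive body")
    # UTF-16 LE batch script: BOM first, then the script text.
    fake_bat = UTF16LE_BOM + (
        "@echo off\r\ncertutil -decode Document.pdf x.rar\r\n".encode("utf-16-le")
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", PE_MAGIC + b"\x90" * 64)
        zf.writestr("5.0.0.1886/Document.pdf", fake_rar)
        zf.writestr("5.0.0.1886/Document.docx", fake_bat)
        zf.writestr("5.0.0.1886/CapCut.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("5.0.0.1886/meta", PE_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"hello")  # benign control entry
    return buf.getvalue()


def findings_for_entry(name: str, content: bytes) -> list[str]:
    """Return a list of indicator strings for one archive entry (empty if clean)."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # 1. Media-looking name with an executable suffix ("x.mp4.exe").
    if ext == ".exe" and len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        findings.append("double extension: media name, executable suffix")

    # 2. Claimed PDF without a PDF header; peel the certutil-style Base64 layer.
    if ext == ".pdf" and not content.startswith(PDF_MAGIC):
        findings.append("no %PDF header")
        try:
            decoded = base64.b64decode(content, validate=True)
        except ValueError:
            decoded = b""
        if decoded.startswith(RAR_MAGIC):
            findings.append("base64-encoded RAR archive disguised as PDF")

    # 3. Claimed Word document that is not an OOXML zip.
    if ext == ".docx" and not content.startswith(ZIP_MAGIC):
        findings.append("not OOXML")
        if content.startswith(UTF16LE_BOM):
            text = content[2:].decode("utf-16-le", errors="replace").lower()
            if "@echo" in text or "certutil" in text:
                findings.append("UTF-16 batch script disguised as .docx")

    # 4. PE image hiding behind a non-executable (or missing) extension.
    if content.startswith(PE_MAGIC) and ext not in (".exe", ".dll"):
        findings.append("PE image without executable extension")
    return findings


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = findings_for_entry(info.filename, zf.read(info))
            if found:
                report[info.filename] = found
    return report


if __name__ == "__main__":
    for entry, found in triage_zip(build_sample_archive()).items():
        print(entry, "->", "; ".join(found))
```

The checks are deliberately content-based: an extension can be renamed, but a RAR archive still starts with `Rar!`, a PE still starts with `MZ`, and a UTF-16 batch file still carries its byte-order mark. Reading magic bytes rather than trusting names is what exposes every component in the folder listing above.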

The final payload comprises a Noodlophile Stealer variant for credential theft and a Python-based XWorm loader with two deployment methods: in-memory shellcode injection, or PE hollowing into RegAsm.exe to avoid detection.

The campaign employs advanced obfuscation, including Base85 decoding, zlib decompression and Python's marshal module, to execute payloads in memory and avoid leaving artifacts on disk.

A Python script (randomuser2025.txt) contains 10,000 redundant routines to break automated analysis tools. The use of legitimate tools such as certutil.exe and RegAsm.exe further complicates detection.

This campaign shows the growing sophistication of cybercriminals in exploiting new technologies. By trading on trust in AI, the attackers reach a broader and less skeptical audience.

The emergence of Noodlophile Stealer underlines how the malware landscape is evolving, with MaaS models enabling rapid distribution.

Users are urged to verify the legitimacy of AI platforms, avoid downloading files from untrusted sources and use robust security solutions capable of detecting multi-stage threats.
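A loader built from Base85, zlib and marshal typically ends in `exec(marshal.loads(zlib.decompress(base64.b85decode(blob))))`, so the plaintext stage only ever exists in memory. An analyst does not have to run it to see what it does: the same three layers can be peeled statically and the resulting code object inspected for names and string constants. The script below, added here as an example and not the malware's code, builds such a wrapped stage from a benign constructed snippet (the Telegram URL fragment stands in for the kind of string an exfiltration stage carries) and then unwraps and inspects it without executing anything.

```python
"""Statically unwrap a Base85 -> zlib -> marshal stage without executing it.

Added example, not code from the article or the malware. The wrapped stage
is constructed inline from a benign snippet so the script runs offline.
"""
import base64
import dis
import marshal
import types
import zlib

# Constructed stand-in for an inner stage; in a real sample the source would
# be unknown and only the wrapped blob would be available.
INNER_SOURCE = (
    "import os\n"
    "token = os.environ.get('TG_BOT_TOKEN')\n"
    "url = 'https://api.telegram.org/bot' + str(token) + '/sendDocument'\n"
)


def wrap_stage(source: str) -> str:
    """Produce a blob in the loader's format: marshal -> zlib -> Base85."""
    code = compile(source, "<stage>", "exec")
    return base64.b85encode(zlib.compress(marshal.dumps(code))).decode("ascii")


def unwrap_stage(blob: str, max_size: int = 50 * 1024 * 1024) -> types.CodeType:
    """Reverse the three layers and return the code object, never exec() it.

    Caveats: the zlib layer is bounded to resist decompression bombs, and
    marshal is interpreter-version specific, so a blob from a sample must be
    unwrapped with the same CPython major.minor the loader bundled (the
    article notes the dropper ships its own CPython components).
    """
    decompressor = zlib.decompressobj()
    raw = decompressor.decompress(base64.b85decode(blob), max_size)
    if decompressor.unconsumed_tail:
        raise ValueError("stage exceeds size limit")
    obj = marshal.loads(raw)
    if not isinstance(obj, types.CodeType):
        raise TypeError(f"unexpected marshalled object: {type(obj).__name__}")
    return obj


def extract_indicators(code: types.CodeType) -> dict[str, list[str]]:
    """Collect global names and string constants from a code object and its children."""
    names: set[str] = set()
    strings: set[str] = set()
    stack = [code]
    while stack:
        current = stack.pop()
        names.update(current.co_names)
        for const in current.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)  # nested functions/classes carry their own constants
            elif isinstance(const, str) and len(const) > 3:
                strings.add(const)
    return {"names": sorted(names), "strings": sorted(strings)}


def disassemble(code: types.CodeType) -> str:
    """Human-readable bytecode listing for manual review."""
    return dis.Bytecode(code).dis()


if __name__ == "__main__":
    blob = wrap_stage(INNER_SOURCE)
    stage = unwrap_stage(blob)
    indicators = extract_indicators(stage)
    print("names:", ", ".join(indicators["names"]))
    print("strings:", ", ".join(indicators["strings"]))
    print(disassemble(stage))
```

Because `marshal.loads` deserializes raw bytecode, the returned object is inert until something calls `exec` on it; keeping that call out of the tool is what makes the unwrapping safe. Nested code objects are walked because loaders often hide the interesting strings one function deep.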

