
Infostealer Targets Users Through Fake AI Video Sites

Artificial Intelligence & Machine Learning, Cybercrime, Fraud Management & Cybercrime

Noodlophile Steals Credentials and Cryptocurrency Wallets Under AI Video Guise

Rashmi Ramesh (Rashmiramesh_) • May 12, 2025

Image: Shutterstock

Hackers are tricking users into downloading an infostealer by getting them to click links that claim to generate AI-created videos.


The campaign uses sham AI video generation platforms to distribute the Noodlophile Stealer, previously undocumented malware that harvests browser credentials, session cookies, cryptocurrency wallets and sensitive documents, researchers from Morphisec found.

The campaign's use of AI as a social engineering lure makes it unique, the researchers said. "Unlike older malware campaigns disguised as pirated software or game cheats, this operation targets a newer, more trusting audience: creators and small businesses exploring AI for productivity," they said.

The attackers create websites with names such as "Dream Machine" and "Video Dream AI", which they advertise in high-visibility Facebook groups, with some posts drawing over 60,000 views. Visitors are asked to upload images or videos to be transformed into AI-generated videos. Instead of returning the promised media file, the sites deliver a zip archive containing a misleadingly named executable, video dream machineai.mp4.exe, and a hidden folder of supporting components.

Morphisec said the executable is signed with a certificate generated using Winauth. "Despite its misleading name [suggesting an .mp4 video], this binary is actually a repurposed version of CapCut, a legitimate video editing tool. The deceptive name and the certificate help it avoid suspicion from users and some security solutions," the researchers said.

Running the binary launches a .NET loader embedded within CapCut.exe, which renames and executes a disguised batch script originally carrying a .docx extension. The script uses the legitimate Windows utility certutil.exe to decode a base64-encoded, password-protected RAR archive posing as a document. A Python-based payload named Srchost.exe is then executed.

The final stage fetches a remote script, randomuser2025.txt, which loads Noodlophile Stealer entirely in memory. If Avast antivirus is detected, it runs the stealer through regAsm.exe; otherwise it uses shellcode injection. Stolen data is exfiltrated through a Telegram bot, giving attackers real-time access to harvested credentials, cookies, tokens and wallet artifacts.
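As an added defensive example, not from the article or from Morphisec, the Python check below inspects a downloaded zip archive for the delivery pattern described above: a media-named member that actually carries an executable extension, and members flagged with the DOS hidden attribute. The archive it builds is constructed for the example and contains only placeholder bytes; the extension lists are assumptions, not from the report.

```python
import io
import zipfile

# Extensions Windows executes on double-click (constructed list for this check).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi"}
# Extensions a victim expects for the promised video or image.
MEDIA_EXTS = {"mp4", "mov", "avi", "mkv", "jpg", "jpeg", "png", "gif"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" bit in the low byte of ZipInfo.external_attr


def inspect_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for archive members matching the lure:
    a media-named file that is really an executable, plus hidden members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rstrip("/").rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in MEDIA_EXTS:
                findings.append((info.filename, "media name with executable extension"))
            elif len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable where a media file was promised"))
            # The DOS attribute byte is only meaningful for archives built on Windows
            # (create_system == 0); other creators leave it zero.
            if info.create_system == 0 and info.external_attr & DOS_HIDDEN:
                findings.append((info.filename, "hidden attribute set"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the described download; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("video dream machineai.mp4.exe", b"MZ placeholder, not a real binary")
        hidden_dir = zipfile.ZipInfo("support/")
        hidden_dir.create_system = 0                  # pretend it was zipped on Windows
        hidden_dir.external_attr = 0x10 | DOS_HIDDEN  # directory + hidden
        zf.writestr(hidden_dir, b"")
        # Helper disguised with a document extension, as the report describes (constructed).
        zf.writestr("support/notes.docx", b"placeholder")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_archive()):
        print(f"{name}: {reason}")
```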

Open-source investigation links Noodlophile to Vietnamese-speaking dark web forums, where it is offered as part of a malware-as-a-service package, often bundled with "Get Cookie + Pass" account takeover services. The operators promote and support these fake AI platforms through social media profiles tied to the same handles.
