Cybercriminals are exploiting the AI content-creation trend by promoting fake AI platforms on social media that deliver malware instead of the promised content. The newly identified Noodlophile Stealer harvests browser credentials and cryptocurrency wallets, and the same infection chain drops a remote access trojan, all delivered through downloads disguised as AI output. (Affected: individual users, content creators, small businesses)
Key points :
- Fake AI platforms lure users to upload images or videos, promising AI-generated content.
- Users unknowingly download malware packaged as AI output, primarily the new Noodlophile Stealer.
- Noodlophile Stealer harvests browser credentials, cryptocurrency wallets, and sensitive data.
- Attackers also deploy the XWorm remote access trojan to gain deeper, interactive control of infected systems.
- The malware communicates with attackers via Telegram bots for covert data exfiltration.
- Infection involves a multi-stage process with disguised files and heavy obfuscation techniques.
- The main executable masquerades as legitimate video editing software (CapCut) to evade detection.
- The attack maintains persistence via registry Run keys and uses LOLBins such as certutil.exe to decode staged payloads.
- The loader decodes and executes its Python-based payload entirely in memory, so no second-stage script is written to disk for file scanners to inspect.
- The threat targets creators and small business users exploring AI tools, exploiting trust in emerging technologies.
MITRE Techniques :
- Phishing (T1566) – Fake AI content-creation platforms, promoted on social media, lure victims into downloading the "generated" result.
- User Execution: Malicious File (T1204.002) – Victims themselves download and open an executable disguised as AI-generated video; no browser exploit is involved, so this is user execution rather than drive-by compromise.
- Deobfuscate/Decode Files or Information (T1140) – certutil.exe, a LOLBin, decodes the staged payload.
- Command and Scripting Interpreter (T1059) – PowerShell (T1059.001) and batch scripts (T1059.003) orchestrate the infection, and the final payload runs as Python (T1059.006).
- Masquerading (T1036) – Executables named to resemble video files, using a double extension padded with whitespace so the real .exe suffix is pushed out of view (T1036.007), and a main binary posing as CapCut (T1036.005).
- Process Injection: Process Hollowing (T1055.012) – PE hollowing injects the payload into a RegAsm.exe process.
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003) and Steal Web Session Cookie (T1539) – Noodlophile Stealer harvests saved browser logins and cookies.
- Remote Access Software (T1219) – Deployment of the XWorm backdoor for interactive control of the host.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – Persistence by registering a script launcher under a Run key.
- Web Service: Bidirectional Communication (T1102.002) and Exfiltration Over Web Service (T1567) – A Telegram bot serves as the C2 channel and receives the stolen data.
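The behaviours above are easier to hunt for once they are written down as concrete checks. The Python triage helper below is an added example, not code from the Morphisec write-up or from the campaign: it runs simple matchers for the whitespace-padded video-lookalike filenames, certutil decoding, Run-key persistence, RegAsm.exe started from an unexpected parent, and Telegram Bot API traffic over constructed Sysmon-style events. The event field names, the RegAsm parent allowlist and the sample events are this example's assumptions, not indicators from the report.

```python
import re

# Matchers for each observable behaviour in the summary. Thresholds, field
# names and the parent allowlist are assumptions made for this example.
MASQUERADE_RE = re.compile(r"\.(?:mp4|mov|avi|mkv)\s{2,}\.(?:exe|scr|bat|cmd|com)$", re.I)
CERTUTIL_DECODE_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode\b", re.I)
RUNKEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/", re.I)
REGASM_RE = re.compile(r"(?:^|\\)regasm\.exe$", re.I)
# Parents that legitimately spawn RegAsm.exe (build/install tooling); anything
# else, such as a "video editor" dropped in %TEMP%, deserves a look.
REGASM_OK_PARENTS = {"msbuild.exe", "devenv.exe", "installutil.exe"}


def triage_event(ev):
    """Return a list of (technique_id, reason) hits for one event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "file":
        if MASQUERADE_RE.search(ev.get("path", "")):
            hits.append(("T1036", "video-like name padded with whitespace before executable extension"))
    elif kind == "process":
        cmd = ev.get("cmdline", "")
        if CERTUTIL_DECODE_RE.search(cmd):
            hits.append(("T1140", "certutil -decode used to unpack a staged payload"))
        image = ev.get("image", "")
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        if REGASM_RE.search(image) and parent not in REGASM_OK_PARENTS:
            hits.append(("T1055.012", f"RegAsm.exe started by unexpected parent {parent}"))
    elif kind == "registry":
        if RUNKEY_RE.search(ev.get("target", "")):
            hits.append(("T1547.001", "value written under a Run key"))
    elif kind == "network":
        if TELEGRAM_BOT_RE.search(ev.get("url", "")):
            hits.append(("T1102.002", "Telegram Bot API contacted from " + ev.get("image", "?")))
    return hits


def triage(events):
    """Run every event through triage_event and collect hits in event order."""
    results = []
    for ev in events:
        results.extend(triage_event(ev))
    return results


# Constructed sample telemetry (not real IoCs from the report).
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\u\Downloads\Video Dream MachineAI.mp4            .exe"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode stage2.txt payload.zip",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe", "parent": r"C:\Users\u\AppData\Local\Temp\CapCut.exe"},
    {"type": "network", "image": "RegAsm.exe",
     "url": "https://api.telegram.org/bot123456:AAEXAMPLETOKEN/sendDocument"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for tid, why in triage(SAMPLE_EVENTS):
        print(tid, why)
```

None of these matchers is a reliable indicator on its own; certutil -decode and Run-key writes both have legitimate uses. What makes the chain stand out is several of them occurring on one host within minutes, so correlate the hits per host rather than alerting on each.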
Indicators of Compromise :
- Download URLs for the malicious ZIP archives, such as VideoLumaAI.zip, hosted on the fake AI service domains (listed in full in the linked article).
- IP addresses (85.209.87[.]207, 160.25.232[.]62) used for hosting payloads and scripts.
- Telegram Bot API tokens and chat IDs embedded in the malware, which identify its covert command-and-control channel.
- File hashes for the malicious archives (e.g. VideoDreamAI.zip), executables, and disguised script files (e.g. Document.docx), which allow signature-based detection.
- The in-memory Python payloads can be recognised statically by their unwrapping routine, which base85-decodes and zlib-decompresses the next stage before executing it.
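That last point suggests a static approach to the loader: instead of running the script to see what it does, peel the base85/zlib layers off without ever calling exec(). The Python below is an added example, not code from the article or from the malware; the exact `exec(zlib.decompress(base64.b85decode(...)))` layout it matches, and the harmless sample loader it builds for itself, are assumptions about what such a wrapper looks like.

```python
import base64
import re
import zlib

# Shape of one wrapper layer: exec(zlib.decompress(base64.b85decode(b'...'))).
# This exact layout is an assumption for the example, not a signature from the
# report. Python's base85 alphabet contains no quote characters, so a
# non-greedy match up to the closing quote captures the whole blob.
WRAPPER_RE = re.compile(
    r"""exec\s*\(\s*zlib\.decompress\s*\(\s*base64\.b85decode\s*\(\s*b(['"])(.*?)\1\s*\)\s*\)\s*\)""",
    re.S,
)


def looks_like_loader(src: str) -> bool:
    """Cheap triage heuristic: all three building blocks present in one script."""
    return all(tok in src for tok in ("b85decode", "zlib.decompress", "exec("))


def peel_layers(src: str, max_layers: int = 16):
    """Statically unwrap nested base85+zlib exec() layers without running them.

    Returns (layers, final): every intermediate script text plus the innermost
    one, which is what exec() would ultimately have run.
    """
    layers = [src]
    for _ in range(max_layers):
        m = WRAPPER_RE.search(layers[-1])
        if not m:
            break
        try:
            inner = zlib.decompress(base64.b85decode(m.group(2)))
        except (ValueError, zlib.error):
            break  # corrupt or truncated blob: stop rather than guess
        layers.append(inner.decode("utf-8", "replace"))
    return layers, layers[-1]


def wrap_once(src: str) -> str:
    """Build one wrapper layer the way such a loader would. Used here only to
    construct the sample below; a real sample would come from the victim host."""
    blob = base64.b85encode(zlib.compress(src.encode())).decode("ascii")
    return f"import base64, zlib\nexec(zlib.decompress(base64.b85decode(b'{blob}')))\n"


# Constructed sample: a harmless final stage wrapped three times.
FINAL_STAGE = 'print("final stage would run here")\n'
SAMPLE_LOADER = wrap_once(wrap_once(wrap_once(FINAL_STAGE)))

if __name__ == "__main__":
    layers, final = peel_layers(SAMPLE_LOADER)
    print(f"loader heuristic: {looks_like_loader(SAMPLE_LOADER)}")
    print(f"peeled {len(layers) - 1} layers; final stage:\n{final}")
```

Because all decoding happens outside exec(), the script is safe to point at a suspect sample, and the max_layers cap stops it from looping on a wrapper that keeps yielding another wrapper. Real loaders vary the call layout and mix in other encodings, so treat WRAPPER_RE as a starting pattern to extend from the sample in hand, not a finished signature.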
Read more: https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/