New Infostealer and RAT Campaign Exfiltrates Sensitive Data via Fake AI Tools Lure

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Attackers are using fake AI-powered platforms to lure unsuspecting users, delivering ransomware and data-stealing malware in the process. This social engineering strategy targets creators and small businesses eager to integrate AI into their workflows. 

Noodlophile Stealer has not been documented in public malware databases before, indicating it is a novel and highly specialized threat in the malware ecosystem. Particularly concerning is the malware's ability to harvest browser credentials, steal cryptocurrency wallets, and facilitate remote access, the latest Morphisec security report says.

The campaign gains traction through widespread social media posts and groups, including Facebook, where attackers promote fraudulent AI tools with enticing promises of free, advanced video and image editing capabilities.  

Cybercriminals use an AI tool lure | Source: Morphisec

Once users upload images or videos to these fake AI platforms, they receive a download link for their "processed content." The link delivers a malicious ZIP file containing an executable designed to install the Noodlophile Stealer on the victim's machine.

Noodlophile attack chain | Source: Morphisec

Noodlophile's payload not only integrates credential-stealing capabilities but also optionally deploys remote access trojans (RATs) such as XWorm, extending the attackers' control over infected systems.

Victims are redirected to fraudulent websites that mimic legitimate platforms offering free AI-driven services. The fake platform generates a ZIP archive (e.g., VideoDreamAI.zip) containing a malicious executable disguised as a video file (Video Dream MachineAI.mp4.exe), a double extension that reads as a .mp4 when Windows hides known file extensions.

Executing this file starts the malware delivery chain, using obfuscated components such as CapCut.exe and auxiliary modules (AICore.dll). These files work together to extract secondary payloads hidden inside encoded archives disguised as documents (Document.pdf).

The malware harvests sensitive data, including browser cookies, session tokens, and cryptocurrency wallet information. If deployed, the XWorm trojan establishes RAT functionality, providing attackers with persistent access to compromised systems.  

Malicious files are disguised to appear harmless (e.g., as video editing software) and signed using legitimate-seeming certificates. 

Payloads are executed entirely in memory, evading traditional disk-based detection mechanisms, while the campaign employs bulk, non-semantic code obfuscation and Base64-encoded archives to delay detection and complicate analysis. 
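The disguises described above (a media-named executable, a "PDF" that is really a Base64-encoded archive) are cheap to check for before anything is opened. The following triage script is an added example written for this article, not code from Morphisec or from the campaign; it inspects the entries of an extracted archive for double extensions, for content whose magic bytes contradict its declared extension, and for Base64 text that decodes to a ZIP or PE header. The file names are those reported in the article; the file contents are constructed placeholders.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Extensions that Windows will execute on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                   ".js", ".vbs", ".ps1", ".msi", ".lnk"}
# Extensions a lure uses as the inner, "harmless" part of a double extension.
DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".jpeg", ".png",
              ".gif", ".pdf", ".docx", ".xlsx"}
# Expected magic bytes (offset, signature) for extensions we know how to check.
MAGIC = {
    ".pdf": [(0, b"%PDF-")],
    ".zip": [(0, b"PK\x03\x04")],
    ".exe": [(0, b"MZ")],
    ".dll": [(0, b"MZ")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".mp4": [(4, b"ftyp")],
}
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

# Constructed sample archive listing: names from the article, contents are placeholders.
SAMPLE_ENTRIES = {
    "Video Dream MachineAI.mp4.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE header stub
    "Document.pdf": base64.b64encode(b"PK\x03\x04" + b"\x00" * 60),  # Base64 of a ZIP header
    "readme.txt": b"Thanks for using our AI video tool!",
}


@dataclass
class Finding:
    path: str
    reason: str


def extensions(name):
    """Return all lower-cased extensions of a file name, e.g. ['.mp4', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_double_extension_lure(name):
    """True when a decoy extension is immediately followed by an executable one."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def magic_mismatch(name, data):
    """Return a reason string if the declared extension has known magic bytes that the content lacks."""
    exts = extensions(name)
    if not exts or exts[-1] not in MAGIC:
        return None
    for offset, sig in MAGIC[exts[-1]]:
        if data[offset:offset + len(sig)] == sig:
            return None
    return f"content of {name!r} does not match {exts[-1]} magic bytes"


def base64_wrapped_payload(data, min_len=64):
    """Return 'ZIP' or 'PE' if the bytes are a Base64 blob decoding to that header, else None."""
    stripped = data.strip()
    if len(stripped) < min_len or not B64_RE.match(stripped):
        return None
    try:
        decoded = base64.b64decode(stripped)
    except (ValueError, binascii.Error):
        return None
    for label, sig in (("ZIP", b"PK\x03\x04"), ("PE", b"MZ")):
        if decoded.startswith(sig):
            return label
    return None


def triage_archive(entries):
    """Run all three checks over a {name: bytes} mapping and collect findings."""
    findings = []
    for name, data in entries.items():
        if is_double_extension_lure(name):
            findings.append(Finding(name, "double extension: media name with executable suffix"))
        reason = magic_mismatch(name, data)
        if reason:
            findings.append(Finding(name, reason))
        kind = base64_wrapped_payload(data)
        if kind:
            findings.append(Finding(name, f"Base64-wrapped {kind} payload"))
    return findings


if __name__ == "__main__":
    for f in triage_archive(SAMPLE_ENTRIES):
        print(f"{f.path}: {f.reason}")
```

Run against the constructed listing, the script flags the double-extension executable once and the fake PDF twice (wrong magic, and a Base64 blob that decodes to a ZIP header), while the plain text file passes. The magic-byte check is deliberately conservative: it only reports a mismatch for extensions whose signature it knows, so unknown types produce no noise.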

Noodlophile uses Telegram bots for covert communication, sending stolen data back to its operators.
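Exfiltration through Telegram bots leaves a recognisable trace in egress logs: POST requests to api.telegram.org whose path starts with /bot<token>/ and ends in a file-upload method such as sendDocument, typically from a non-browser user agent. The detector below is an added example for this article, not Morphisec's or the campaign's code; it parses constructed proxy log lines (the format, hosts, client addresses and the bot token are all invented placeholders), aggregates Bot API calls per client, and raises an alert where files are uploaded or the outbound volume is large. It reports only a masked token prefix so the alert itself does not leak the credential.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the report): "ts client method url bytes_out \"user_agent\"".
# The Telegram bot token below is an invented placeholder, not a real token.
PROXY_LOG = """\
2025-05-09T10:01:02Z 10.0.5.21 GET https://www.example.com/ 512 "Mozilla/5.0"
2025-05-09T10:01:09Z 10.0.5.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder_xxxxxxxxxxx/sendDocument 184320 "python-requests/2.31"
2025-05-09T10:01:11Z 10.0.5.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder_xxxxxxxxxxx/sendMessage 742 "python-requests/2.31"
2025-05-09T10:02:30Z 10.0.5.44 GET https://web.telegram.org/a/ 2048 "Mozilla/5.0"
2025-05-09T10:03:00Z 10.0.5.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder_xxxxxxxxxxx/sendDocument 202345 "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')
# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Bot API methods that carry a file body; any of these from a workstation is worth a look.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, nbytes, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "bytes": int(nbytes), "ua": ua}


def bot_api_call(url):
    """Return bot id, a masked token hint and the API method if the URL is a Bot API call."""
    m = BOT_RE.match(url)
    if not m:
        return None
    bot_id, secret, api_method = m.groups()
    return {"bot_id": bot_id, "token_hint": f"{bot_id}:{secret[:4]}...", "api_method": api_method}


def detect_telegram_exfil(log_text, min_bytes_out=100_000):
    """Aggregate Bot API traffic per client and alert on uploads or large outbound volume."""
    per_client = defaultdict(lambda: {"calls": 0, "bytes_out": 0, "uploads": 0,
                                      "tokens": set(), "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        call = bot_api_call(rec["url"])
        if call is None:
            continue  # ordinary traffic, including web.telegram.org browsing
        c = per_client[rec["client"]]
        c["calls"] += 1
        c["bytes_out"] += rec["bytes"]
        c["tokens"].add(call["token_hint"])
        c["agents"].add(rec["ua"])
        if call["api_method"] in UPLOAD_METHODS:
            c["uploads"] += 1
    alerts = []
    for client, c in sorted(per_client.items()):
        if c["uploads"] > 0 or c["bytes_out"] >= min_bytes_out:
            alerts.append({"client": client, "calls": c["calls"], "bytes_out": c["bytes_out"],
                           "uploads": c["uploads"], "tokens": sorted(c["tokens"]),
                           "agents": sorted(c["agents"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_telegram_exfil(PROXY_LOG):
        print(alert)
```

On the constructed log, only 10.0.5.21 is reported: three Bot API calls, two of them sendDocument uploads totalling roughly 387 KB, all under a python-requests user agent. The browser session to web.telegram.org from 10.0.5.44 is not matched, because the detector keys on the Bot API host and path rather than on the Telegram domain as a whole.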
