
Fake AI Tools Used to Spread Noodlophile Malware


Cybercriminals are increasingly exploiting the hype around artificial intelligence by using fake AI tools to distribute information-stealing malware. A recent campaign uncovered by cybersecurity firm Morphisec reveals how attackers are luring unsuspecting users with AI-themed websites and viral social media content to deliver a new stealer malware dubbed Noodlophile.

Unlike traditional phishing tactics, this operation stands out for its use of convincing fake AI services—especially tools that claim to offer video editing, image generation, and logo creation powered by advanced AI. These fraudulent platforms are widely promoted through legitimate-looking Facebook groups and viral posts, many of which have attracted tens of thousands of views.

How the Fake AI Tool Scam Works

Victims are first exposed to malicious posts on pages such as Luma Dreammachine AI, Luma Dreammachine, and gratistuslibros. These posts advertise fake services like “AI video editors” or “AI content creators” and redirect users to fraudulent websites posing as trusted tools like CapCut AI.

On these sites, users are encouraged to upload video or image prompts with the promise of receiving AI-generated content in return. However, when users download the output, they receive a ZIP file—“VideoDreamAI.zip”—containing a disguised executable named “Video Dream MachineAI.mp4.exe.”

This executable initiates a multi-stage infection chain:

  1. It runs a legitimate CapCut binary (CapCut.exe).
  2. That binary loads a .NET-based loader called CapCutLoader.
  3. The loader pulls a Python-based payload (srchost.exe) from a remote server.
  4. Finally, the Python script deploys the Noodlophile Stealer, a malware designed to harvest sensitive data.

The stealer targets browser-stored credentials, crypto wallet data, and other personal information. In some cases, the infection also includes XWorm, a remote access trojan that grants attackers long-term control over the system.

Developer Tied to Vietnam’s Cybercrime Ecosystem

The creator behind Noodlophile is believed to be a developer from Vietnam, based on a GitHub account created in March 2025. The account openly describes the individual as a “passionate Malware Developer from Vietnam.” This adds to the growing evidence that Southeast Asia—particularly Vietnam—remains a hub for cybercrime, especially malware targeting social media users and financial data.

This isn’t the first time bad actors have used the popularity of AI to spread malware. In 2023, Meta reported removing over 1,000 malicious URLs that abused the popularity of OpenAI’s ChatGPT to distribute malware. At least 10 malware families were linked to these lures.

The rise in fake AI tools is happening alongside the emergence of other stealer malware. Cybersecurity firm CYFIRMA recently reported a new .NET-based malware dubbed PupkinStealer. While simpler in design, it still poses a serious threat.

PupkinStealer lacks anti-analysis features or persistence tactics, but uses Telegram bots to exfiltrate stolen data quietly. It targets a broad range of files and system information, exemplifying a minimalist yet highly effective form of cyberattack.

These campaigns highlight a disturbing trend: malware delivered through fake AI tools is becoming a go-to strategy for threat actors. By mimicking popular AI products, attackers trick users into downloading malware disguised as productivity tools. The tactic preys on growing public interest in AI, especially among creators, marketers, and developers.

Cybersecurity experts are urging users to stay cautious, especially when downloading AI tools promoted on social media. Verifying the legitimacy of AI platforms and avoiding files with double extensions like .mp4.exe can help reduce the risk of infection.
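The double-extension check above is easy to automate at a mail gateway or download scanner. The following is an added example, not code from Morphisec or the article, that inspects a ZIP archive's member names and flags any file whose real (last) extension is executable while the one before it looks like media or a document, the pattern used by “Video Dream MachineAI.mp4.exe” (Windows hides known extensions by default, so such a file displays as a plain “.mp4”). The archive contents are constructed dummy bytes, and the extension lists are an assumption, not a vendor-maintained set.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions that look harmless to a user (decoys) and
# extensions Windows actually executes on double-click.
DECOY_EXTENSIONS = {".mp4", ".mov", ".avi", ".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}


def is_double_extension_lure(name: str) -> bool:
    """True when the last extension is executable and the one before it is a decoy.

    Case-insensitive; spaces in the file name and directory prefixes are fine.
    """
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTENSIONS and suffixes[-2] in DECOY_EXTENSIONS


def flag_archive_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that use a decoy-then-executable double extension."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if is_double_extension_lure(info.filename):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed stand-in for the VideoDreamAI.zip described in the article (dummy bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Video Dream MachineAI.mp4.exe", b"MZ-not-a-real-binary")
        archive.writestr("readme.txt", b"constructed benign file")
        archive.writestr("preview.mp4", b"constructed media bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for member in flag_archive_members(build_sample_archive()):
        print(f"suspicious double extension: {member}")
```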
