As artificial intelligence (AI) tools gain mainstream traction for content creation, cybercriminals are capitalizing on the hype with a sophisticated new attack vector: fake AI platforms promising advanced video and image editing capabilities. These fraudulent sites, amplified through viral social media campaigns and Facebook groups with tens of thousands of views, lure users into uploading personal media, only to deliver a previously undocumented malware dubbed Noodlophile Stealer.

This malicious payload steals browser credentials, cryptocurrency wallets, and sensitive data, often deploying a remote access trojan (RAT) like XWorm for deeper system control. According to the Morphisec team report exclusively shared with Cyber Security News, the campaign stands out for its exploitation of public enthusiasm for AI-powered tools, targeting creators and small businesses exploring productivity-enhancing technologies.

Noodlophile Stealer is a previously undocumented infostealer, combining browser credential theft, cryptocurrency wallet exfiltration, and optional RAT deployment. Open-source intelligence (OSINT) investigations revealed Noodlophile being offered in cybercrime marketplaces as part of malware-as-a-service (MaaS) schemes, alongside tools for account takeover and credential theft. The developer, likely Vietnamese based on language indicators and social media profiles, actively promotes the malware in related Facebook groups.

The delivered file masquerades as a video but is a 32-bit C++ application, repurposing a legitimate video editing tool (CapCut, version 445.0) and signed with a fraudulent certificate to evade detection. A Python payload (srchost.exe), downloaded from a remote server, deploys Noodlophile Stealer and XWorm. The final payload includes a Noodlophile variant for credential theft and a Python-based XWorm loader with two propagation methods: in-memory shellcode injection or PE hollowing into RegAsm.exe to evade detection.
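The lure described above relies on a file whose name claims to be a video while its bytes are a 32-bit Windows executable. A defender can catch that mismatch before the file is ever opened by checking the content rather than the name. The following Python script is an added example written for this article; it is not code from Morphisec, from the article, or from any analysis of the actual sample. It parses the DOS header, follows the e_lfanew pointer to the PE signature, reads the COFF machine field, and flags any file whose extension chain contains a video extension but whose content is a PE image. The file names and the minimal PE header bytes are constructed for the demonstration.

```python
"""Flag files named like videos whose content is actually a Windows PE image.

Added example for this article, not code from Morphisec or the article.
The sample header built by build_sample_pe32() is constructed and is not
derived from the real dropper.
"""
import struct
from pathlib import Path

# Extensions a lure might use to look like a media file (constructed list).
VIDEO_EXTENSIONS = {".mp4", ".mov", ".avi", ".mkv", ".wmv"}

# COFF machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x86


def pe_machine(data: bytes):
    """Return the COFF machine type if `data` is a PE image, otherwise None.

    Checks the 'MZ' DOS magic, reads e_lfanew at offset 0x3C, and verifies
    the 'PE\\0\\0' signature at that offset before reading the machine field.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature plus the 2-byte machine field.
    if e_lfanew + 6 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def classify_file(name: str, data: bytes) -> str:
    """Describe the relationship between the claimed extension(s) and the content.

    The whole suffix chain is inspected so that a double extension such as
    'clip.mp4.exe' is still treated as a video-looking name.
    """
    machine = pe_machine(data)
    if machine is None:
        return "not a PE image"
    arch = {
        IMAGE_FILE_MACHINE_I386: "32-bit",
        IMAGE_FILE_MACHINE_AMD64: "64-bit",
    }.get(machine, f"machine 0x{machine:04x}")
    suffixes = [s.lower() for s in Path(name).suffixes]
    if any(s in VIDEO_EXTENSIONS for s in suffixes):
        return f"SUSPICIOUS: video-style name but {arch} PE executable"
    return f"{arch} PE executable"


def build_sample_pe32() -> bytes:
    """Construct a minimal PE32 header (DOS stub + signature + COFF header).

    This is not a runnable program; it exists only so the checks above can be
    exercised offline on constructed input.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # Constructed inputs: a video-named PE and a genuine MP4 'ftyp' box prefix.
    print(classify_file("generated_video.mp4", build_sample_pe32()))
    print(classify_file("generated_video.mp4.exe", build_sample_pe32()))
    print(classify_file("real_clip.mp4", b"\x00\x00\x00\x18ftypmp42"))
```

Run it against a download directory by reading each file's first few hundred bytes into `classify_file`; only the header is needed, so the check is cheap enough to apply to every file a user receives from a social media link.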
The introduction of Noodlophile Stealer underscores the evolving malware landscape, with MaaS models enabling rapid proliferation. Users are urged to verify the legitimacy of AI platforms, avoid downloading files from untrusted sources, and employ robust security solutions to detect multi-stage threats.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 10 May 2025 08:55:04 +0000