Noodlophile is a new information stealer malware that targets data stored on web browsers like account credentials, session cookies, tokens, and cryptocurrency wallet files. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers. In some cases, Noodlophile is bundled with XWorm, a remote access trojan, giving the attackers elevated data theft capabilities that go well beyond the passive stealing facilitated by the info-stealer. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Fake AI-powered video generation tools are being used to distribute a new information-stealing malware family called 'Noodlophile,' under the guise of generated media content. Next, the script executes 'srchost.exe,' which runs an obfuscated Python script (randomuser2025.txt) fetched from a hardcoded remote server address, eventually executing the Noodlophile Stealer in memory. According to Morphisec, Noodlophile is being sold on dark web forums, often bundled with "Get Cookie + Pass" services, so it's a new malware-as-a-service operation linked to Vietnamese-speaking operators. "The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec. Stolen data is exfiltrated via a Telegram bot, which serves as a covert command and control (C2) server, giving attackers real-time access to stolen information. Although the use of AI tools to deliver malware isn't a new concept and has been adopted by experienced cybercriminals, the discovery of the latest campaign by Morphisec introduces a new infostealer into the mix. Instead, the ZIP contains a deceptively named executable (Video Dream MachineAI.mp4.exe), and a hidden folder with various files needed for the subsequent stages. Once the victim visits the malicious website and uploads their files, they receive a ZIP archive that is supposed to contain an AI-generated video. Always verify file extensions before opening, and scan all downloaded files on an up-to-date AV tool before executing. "Noodlophile Stealer represents a new addition to the malware ecosystem. The best way to protect from malware is to avoid downloading and executing files from unknown websites.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 10 May 2025 15:45:06 +0000