How AI hype is exploited to spread the Noodlophile malware and steal personal data

Overview
Cybersecurity researchers recently discovered a new attack campaign that uses a malware family called Noodlophile and targets users curious about AI technology, especially AI video creation services.
The attackers build polished fake websites that mimic popular AI video creation platforms and lure users into downloading malicious files under the guise of "free AI tools" or "trial AI video creators".
Once a user downloads and runs one of these fake tools, Noodlophile infiltrates the system, collects sensitive data, records keystrokes (keylogging), and sets up a backdoor that lets the attackers remotely control the machine and maintain access.

Software Information
Malware Name: Noodlophile
Type of Malware: Trojan/Spyware with backdoor and keylogger capabilities
Infection Method: Downloaded from fake websites posing as AI video creation platforms
Main Behavior: Keylogging, stealing browser data, establishing command-and-control (C2), exfiltrating the collected data to the attackers' server
Target: Windows users, especially those interested in AI tools
Campaign Details
The campaign was first reported to start from a fake AI video creation product called VideoDream and follows a sophisticated multi-stage process:
Download from fake websites
Execution of several different payloads
Hiding through renaming, encoding or encrypting, and persistence on the system
Finally, deployment of the final payloads: NodeStealer or XWorm

Users are first lured by the attackers to a fake website offering AI video creation software (e.g., "Video Dream AI"). There they are prompted to download a ZIP file, VideoDreamAI.zip, which is the malicious dropper.

After extracting the ZIP file, the user gets an executable named Video Dream MachineAI.mp4_.exe. The attackers chose the double extension .mp4_.exe so the file passes for a video: with the default Windows setting "Hide extensions for known file types", Explorer shows the name as Video Dream MachineAI.mp4_ and hides the real .exe extension.
The malware starts executing when the user runs Video Dream MachineAI.mp4_.exe. According to the analysts, it performs several actions:
Sets the "system" and "hidden" attributes on its own file so it does not appear in a default Explorer view.
Creates a folder named with a fake version number, 5.0.01886.
Next, the malware executes CapCut.exe, a file that carries the name of the popular video editing software so that users are unlikely to notice or suspect it. When run, it loads AICore.dll, a malicious DLL that supports the intrusion and the following stages. This DLL acts as an intermediate loader that coordinates the next actions.
To keep hiding, CapCut.exe is renamed to images.exe for use in the later stages of the campaign. Then a file with decoy content, Document.docx, is renamed to a batch script (install.bat) to prepare for the next stage: decoding and deploying the payload.
The attackers then abuse the legitimate Windows tool certutil (certutil -decode) to Base64-decode a file disguised as a PDF; the decoded output is the archive ppluqewlq.rar. (certutil performs no compression; the "PDF" is simply the Base64-encoded archive.)

The attackers then use images.exe from the command line to extract ppluqewlq.rar into the folder %LOCALAPPDATA%\SoftwareHost.

The chain ends with the execution of srchost.exe (a name that resembles the legitimate svchost.exe), a payload loader written in Python that injects the Noodlophile stealer (and optionally XWorm) directly into memory, so the final payload runs without being written to disk as a separate file. The payload is downloaded from the IP address 85.209.87.207.
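The chain described above leaves a handful of artefacts that can be hunted for in endpoint telemetry. The following Python script is an added example, not code from the original analysis: it runs simple rules for those artefacts (the double-extension lure name, certutil -decode, the %LOCALAPPDATA%\SoftwareHost staging folder, the renamed images.exe/srchost.exe binaries, AICore.dll being loaded from a user-writable folder, and the download address) over a few constructed, Sysmon-style event records. The field names follow Sysmon; the user profile paths, the location of the 5.0.01886 folder and the "Document.pdf" input name are assumptions.

```python
"""Hunt rules for the Noodlophile delivery chain over Sysmon-style events.

Added example, not code from the original report. SAMPLE_EVENTS are
constructed records shaped like flattened Sysmon events (ID 1 process
create, ID 3 network connect, ID 7 image load). Field names follow Sysmon;
the user profile paths, the location of the 5.0.01886 folder and the
"Document.pdf" file name are assumptions.
"""
from __future__ import annotations

import re

# Artefacts named in the analysis: lure file name, certutil decode, the
# %LOCALAPPDATA%\SoftwareHost staging folder, renamed stage binaries, the
# side-loaded AICore.dll and the payload download address.
DOUBLE_EXT = re.compile(
    r"\.(?:mp4|mp3|avi|mov|pdf|docx?|xlsx?|jpe?g|png)_?\.(?:exe|scr|bat|cmd)$", re.I)
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\b.*?\s-(?:decode|decodehex)\b", re.I)
STAGING_DIR = re.compile(r"\\AppData\\Local\\SoftwareHost\\", re.I)
RENAMED_STAGE_BINARIES = {"images.exe", "srchost.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DOWNLOAD_IPS = {"85.209.87.207"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _trusted_path(path: str) -> bool:
    """True for locations a normal user cannot write to (crude but useful)."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips; an empty list is benign."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    loaded = event.get("ImageLoaded", "")
    name = _basename(image)
    hits = []
    if DOUBLE_EXT.search(name):
        hits.append("double-extension lure")
    if name == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        hits.append("certutil decode (T1140)")
    if STAGING_DIR.search(image) or STAGING_DIR.search(cmd):
        hits.append("SoftwareHost staging dir")
    if name in RENAMED_STAGE_BINARIES and not _trusted_path(image):
        hits.append("renamed stage binary")
    if _basename(loaded) == "aicore.dll" and not _trusted_path(loaded):
        hits.append("AICore.dll loaded from user-writable path")
    if event.get("DestinationIp") in DOWNLOAD_IPS:
        hits.append("payload download address")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Classify every event and keep only those with at least one hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"EventID": 1,
     "Image": r"C:\Users\victim\Downloads\VideoDreamAI\Video Dream MachineAI.mp4_.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\VideoDreamAI\Video Dream MachineAI.mp4_.exe"'},
    {"EventID": 7,
     "Image": r"C:\Users\victim\AppData\Local\5.0.01886\CapCut.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\5.0.01886\AICore.dll"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -decode Document.pdf ppluqewlq.rar"},
    {"EventID": 1,
     "Image": r"C:\Users\victim\AppData\Local\SoftwareHost\srchost.exe",
     "CommandLine": "srchost.exe"},
    {"EventID": 3,
     "Image": r"C:\Users\victim\AppData\Local\SoftwareHost\srchost.exe",
     "DestinationIp": "85.209.87.207", "DestinationPort": 80},
    {"EventID": 1,  # benign: certutil doing its normal job
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify user.cer"},
    {"EventID": 1,  # benign: a CapCut install under Program Files
     "Image": r"C:\Program Files\CapCut\CapCut.exe",
     "CommandLine": r'"C:\Program Files\CapCut\CapCut.exe"'},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The two benign records are there on purpose: certutil is used legitimately all day for certificate work, so the rule keys on the -decode switch rather than on the binary, and a CapCut installed under Program Files does not trip the AICore.dll rule because that rule requires the DLL to come from a user-writable path.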


Conclusion
The Noodlophile campaign is a sophisticated multi-stage attack that combines evasion techniques, cleverly disguised files, and legitimate Windows tools. Its main goal is to steal sensitive data and remotely control the victim's machine using the NodeStealer or XWorm malware.
Stay vigilant, keep security systems updated, and raise awareness internally to protect your organization.
Recommendations
Identify risks and raise awareness
Do not trust websites promising free or "miraculous" AI unless verified by reputable sources.
Do not download software from links shared via email, social media, Discord, Telegram, etc. when the source is unclear.
Research thoroughly before using new AI tools – check the company name, community feedback, and reliable review sites.
Safe software downloading
Only download software from official websites, and verify the exact domain name; a valid HTTPS certificate (the padlock) only proves the connection is encrypted, not that the site is legitimate, since a lookalike site can obtain one just as easily.
Use a service such as VirusTotal.com to check a downloaded file (or its SHA-256 hash, if the file may contain sensitive data) before running it.
Do not disable Windows Defender or the firewall when installing unclear software.
Personal technical measures
Install and update strong antivirus software (Kaspersky, Bitdefender, ESET, Windows Defender, etc.).
Use virtual machines (VMware, VirtualBox) to test untrusted software.
Keep your browser's built-in phishing and malware warnings enabled (Google Safe Browsing in Chrome and Firefox, Microsoft SmartScreen in Edge) so you are warned before a suspicious site loads.
IOC
Domain & URL
IP
149.154.167[.]220
103.232.54[.]13:25902
Telegram
7882816556:AAEEosBLhRZ8Op2ZRmBF1RD7DkJIyfk47Ds
7038014142:AAHF3pvRRgAVY5vP4SU6B2YES4BH1LEhtNo
Chat IDs
4583668048, 4685307641, 4788503251
1002565449208, 1002633555617
File Hashes
5c98553c45c9e86bf161c7b5060bd40ba5f4f11d5672ce36cd2f30e8c7016424
67779bf7a2fa8838793b31a886125e157f4659cda9f2a491d9a7acb4defbfdf5
11c873cee11fd1d183351c9cdf233cf9b29e28f5e71267c2cb1f373a564c6a73
32174d8ab67ab0d9a8f82b58ccd13ff7bc44795cca146e61278c60a362cd9e15
86d6dd979f6c318b42e01849a4a498a6aaeaaaf3d9a97708f09e6d38ce875daa
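The IOC list above mixes defanged and plain IP addresses and upper- and lower-case hashes, which is a common source of missed matches when the values are pasted into a blocklist. The following Python helper is an added example, not the report's own tooling: it refangs and normalises the listed values, then checks a file's SHA-256, a bare hash, or a URL against them. It also serves the "scan downloaded files before running them" recommendation above. The IOC values are the ones published on this page; the sample file bytes and the URLs checked at the bottom are constructed so the script runs offline.

```python
"""Normalise this write-up's IOCs and check files, hashes and URLs against them.

Added example, not the report's own tooling. IOC_TEXT copies the values
listed above (mixed defanging and hash case, as published). The sample file
bytes and URLs used below are constructed so the script runs offline.
"""
from __future__ import annotations

import hashlib
import re

IOC_TEXT = """
149.154.167.220
103.232.54[.]13:25902
85.209.87.207
7882816556:AAEEosBLhRZ8Op2ZRmBF1RD7DkJIyfk47Ds
7038014142:AAHF3pvRRgAVY5vP4SU6B2YES4BH1LEhtNo
5c98553c45c9e86bf161c7b5060bd40ba5f4f11d5672ce36cd2f30e8c7016424
67779bf7a2fa8838793b31a886125e157f4659cda9f2a491d9a7acb4defbfdf5
11C873CEE11FD1D183351C9CDF233CF9B29E28F5E71267C2CB1F373A564C6A73
32174d8ab67ab0d9a8f82b58ccd13ff7bc44795cca146e61278c60a362cd9e15
86d6dd979f6c318b42e01849a4a498a6aaeaaaf3d9a97708f09e6d38ce875daa
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
# Telegram bot tokens are "<numeric bot id>:<secret>"; only the id is kept,
# which is also what appears in api.telegram.org/bot<id>:... requests.
TG_TOKEN_RE = re.compile(r"^(\d{8,12}):[A-Za-z0-9_-]{30,}$")
TG_API_RE = re.compile(r"api\.telegram\.org/bot(\d+):")
IP_IN_URL_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


def refang(value: str) -> str:
    """Undo common defanging so IOCs compare equal to live telemetry."""
    return (value.strip()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def parse_iocs(text: str) -> dict:
    """Sort each line into its IOC class; hashes are lower-cased on the way in."""
    iocs = {"ips": set(), "ip_ports": set(), "sha256": set(), "telegram_bot_ids": set()}
    for line in text.splitlines():
        value = refang(line)
        if not value:
            continue
        if SHA256_RE.match(value.lower()):
            iocs["sha256"].add(value.lower())
        elif (m := IP_RE.match(value)):
            iocs["ips"].add(m.group(1))
            if m.group(2):
                iocs["ip_ports"].add((m.group(1), int(m.group(2))))
        elif (m := TG_TOKEN_RE.match(value)):
            iocs["telegram_bot_ids"].add(m.group(1))
    return iocs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(digest: str, iocs: dict) -> bool:
    return digest.strip().lower() in iocs["sha256"]


def file_matches(data: bytes, iocs: dict) -> bool:
    return hash_matches(sha256_hex(data), iocs)


def url_matches(url: str, iocs: dict) -> bool:
    """Flag a Bot API call for one of the listed bots or a request to a listed IP."""
    url = refang(url)
    m = TG_API_RE.search(url)
    if m and m.group(1) in iocs["telegram_bot_ids"]:
        return True
    m = IP_IN_URL_RE.search(url)
    if not m:
        return False
    if m.group(2) and (m.group(1), int(m.group(2))) in iocs["ip_ports"]:
        return True
    return m.group(1) in iocs["ips"]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(file_matches(b"constructed benign bytes", iocs))  # False
    print(hash_matches("11C873CEE11FD1D183351C9CDF233CF9B29E28F5E71267C2CB1F373A564C6A73", iocs))  # True
    print(url_matches("hxxps://api.telegram[.]org/bot7882816556:AAEEosBLhRZ8Op2ZRmBF1RD7DkJIyfk47Ds/sendDocument", iocs))  # True
    print(url_matches("http://103.232.54.13:25902/", iocs))  # True
```

Matching the Telegram bot by its numeric id rather than the full token is deliberate: proxy logs usually record the request path, and the id is enough to tie a request to one of the listed bots even if the secret part is truncated or redacted.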