# How the AI hype is exploited to spread the Noodlophile malware and steal personal data

## **Overview**

Recently, cybersecurity researchers discovered a new attack campaign using malware called **Noodlophile**, targeting users curious about AI technology, especially AI video creation services.

The attackers create **fake websites** that are visually appealing, mimicking popular AI video creation platforms, to lure users into downloading malicious software or files under the guise of "free AI tools" or "trial AI video creators."

When users download and install these fake tools, the **Noodlophile** malware infiltrates the system, collects sensitive data, records keystrokes **(keylogging)**, and even sets up a backdoor that lets the attackers remotely control the system and keep exploiting it.

![AI-gen](https://cdn-0.securityonline.info/wp-content/uploads/2025/05/AI-gen-1024x563.webp align="center")

## **Software Information**

**Malware Name:** Noodlophile

**Type of Malware:** Trojan/Spyware with backdoor and keylogger capabilities

**Infection Method:** Downloaded from fake websites posing as AI video creation platforms

**Main Behavior:** Keylogging, stealing browser information, setting up C2, sending data to the server

**Target:** Windows users, especially those interested in AI tools

## **Campaign Details**

Initially, the campaign was reported to originate from a fake AI video creation tool called **VideoDream**, with a sophisticated multi-stage process, including:

* **Downloaded from fake websites**
    
* **Executing multiple different payloads**
    
* **Hiding by renaming, encrypting, and persisting in the system**
    
* **Finally deploying stealers: NodeStealer or XWorm**
    

![Fake AI Tools Used to Spread Malware](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1EpYii2DPp5eRAUVcN5V2Q_jmAWm1yUzAJJQFsCVYtVVvG2qNFqi1qi_RfB8FO9P4FlHNNV6P4T9Ooq7jXIL15tYo2gY6liyqnD3dnJcQC0kr0PinoCAh5rcVnbEnSuQOq4z8-ZiRvx4d0BIUmPAEabbnyXQMMdLhvhRm93S9i6dLZnOUjsGuL-CI-whb/s728-rw-e365/VideoDream_AI_Diagram_5.png align="center")

Initially, users are lured by hackers to visit a fake website offering AI video creation software **(e.g., "Video Dream AI").** Here, users are prompted to download a ZIP file: `VideoDreamAI.zip`. This archive is, of course, malicious.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747195037896/8cea2164-6b4b-461b-a152-7205bfb2c154.png align="center")

After extracting the ZIP file, users will receive an executable file: `Video Dream MachineAI.mp4_.exe`. The attackers used a **double extension** `.mp4_.exe` to trick users into thinking this is a video file.

The malware will begin executing when the user runs the file `Video Dream MachineAI.mp4_.exe`. According to analysts, several actions will be performed:

* Hide the file and mark it as **"system + hidden"** to avoid detection.
    
* Create a folder named after a fake version number, `5.0.01886`.
    

The next step is for the malware to execute the file `CapCut.exe`, which pretends to be the popular video editing software, making it difficult for users to detect or suspect this malicious software. When executed, it will load the file `AICore.dll`, a **malicious DLL** that supports system intrusion and spreading. This DLL can act as an **intermediate loader** or coordinate other actions.

To continue hiding itself, the file `CapCut.exe` will be renamed to `images.exe` for use in the later stages of the campaign. Then, a text file `Document.docx` with fake content is renamed to a `.bat` file (`install.bat`) to prepare for the next stage of **decoding and deploying the payload**.

After that, the attackers use a legitimate Windows tool called `certutil` to decode a real PDF file and compress it into the file `ppluqewlq.rar`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747197108620/ccd5a369-aa28-412a-aabb-9a427832d13c.png align="center")

The attackers will use the file `images.exe` as a command-line tool to extract `ppluqewlq.rar` into the folder `%LOCALAPPDATA%\SoftwareHost`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747197715980/cbaae53e-b846-4b6e-a060-0f89122b64e7.png align="center")

The attack ends with the execution of `srchost.exe` – a payload loader written in Python that injects the **Noodlophile (and optionally XWorm)** malware directly into memory, allowing the malware to operate silently without leaving traces on the disk. The malware will be downloaded from the IP address: **85.209.87.207**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747197837365/c762817c-a0ef-401c-a13e-c710fdda6dd3.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747197854153/037c95b7-0313-4b11-8268-0b6903c3b0ff.png align="center")
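As an added example (not code from the original post or from any of the referenced analyses), the Python triage below turns the chain described above into three checks a defender can run over process-creation telemetry: the media-extension-plus-`.exe` file name, `certutil -decode` use, and extraction into `%LOCALAPPDATA%\SoftwareHost`. The events, file names and extraction syntax are constructed, and the double-extension check is generalized beyond the page's `.mp4_.exe` case to other media and document extensions.

```python
import re

# Constructed process-creation events modelled on the chain described above
# (Sysmon Event ID 1 style fields). Sample records only, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\Video Dream MachineAI.mp4_.exe",
     "cmdline": r'"C:\Users\victim\Downloads\Video Dream MachineAI.mp4_.exe"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode Document.pdf ppluqewlq.rar"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\images.exe",
     "cmdline": r"images.exe x ppluqewlq.rar C:\Users\victim\AppData\Local\SoftwareHost"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# A media or document extension followed by an optional underscore and ".exe",
# e.g. "clip.mp4_.exe" (the case on this page) or "report.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(mp4|mov|avi|mkv|pdf|docx?|jpe?g|png)_?\.exe$", re.IGNORECASE)
# certutil used to decode a dropped file (the living-off-the-land step in this chain).
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\s+.*-decode\b", re.IGNORECASE)
# Any command line that touches the staging folder named on this page.
SOFTWAREHOST = re.compile(r"AppData\\Local\\SoftwareHost", re.IGNORECASE)


def is_double_extension(path: str) -> bool:
    """True if the file name hides an executable behind a media/document extension."""
    name = path.rsplit("\\", 1)[-1]
    return DOUBLE_EXT.search(name) is not None


def triage(events):
    """Return (rule, image) pairs for events matching the chain's observable steps."""
    hits = []
    for ev in events:
        image, cmdline = ev["image"], ev["cmdline"]
        if is_double_extension(image):
            hits.append(("double_extension", image))
        if image.lower().endswith("certutil.exe") and CERTUTIL_DECODE.search(cmdline):
            hits.append(("certutil_decode", image))
        if SOFTWAREHOST.search(cmdline):
            hits.append(("softwarehost_extract", image))
    return hits


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {image}")
```

Each rule on its own is noisy (certutil has legitimate uses), so treat two or more hits from the same user session within a short window as the signal worth escalating.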

## **Conclusion**

The Noodlophile campaign is a **sophisticated, multi-stage attack** that uses **evasion techniques**, cleverly disguised files, and legitimate Windows tools. The main goal is to **steal sensitive data** and **remotely control the victim's machine** using NodeStealer or XWorm malware.

Always stay vigilant, keep your security systems updated, and raise awareness internally to protect your organization.

## **Recommendations**

1. **Identify risks and raise awareness**
    
    * **Do not trust websites promising free or "miraculous" AI** unless verified by reputable sources.
        
    * **Do not download software from links shared via email, social media, Discord, Telegram, etc.** if the source is unclear.
        
    * **Research thoroughly before using new AI tools** – check the company name, community feedback, and reliable review sites.
        
2. **Safe software downloading**
    
    * **Only download software from official websites** (check for HTTPS and verify the exact domain name).
        
    * Use tools like **VirusTotal.com** to scan downloaded files before running them.
        
    * **Do not disable Windows Defender** or the firewall when installing unclear software.
        
3. **Personal technical measures**
    
    * Install and update **strong antivirus software** (Kaspersky, Bitdefender, ESET, Windows Defender, etc.).
        
    * Use **virtual machines (VMware, VirtualBox)** to test untrusted software.
        
    * Always **keep your browser's safe-browsing warnings enabled** so you are alerted when visiting suspicious websites.
        

## **IOC**


## **Reference**

1. [Noodlophile Malware Targets Users via Fake AI Video Generation Sites](https://cyberpress.org/noodlophile-malware-targets-users/)
    
2. [AI Tools Turn Trojan: Fake Video Platforms Drop Noodlophile Stealer and XWorm Payloads](https://securityonline.info/ai-tools-turn-trojan-fake-video-platforms-drop-noodlophile-stealer-and-xworm-payloads/)
    
3. [Fake AI Tools Used to Spread Noodlophile Malware, Targeting 62,000+ via Facebook Lures](https://thehackernews.com/2025/05/fake-ai-tools-used-to-spread.html)
