New Malware Campaign Targets Users with Fake AI Video Editing Tools
EJ
AI Hype Exploited for Malware Distribution
Cybercriminals are leveraging the popularity of artificial intelligence to distribute a new information-stealing malware known as Noodlophile. This campaign stands out for its use of polished, AI-themed websites and social media pages that appear legitimate, but are in fact fronts for malicious activity.
Promoted through Facebook groups with names like “Luma Dreammachine AI” and “gratistuslibros,” these platforms lure users with promises of advanced image, video, and logo creation tools. Posts from these pages have reached over 62,000 views, highlighting the scale and success of the operation.
From Social Media to System Compromise
The attack begins when users visit one of these fraudulent AI websites and enter prompts for supposed content generation. When the "result" is ready, they are offered a download of the finished product, delivered as a ZIP archive.
The archive contains a file disguised as the expected output. When the user opens it, it launches a legitimate CapCut binary to reduce suspicion. Behind the scenes, a .NET-based loader installs a Python-based payload, which in turn downloads and runs the Noodlophile Stealer.
This method of combining legitimate software with malicious loaders allows the attackers to maintain a low profile while executing their infection chain.
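As an added illustration (not code from the original article or from any vendor report on this campaign), the following Python script inspects a ZIP download for the kind of deception described above: archive members that carry an executable extension hidden behind a media-style name, or that begin with a Windows PE header despite a harmless extension. The archive and its file names are constructed for the example; the article does not name the actual file the campaign delivered, so the `.mp4.exe` pattern is an assumption about the form a "deceptive file" takes, not a documented indicator.

```python
"""Inspect a downloaded ZIP for members that pretend to be media but are Windows executables.

Added example; the sample archive below is constructed, not an artifact from the real campaign.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows will run on double-click, often hidden behind a "media" name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".ps1", ".msi", ".lnk", ".dll"}
# Extensions a user expects from an "AI video / image tool".
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".png", ".jpg", ".jpeg", ".gif", ".mp3", ".wav"}


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks deceptive (empty list if none)."""
    findings: list[str] = []
    base = name.lower().rsplit("/", 1)[-1]          # drop any folder prefix
    parts = [p.strip() for p in base.split(".")]    # strip padding like "file.mp4     .exe"
    if len(parts) < 2:
        return findings
    final_ext = "." + parts[-1]
    inner_exts = {"." + p for p in parts[1:-1]}

    if final_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {final_ext}")
        if inner_exts & MEDIA_EXTS:
            findings.append("media extension hidden before the real extension")
    if "\u202e" in name:
        # Right-to-left override makes "exe.4pm" render as "mp4.exe" reversed.
        findings.append("right-to-left override character in name")
    if "   " in name:
        findings.append("whitespace padding to push the real extension out of view")
    if head[:2] == b"MZ" and final_ext not in EXECUTABLE_EXTS:
        # PE/COFF files start with the 'MZ' DOS stub regardless of extension.
        findings.append("PE header (MZ) despite non-executable extension")
    return findings


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its findings; only the first 64 bytes are read."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            findings = inspect_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking an 'AI video tool' download (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Your Video.mp4.exe", b"MZ\x90\x00" + b"\x00" * 60)   # PE behind a media name
        zf.writestr("readme.txt", b"Thanks for using our AI video tool!")
        zf.writestr("preview.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 40)  # real MP4 header
        zf.writestr("thumbnail.png", b"MZ" + b"\x00" * 60)                # PE with an image extension
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The check is intentionally cheap: it reads only the first 64 bytes of each member, so it can sit in a download gateway or a mail filter without extracting the archive. It will not catch a loader packaged inside an installer or a signed binary with a plausible name; it is a first filter for the specific trick of dressing an executable up as the user's "finished video".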

Capabilities of Noodlophile Stealer
Once installed, Noodlophile is designed to extract a wide range of sensitive information. This includes saved browser credentials, cryptocurrency wallet details, and potentially other confidential user data. In certain variants, the malware also deploys XWorm, a remote access trojan (RAT) that allows attackers to maintain persistent access to the compromised system.
The malware developer, believed to be based in Vietnam, has openly described themselves as a “passionate malware developer” on GitHub—an example of how some threat actors are now operating in the open.
Implications for Credit Unions
This threat is especially relevant for smaller credit unions, where employees may explore free or trending AI tools to enhance marketing, communications, or member engagement. Platforms like Facebook, commonly used by credit unions for community outreach, are also where these malicious tools are being advertised.
A single compromised device—especially one tied to business operations—can lead to credential theft, unauthorized access to sensitive systems, and ultimately financial or reputational damage.
Emerging Trend: AI-Themed Malware Campaigns
This is part of a broader pattern. In 2023, Meta reported that it had taken down more than 1,000 malicious links exploiting interest in AI, particularly ChatGPT, to distribute malware. The Noodlophile campaign follows a similar model but with enhanced social engineering tactics and a focus on multimedia content creation.
The use of legitimate-looking branding and downloadable binaries disguised as familiar tools shows how threat actors are adapting their strategies to align with trending technologies.

Risk Mitigation Considerations
To reduce exposure to these types of threats, credit unions need to reinforce internal awareness of the risks of downloading unverified AI tools, especially those found via social media. Limiting employees' ability to install unauthorized software, deploying modern endpoint protection, and routinely monitoring systems for suspicious behavior, such as a freshly downloaded program launching scripting hosts or interpreters, are all advisable measures.
Even without advanced persistence or obfuscation techniques, simple but effective malware like Noodlophile can cause significant harm if it is not caught early.
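To make the "monitoring systems for suspicious behavior" point concrete, here is an added Python example (not part of the original article) that runs three simple rules over process-creation events shaped like Sysmon Event ID 1 records. The events, paths and process IDs are constructed; the rule that flags a Python interpreter running from a user-writable directory follows from the article's description of a Python-based payload behind a legitimate binary, while the exact list of directories and script hosts is an assumption made for this example, not something the article specifies.

```python
"""Flag process-creation events consistent with a 'downloaded media file' that is really a loader.

Added example with constructed events; field names follow Sysmon Event ID 1 (Image, ParentImage, ProcessId).
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Directories an ordinary user can write to; legitimate interpreters rarely live here.
# (Assumed list for this example.)
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata|desktop|documents)|users\\public|programdata|windows\\temp)\\",
    re.I,
)
# Script hosts and interpreters a downloaded "video" has no business launching.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
PYTHON_NAME = re.compile(r"^python(w|3(\.\d+)?)?\.exe$", re.I)
MEDIA_BEFORE_EXE = re.compile(r"\.(mp4|mov|avi|png|jpe?g|gif|mp3)\s*\.exe$", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches."""
    image, parent = event["Image"], event["ParentImage"]
    hits: list[str] = []
    if MEDIA_BEFORE_EXE.search(basename(image)):
        hits.append("double_extension_image")
    if PYTHON_NAME.match(basename(image)) and in_user_writable(image):
        hits.append("python_interpreter_in_user_writable_path")
    if basename(image) in SCRIPT_HOSTS and in_user_writable(parent):
        hits.append("user_writable_parent_spawns_script_host")
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Evaluate each event independently and return (ProcessId, rule) pairs."""
    return [(ev["ProcessId"], rule) for ev in events for rule in evaluate(ev)]


# Constructed process tree: a legitimately installed editor, then a fake "video" download
# that chains into cmd.exe and a bundled Python interpreter; plus a developer's normal Python.
SAMPLE_EVENTS = [
    {"ProcessId": 3000, "Image": r"C:\Program Files\CapCut\Apps\CapCut.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4100, "Image": r"C:\Users\jdoe\Downloads\VideoDreamAI\Video Result.mp4.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\VideoDreamAI\Video Result.mp4.exe"},
    {"ProcessId": 4150, "Image": r"C:\Users\jdoe\AppData\Local\Temp\pyt\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 5000, "Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Each rule fires on a single event, which keeps the logic easy to test, but a real detection would also walk the parent chain so that the interpreter launched two hops below a file in Downloads is tied back to that download. Note that the installed CapCut copy and the developer's Python under C:\Python312 produce no alerts; the signal is the location and lineage of the interpreter, not the interpreter itself.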
AI as a Double-Edged Sword
As artificial intelligence continues to shape the tools we use daily, it is also becoming a powerful weapon for cybercriminals. The same curiosity that drives employees to explore new platforms can become a point of compromise if precautions aren't taken. If you feel your company needs assistance in combating the rising AI threat, TechHorizon Consulting has the experience to help you stay protected in today's ever-changing cyber landscape.