Cybersecurity researchers have discovered a new, sophisticated attack method aimed at users of AI tools. Known as the Noodlophile Stealer, this previously unknown malware is spread through fake AI video-generation websites promoted in Facebook groups and on other social media. The attack plays on growing interest in AI content creation and tricks victims with promises of advanced video editing so they will install the malware. It combines social engineering with technical tricks to steal sensitive information—like browser passwords and cryptocurrency wallet data—via a Trojan.
Instead of using traditional phishing or software piracy, attackers build convincing websites that copy real AI video platforms. These fake sites are heavily promoted in Facebook groups and through social media campaigns; some posts have over 62,000 views. The attackers focus on individual content creators and small businesses that use AI to boost productivity, since these users often have less experience spotting malware.
When someone visits a fake platform, they are asked to upload their own images or videos for AI processing. After choosing options, they receive a download link claiming to contain the AI-generated video. In reality, the download hides malicious code that begins the infection chain.
Once opened, a ZIP archive named VideoDreamAI.zip12 is saved. Inside is an executable called Video Dream MachineAI.mp4.exe, which uses spaces and a misleading “.mp4.exe” extension to look like a video file. This 32-bit C++ application is signed with a fake certificate made with Winauth, helping it evade detection.
The Noodlophile Stealer is new to the malware ecosystem and has not appeared in public malware trackers or reports. It can:
-
Steal passwords saved by web browsers
-
Steal cryptocurrency wallet data
-
Install Trojans to maintain control and allow further remote access
The malware sends stolen data via a Telegram bot, letting attackers leak information without relying on a dedicated server that could be blocked or shut down.
OSINT (open-source intelligence) investigations show that Noodlophile is offered as “malware-as-a-service” (MaaS) on cybercrime marketplaces. Language clues and social media profiles suggest the developer is Vietnamese. They actively promote the malware in related Facebook groups to expand its reach.
Defending against the threat
-
Be cautious with AI platforms advertised on social media or third-party websites.
-
Legitimate AI tools are usually available on well-known corporate websites or in verified app stores.
-
Always check the file extension of any downloaded program before opening it.
This simple vigilance can help protect you from fake AI video-generation scams.
