Do Son 
Fake AI-powered video generation platforms have emerged as a new front for disseminating a dangerous malware strain known as Noodlophile—a previously undocumented infostealer capable of exfiltrating data directly from system memory.
Masquerading as cutting-edge platforms with names like “Dream Machine,” these deceptive websites are promoted via sponsored posts in popular Facebook* groups.
Users are lured into downloading what is allegedly an AI-generated video, but in reality, they receive a ZIP archive containing a malicious executable disguised as a media file.
Inside the archive lies an executable named “Video Dream MachineAI.mp4.exe”, which may appear to be a standard video clip—especially on systems where file extensions are hidden by default in Windows. In truth, it is a 32-bit C++ application digitally signed using a certificate generated via Winauth. To evade suspicion and antivirus detection, it impersonates the legitimate video editing software CapCut.
Upon execution, the trojan initiates a command sequence, including a BAT script that leverages the built-in Windows utility certutil.exe to extract an encrypted archive disguised as a PDF file. Concurrently, it creates a registry key to ensure persistence across reboots.
The malware then covertly launches a file named “srchost.exe”, which connects to a remote server to retrieve an encrypted Python script dubbed “randomuser2025.txt.” This script executes the primary payload—Noodlophile Stealer—entirely in system memory.
If Avast antivirus is detected on the infected host, the malware employs a PE-hollowing technique to inject its code into the legitimate process RegAsm.exe. In other scenarios, it resorts to direct shellcode injection.
According to Morphisec, Noodlophile targets browser-stored credentials, session cookies, authentication tokens, and cryptocurrency wallet files. All stolen data is exfiltrated through a Telegram bot, which functions as a covert command-and-control channel.
Some Noodlophile variants are bundled with the XWorm RAT tool, granting attackers full remote control over compromised systems.
Threat actors—believed to be Vietnamese-speaking—are distributing the malware under a malware-as-a-service scheme, offering bundled subscription plans with features such as “Get Cookie + Pass.” First detected by researchers at Morphisec, Noodlophile had not appeared in prior public reports or malware databases.
To guard against such attacks, users are strongly advised to avoid downloading content from unverified sources—especially if it is disguised as multimedia. Enabling file extension visibility in Windows and scanning all downloads with up-to-date antivirus software are essential precautions.
Donate