Full Report
Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile. "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns,"
Analysis Summary
# Tool/Technique: Noodlophile Stealer
## Overview
Noodlophile is an information stealer malware distributed via social engineering campaigns that lure victims with fake AI-powered content creation tools advertised on platforms like Facebook. Over 62,000 views were observed on some promotional posts, exploiting interest in AI tools for video and image editing.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (implied by reliance on CapCut.exe, a Windows binary)
- Capabilities: Harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. Can be bundled with RATs like XWorm.
- First Seen: Recently identified campaign; the developer's GitHub profile was created on March 16, 2025.
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on functions (stealing information and execution chain).*
- [TA0001 - Initial Access]
  - [T1566 - Phishing] (Social media lures are a form of phishing/spearphishing)
- [TA0005 - Defense Evasion]
  - [T1218 - Signed Binary Proxy Execution] (Use of legitimate CapCut.exe)
- [TA0010 - Exfiltration]
  - [T1041 - Exfiltration Over C2 Channel] (Implied, as data is stolen)
## Functionality
### Core Capabilities
- Information Stealing: Specifically targets browser credentials and cryptocurrency wallet information.
- Payload Delivery: Utilizes a multi-stage infection chain involving a loader and a final Python payload.
### Advanced Features
- Social Engineering Lure: Leverages high-interest topics (fake AI tools such as Luma Dreammachine AI and CapCut AI) distributed via seemingly legitimate social media groups.
- Execution Chain: Executes a legitimate binary (`CapCut.exe`) to launch a **.NET-based loader** (`CapCutLoader`), which then fetches and runs the final **Python payload** (`srchost.exe`) from a remote server.
- Payload Staging: The final payload, Noodlophile Stealer, is a Python binary.
- Bundling: Select variants are bundled with a Remote Access Trojan (RAT), specifically **XWorm**, for persistent access.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names:
  - Downloaded Archive: `VideoDreamAI.zip`
  - Executable Lure: `Video Dream MachineAI.mp4.exe`
  - Python Payload: `srchost.exe`
- Registry Keys: [Not provided in context]
- Network Indicators:
  - C2 communication for staging the Python payload. No specific IPs or domains are detailed; the source refers only to a "remote server".
- Behavioral Indicators:
  - Execution of a legitimate CapCut binary (`CapCut.exe`) to load a dynamic file or process.
  - Installation/execution of a .NET-based loader after decoy file execution.
## Associated Threat Actors
- Developer: Assessed to be of Vietnamese origin, operating under a pseudonym whose GitHub profile was established in March 2025.
- General Association: Linked to the thriving cybercrime ecosystem in Southeast Asia known for distributing stealer malware targeting Facebook.
## Detection Methods
- Signature-based detection: [Not explicitly detailed; the specific file names and, once analyzed, hash values are likely candidates for signatures].
- Behavioral detection: Monitoring for the execution chain involving legitimate applications (`CapCut.exe`) proxying execution for unknown loaders or Python scripts. Monitoring file creation/execution in user profiles corresponding to known stages.
- YARA rules: [Not provided in context]
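As an added illustration of the behavioral detection described above (not code from the source report), the following Python runs three heuristics over constructed Sysmon-style process-creation events: double-extension lure file names, `CapCut.exe` executing from a user-writable path, and `CapCut.exe` appearing in the ancestry of `srchost.exe`. The event data, the user-writable-path heuristic and the depth-3 ancestry walk are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events in a Sysmon Event ID 1 style
# (pid, parent pid, image path); not real telemetry from the campaign.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\VideoDreamAI\Video Dream MachineAI.mp4.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\CapCut.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\CapCutLoader.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\srchost.exe"},
    # Benign control: a normal CapCut install launching its own updater.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\CapCut\CapCut.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Program Files\CapCut\Updater.exe"},
]

# Double-extension lure, e.g. "Video Dream MachineAI.mp4.exe".
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mov|jpg|png|pdf)\.exe$", re.IGNORECASE)

def _name(event):
    return PureWindowsPath(event["image"]).name.lower()

def _user_writable(event):
    # Assumed heuristic: anything under \Users\ is treated as user-writable.
    return "\\users\\" in event["image"].lower()

def _ancestors(event, by_pid, depth=3):
    # Walk up to `depth` processes (self included), returning lower-cased image names.
    cur, names = event, []
    while cur is not None and len(names) < depth:
        names.append(_name(cur))
        cur = by_pid.get(cur["ppid"])
    return names

def detect(events):
    """Return (pid, reason) tuples for events matching the Noodlophile chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        n = _name(e)
        if DOUBLE_EXT.search(n):
            alerts.append((e["pid"], "double-extension lure executable"))
        if n == "capcut.exe" and _user_writable(e):
            alerts.append((e["pid"], "CapCut.exe running from a user-writable path"))
        if n == "srchost.exe":
            alerts.append((e["pid"], "srchost.exe payload file name"))
            # Proxy-execution chain: CapCut.exe -> .NET loader -> srchost.exe
            if "capcut.exe" in _ancestors(e, by_pid):
                alerts.append((e["pid"], "CapCut.exe in ancestry of srchost.exe"))
    return alerts
```

Running `detect(EVENTS)` flags pids 200, 300 and 500 (the latter twice) and leaves the benign CapCut install and its updater untouched.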
## Mitigation Strategies
- Prevention measures: User caution regarding unsolicited downloads advertised via social media, even when promising desirable content (like free AI tools).
- Hardening recommendations: Restricting or monitoring execution of known legitimate applications (`CapCut.exe`) if they are observed spawning secondary malicious processes or loading external payloads. Sandboxing or strictly controlling the execution of Python binaries downloaded from untrusted locations.
## Related Tools/Techniques
- XWorm: A RAT known to be bundled with Noodlophile for enhanced persistence.
- PupkinStealer: Another recently detailed .NET-based stealer using Telegram bots for exfiltration.
- Prior AI Lures: Campaigns using OpenAI's ChatGPT as a lure (mentioned historically by Meta).