As AI-powered content creation reaches new heights of popularity, cybercriminals are leveraging the technology’s mainstream appeal to orchestrate a sophisticated new malware campaign.
Security researchers have uncovered an operation where attackers deploy fake AI video and image generation platforms to distribute a previously undocumented infostealer dubbed Noodlophile Stealer, often in tandem with remote access trojans like XWorm.
Social Media to Stealthy System Compromise
The campaign exploits the public’s eagerness for free AI content tools by circulating links to fraudulent AI sites, primarily through Facebook groups and viral social media posts.

Many of these posts amass tens of thousands of views, luring in creators and small businesses looking for the latest technology.
Once users arrive on the fake website, they are prompted to upload images or videos, purportedly for AI-powered processing.
Instead of delivering the promised AI-generated content, the platform serves up a ZIP archive containing a malicious payload named to resemble a legitimate video file (e.g., Video Dream MachineAI.mp4.exe).
When executed, this file initiates a multi-stage infection chain specifically engineered for evasion and persistence.
The dropper masquerades as a signed executable, leveraging both C++ and .NET components, and uses legitimate-appearing software elements such as “CapCut.exe” and “AICore.dll” to facilitate malware deployment.
The infection process includes several sophisticated techniques:
- Obfuscation of malicious batch scripts within files disguised as Word documents.
- Use of password-protected and Base64-encoded RAR archives.
- Memory-only execution of Python-based malware routines, minimizing disk artifacts and complicating analysis.
These stages culminate in the installation of Noodlophile Stealer, which systematically harvests browser credentials, cookies, cryptocurrency wallets, and sensitive system data, and, in some cases, in the deployment of XWorm 5.2, a remote access trojan that uses in-memory injection and process hollowing to increase persistence and evade traditional security tools.
Threat Actor Tactics, Attribution, and Ecosystem
Open-source intelligence (OSINT) efforts indicate that “Noodlophile Stealer” has appeared for sale on underground forums as part of a malware-as-a-service (MaaS) offering.
The developer, believed to be of Vietnamese origin, has been directly observed promoting the malware in Facebook groups and responding to posts seeking access to AI content generation tools.
According to the Morphisec report, the campaign is further amplified by a network of interconnected pages and Telegram bots used for exfiltrating stolen data.
The operation’s modular design, heavy reliance on social engineering, and use of layered obfuscation techniques highlight a notable evolution in infostealer and RAT delivery.
By targeting users through new and trusted technology themes (AI video and image generation), the attackers sidestep traditional defenses and exploit the curiosity and productivity needs of a broader, less security-savvy user base.
Given the malware’s ability to evade static and behavioral detection, advanced endpoint protection and zero-trust principles (such as those provided by automated moving target defense, AMTD, technology) are recommended to block early-stage infiltration.
Organizations should routinely educate employees about social engineering tactics, especially those that exploit emerging trends like generative AI, and monitor for indicators of compromise described below.
Indicators of Compromise (IOC)
IOC Type | Value/Description |
---|---|
Domains/URLs | http://lumalabs-dream[.]com/VideoLumaAI.zip |
Domains/URLs | https://luma-dreammachine[.]com/LumaAI.zip |
Domains/URLs | https://luma-dreammachine[.]com/File_Successful.zip |
Domains/URLs | https://luma-aidreammachine[.]com/Creation_Luma.zip |
Domains/URLs | https://85.209.87[.]207/sysdi/randomuser2025.txt |
Domains/URLs | http://160.25.232[.]62/bee/bee02_ads.txt |
IPs | 149.154.167.220 (Telegram APIs) |
IPs | 103.232.54[.]13:25902 (C2 – XWorm 5.2) |
Telegram | 7882816556:AAEEosBLhRZ8Op2ZRmBF1RD7DkJIyfk47Ds (randomuser2025 token) |
Telegram | 7038014142:AAHF3pvRRgAVY5vP4SU6B2YES4BH1LEhtNo (bee02_ads token) |
Chat IDs | 4583668048, 4685307641, 4788503251 (randomuser2025) |
Chat IDs | 1002565449208, 1002633555617 (bee02_ads) |
File Hashes | 5c98553c45c9e86bf161c7b5060bd40ba5f4f11d5672ce36cd2f30e8c7016424 |
File Hashes | 67779bf7a2fa8838793b31a886125e157f4659cda9f2a491d9a7acb4defbfdf5 (VideoDreamAI.zip) |
File Hashes | 11C873CEE11FD1D183351C9CDF233CF9B29E28F5E71267C2CB1F373A564C6A73 (randomuser2025) |
File Hashes | 32174d8ab67ab0d9a8f82b58ccd13ff7bc44795cca146e61278c60a362cd9e15 (LumaAI.zip) |
File Hashes | 86d6dd979f6c318b42e01849a4a498a6aaeaaaf3d9a97708f09e6d38ce875daa (File_Generated.zip) |
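The following script is an added example of how a defender could put the indicators above, together with the double-extension lure described earlier in the article, to work against their own telemetry. It is not Morphisec's tooling and not part of the original report. The proxy log lines, archive member names and file inventory are constructed for illustration; only the URLs, the C2 address and the SHA-256 hashes are taken from the IOC table. The log format assumed here (timestamp, client IP, method, URL/host, status, size) is a placeholder for whatever your proxy actually emits.

```python
"""Triage telemetry against the Noodlophile campaign IOCs listed above.

Added example, not the vendor's code. Sample log lines, archive member
names and the file inventory are constructed; indicators come from the
IOC table in the article.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC table, still defanged ("[.]").
DEFANGED_URLS = [
    "http://lumalabs-dream[.]com/VideoLumaAI.zip",
    "https://luma-dreammachine[.]com/LumaAI.zip",
    "https://luma-dreammachine[.]com/File_Successful.zip",
    "https://luma-aidreammachine[.]com/Creation_Luma.zip",
    "https://85.209.87[.]207/sysdi/randomuser2025.txt",
    "http://160.25.232[.]62/bee/bee02_ads.txt",
]
DEFANGED_C2 = ["103.232.54[.]13:25902"]
# 149.154.167.220 is Telegram's own API address. It is listed in the report
# as exfiltration infrastructure, but it is shared by every legitimate
# Telegram client, so it is deliberately kept out of the block watchlist.
TELEGRAM_API_IP = "149.154.167.220"
# SHA-256 values from the table, normalised to lower case for comparison.
FILE_HASHES = {
    "5c98553c45c9e86bf161c7b5060bd40ba5f4f11d5672ce36cd2f30e8c7016424",
    "67779bf7a2fa8838793b31a886125e157f4659cda9f2a491d9a7acb4defbfdf5",
    "11c873cee11fd1d183351c9cdf233cf9b29e28f5e71267c2cb1f373a564c6a73",
    "32174d8ab67ab0d9a8f82b58ccd13ff7bc44795cca146e61278c60a362cd9e15",
    "86d6dd979f6c318b42e01849a4a498a6aaeaaaf3d9a97708f09e6d38ce875daa",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_watchlist() -> set:
    """Hosts (and host:port for the C2) that should not appear in egress logs."""
    hosts = {urlsplit(refang(u)).netloc for u in DEFANGED_URLS}
    hosts.update(refang(c) for c in DEFANGED_C2)
    return hosts


def _host_pattern(host: str) -> re.Pattern:
    # Require a non-hostname character on both sides so a watched name cannot
    # match inside a longer, unrelated hostname.
    return re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w.-])")


def scan_log(lines, watchlist=None):
    """Return (line_number, indicator) for each log line touching a watched host."""
    watchlist = watchlist or build_watchlist()
    patterns = {h: _host_pattern(h) for h in sorted(watchlist)}
    hits = []
    for number, line in enumerate(lines, 1):
        for host, pattern in patterns.items():
            if pattern.search(line):
                hits.append((number, host))
    return hits


# Media-looking name ending in an executable extension, as in
# "Video Dream MachineAI.mp4.exe" from the article.
LURE_NAME = re.compile(r"\.(mp4|mov|avi|mkv|png|jpe?g|gif)\.(exe|scr|com|pif|bat|cmd)$", re.I)


def flag_lure_filenames(names):
    """Archive members or download names that imitate media files but are executables."""
    return [n for n in names if LURE_NAME.search(n)]


def match_hashes(inventory):
    """inventory maps path -> SHA-256 (any case); returns paths whose hash is an IOC."""
    return sorted(path for path, digest in inventory.items() if digest.lower() in FILE_HASHES)


# Constructed sample telemetry (placeholder log format, not a real product's).
SAMPLE_PROXY_LOG = [
    "2025-05-10T09:14:02Z 10.20.0.41 GET http://lumalabs-dream.com/VideoLumaAI.zip 200 4193021",
    "2025-05-10T09:14:30Z 10.20.0.41 GET https://www.example.com/index.html 200 1532",
    "2025-05-10T09:16:11Z 10.20.0.41 CONNECT 103.232.54.13:25902 - 0",
    "2025-05-10T09:16:12Z 10.20.0.41 CONNECT api.telegram.org:443 200 0",
    "2025-05-10T09:17:40Z 10.20.0.77 GET https://luma-dreammachine.com/LumaAI.zip 200 4101173",
]
SAMPLE_ARCHIVE_MEMBERS = ["Video Dream MachineAI.mp4.exe", "README.txt", "holiday.mp4", "Creation_Luma.png.scr"]
SAMPLE_INVENTORY = {  # constructed paths; the two matching digests are from the IOC table
    r"C:\Users\alice\Downloads\VideoDreamAI.zip": "67779bf7a2fa8838793b31a886125e157f4659cda9f2a491d9a7acb4defbfdf5",
    r"C:\Users\alice\Downloads\notes.docx": "0" * 64,
    r"C:\Users\bob\Downloads\LumaAI.zip": "32174D8AB67AB0D9A8F82B58CCD13FF7BC44795CCA146E61278C60A362CD9E15",
}


def triage(log=SAMPLE_PROXY_LOG, members=SAMPLE_ARCHIVE_MEMBERS, inventory=SAMPLE_INVENTORY):
    """Run all three checks and return the findings grouped by check."""
    return {
        "network_hits": scan_log(log),
        "lure_names": flag_lure_filenames(members),
        "hash_hits": match_hashes(inventory),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("   ", item)
```

On the constructed input the script reports three egress hits (the two lure-site downloads and the XWorm C2 connection), the two media-named executables, and the two files whose hashes appear in the table. The Telegram connection on line 4 is intentionally not flagged: the bot tokens and chat IDs in the table are the discriminating indicators for that channel, and they are only visible in decrypted traffic or on the infected host, not in a plain proxy log.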