A new and sophisticated cyber-attack campaign is exploiting the surge of interest in artificial intelligence (AI) to spread malware. Its centrepiece is the previously undocumented information stealer Noodlophile Stealer, deployed together with the remote-access trojan XWorm. The attackers build websites that impersonate AI-based video platforms, playing on users' curiosity and their appetite for free AI tools.

The campaign begins by promoting the fake websites through Facebook groups and viral posts, some of which attract tens of thousands of views. Visitors are invited to upload photos or videos for "AI processing" and are then asked to download a ZIP archive that supposedly contains the "AI-generated video". In reality the archive holds a malicious executable with a misleading name such as Video Dream MachineAI.mp4.exe, relying on hidden file extensions so that the file appears to be a video. Opening it immediately runs the malicious code.

[Image: fake website]
Noodlophile Stealer is malware dedicated to stealing sensitive data: login credentials, browser cookies, cryptocurrency wallets, session tokens and important files on the victim's machine. Its notable feature is the use of a Telegram bot as the command-and-control and data-collection channel, which helps the operators stay anonymous and evade traditional monitoring mechanisms.
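Because the Telegram Bot API has a fixed URL shape (https://api.telegram.org/bot<token>/<method>), its use as a control channel is easy to spot in egress logs: any process other than known, approved automation talking to that endpoint deserves a look, and a bot id shared by several processes on one host is a useful pivot during incident response. The following detection logic is an added example and not code from the article or from any vendor; the log format, the host and process names, the bot ids and the allowlist are all constructed for illustration, and the tokens are placeholders.

```python
import re
from collections import defaultdict

# Constructed egress-proxy style log lines (not real telemetry):
#   <timestamp> <host> "<process name>" <url>
SAMPLE_LOG = """\
2025-05-12T10:01:03Z ws17 "chrome.exe" https://www.example.com/index.html
2025-05-12T10:02:41Z ws17 "ops-notifier.exe" https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN_A/sendMessage
2025-05-12T10:03:09Z ws17 "Video Dream MachineAI.mp4.exe" https://api.telegram.org/bot111111111:PLACEHOLDER_TOKEN_B/sendDocument
2025-05-12T10:03:10Z ws17 "python.exe" https://api.telegram.org/bot111111111:PLACEHOLDER_TOKEN_B/getUpdates
2025-05-12T10:04:00Z ws22 "outlook.exe" https://outlook.office365.com/owa/
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]+)"\s+(\S+)$')
# Bot API calls always look like /bot<numeric id>:<secret>/<method>.
BOT_API_RE = re.compile(r'^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)', re.I)

# Assumed allowlist: internal automation that legitimately uses a Telegram bot.
APPROVED_BOT_PROCESSES = {"ops-notifier.exe"}
# Methods that push data out of the host (exfiltration) rather than poll for commands.
OUTBOUND_METHODS = {"sendmessage", "senddocument", "sendphoto"}


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, url = m.groups()
    return {"ts": ts, "host": host, "process": proc, "url": url}


def detect_bot_c2(log_text):
    """Return (alerts, bot_usage).

    alerts    - one entry per Bot API request from a non-approved process
    bot_usage - bot id -> sorted list of processes seen using it (pivot for IR)
    The bot secret is deliberately not copied into alerts.
    """
    alerts = []
    bot_usage = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        m = BOT_API_RE.match(ev["url"])
        if m is None:
            continue
        bot_id, _secret, method = m.groups()
        bot_usage[bot_id].add(ev["process"])
        if ev["process"].lower() in APPROVED_BOT_PROCESSES:
            continue
        severity = "high" if method.lower() in OUTBOUND_METHODS else "medium"
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "process": ev["process"],
            "bot_id": bot_id,
            "method": method,
            "severity": severity,
        })
    return alerts, {k: sorted(v) for k, v in bot_usage.items()}


if __name__ == "__main__":
    found, usage = detect_bot_c2(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['process']} -> bot {a['bot_id']} {a['method']}")
    for bot_id, procs in usage.items():
        print(f"bot {bot_id} used by: {', '.join(procs)}")
```

The allowlist is keyed on process name only for brevity; in production it should be tied to a signed binary path or hash, since a stealer can pick any name it likes. The bot-usage map is what turns two isolated alerts into one incident: the executable dropped from the fake site and a python.exe process sharing the same bot id are almost certainly the same infection chain.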
In the more dangerous variants, Noodlophile is paired with XWorm, a modular remote-access trojan. XWorm can inject code into system processes, hide its activity through PE hollowing, replicate itself, and move laterally across the local network. The infection chain is built in multiple layers of carefully disguised files, ranging from forged application files, Office documents and PDFs to Python scripts that are encrypted and executed directly in memory to evade security analysis.
The final stage of the attack uses a payload driver to inject Noodlophile (optionally together with XWorm) directly into memory, so the malicious code runs silently without leaving traces on disk. Indications suggest the campaign may follow the malware-as-a-service model and most likely originates from a Vietnamese-speaking actor operating on the black market.
In the face of this threat, users are advised to be extremely wary of unidentified free AI platforms, especially those that require downloading an executable. Carefully checking the source and the file format, and never running .exe files obtained from untrusted websites, are key to reducing the risk of data theft and system compromise.
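The lure described earlier (a ZIP whose "video" is really Video Dream MachineAI.mp4.exe) and the advice above to check the file format can both be turned into an automated check at a mail gateway or download proxy: inspect every archive entry for a decoy extension stacked in front of an executable one, and compare the entry's real content (a Windows PE starts with the bytes MZ) against what its extension claims. The script below is an added example, not code from the article or from any security vendor; the extension lists are assumptions chosen for illustration, and the sample archive it builds is constructed in memory and contains no real malware.

```python
import io
import re
import zipfile

# Assumed lists: extensions Windows treats as runnable, and extensions users read as passive media.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi"}
DECOY_EXTS = {"mp4", "mov", "avi", "jpg", "png", "gif", "pdf", "docx", "mp3", "txt"}


def analyse_name(name):
    """Findings about an archive entry name alone (no content inspection)."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return findings
    final = parts[-1]
    if final in EXECUTABLE_EXTS:
        decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
        if decoys:
            findings.append(f"double extension: looks like .{decoys[-1]} but is .{final}")
        else:
            findings.append(f"executable entry (.{final})")
    if re.search(r"\s{2,}", base):
        findings.append("padded with repeated spaces (pushes the real extension out of view)")
    return findings


def analyse_zip(data):
    """Map each suspicious entry of a ZIP (given as bytes) to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = analyse_name(info.filename)
            ext = info.filename.lower().rsplit(".", 1)[-1]
            with zf.open(info) as fh:
                magic = fh.read(2)
            # Content check: a PE header under a non-executable extension is a mismatch.
            if magic == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append("content is a PE executable (MZ header) despite non-executable extension")
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed archive resembling the lure in the article; the 'PE' is just an MZ magic plus filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"Your AI video is ready!")
        zf.writestr("preview.mp4", b"MZ" + b"\x00" * 16)  # executable hiding behind a media extension
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in analyse_zip(build_sample_zip()).items():
        print(entry)
        for f in findings:
            print("  -", f)
```

The name check catches the trick the campaign relies on (hidden extensions make `x.mp4.exe` display as `x.mp4`), while the magic-byte check catches the opposite case, an executable renamed to look like media, which a name-only rule would miss. Only the first two bytes are read, so the check is cheap enough to run on every attachment.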