Hackers Disguise Cryptocurrency Stealing Malware as AI Tools to Deceive Victims

Hackers are preying on the growing interest in AI tools to spread malware designed to steal cryptocurrency and sensitive user data. The malware, known as “Noodlophile Stealer,” is being distributed through fake AI-powered platforms on social media sites like Facebook.

These fake platforms claim to offer AI-driven image and video editing tools, often with catchy names like “Luma Dreammachine AI” or “VideoDreamAI.” They use attractive interfaces and engage in viral marketing campaigns to lure victims. Once a user clicks on a promotional post, they’re redirected to a site that asks them to upload a file and download a ZIP file, which contains the malicious code.

When executed, the malware installs the Noodlophile Stealer on the victim’s device, allowing hackers to extract sensitive information, including login credentials and cryptocurrency wallet data. The malware can also communicate with attackers through Telegram bots, sending stolen data via encrypted channels.

Malware-as-a-Service

The Noodlophile Stealer is part of a larger Malware-as-a-Service (MaaS) scheme, where cybercriminals sell or rent malicious tools on underground markets. These tools include services like “Get Cookie + Pass,” designed to facilitate account takeover and credential theft. In some cases, the malware is combined with remote access Trojans like XWorm, giving attackers even more control over compromised devices.

A search for “Noodlophile” on cybercrime platforms revealed active communities offering this tool as part of ready-to-deploy packages. The main developer is believed to be from Vietnam, based on a GitHub account that describes them as a “passionate malware developer” from the country.

Telegram Under Scrutiny

Telegram, with over 900 million daily active users, has become a hub for cybercriminal activity. The platform is used to share stolen databases, sell hacking methods, and organize illegal operations. Pavel Durov, Telegram’s founder, has stated that the company refuses to share private messages, even if it means leaving a national market.

Under the EU’s Digital Services Act, Telegram will only hand over IP addresses and phone numbers with a valid court order, but never the content of messages. Authorities have warned that cybercrime is particularly prevalent in Southeast Asia, where platforms like Facebook have been used to distribute similar malware in the past.

Staying Safe

Experts recommend being cautious when downloading files from social media, especially if they’re promoted in open groups. Users should be wary of tools that ask them to download ZIP or executable files without proper verification. As AI-powered tools continue to gain popularity, it’s likely that cybercriminals will keep exploiting this trend to spread malware.
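
One way to apply this advice before opening a downloaded archive, as an added example that is not part of the original article: a Python check that reads a ZIP's entries in memory, without extracting them, and flags anything that can run code, including Windows executables saved under a non-executable extension. The extension list and the sample archive are assumptions constructed for the illustration.

```python
import io
import posixpath
import zipfile

# Assumption: file types treated as directly runnable on Windows (not from the article).
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".msi", ".dll"}


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for entries that can run code.

    Entries are read from memory only; nothing is written to disk.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Windows ignores trailing dots and spaces, so drop them before reading the extension.
            ext = posixpath.splitext(name.lower().rstrip(". "))[1]
            if info.flag_bits & 0x1:  # bit 0 of the ZIP flags marks an encrypted entry
                findings.append((name, "encrypted entry, contents cannot be inspected"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":  # DOS/PE header used by Windows executables and DLLs
                reason = "Windows executable header (MZ)"
                if ext not in RISKY_EXT:
                    reason += f" hidden behind '{ext or 'no'}' extension"
                findings.append((name, reason))
            elif ext in RISKY_EXT:
                findings.append((name, f"runnable file type '{ext}'"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: harmless bytes standing in for a downloaded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Thanks for using our AI video tool")
        zf.writestr("output_video.mp4", b"MZ" + b"\x00" * 62)  # executable magic, media name
        zf.writestr("install.cmd", "echo placeholder")
        zf.writestr("preview.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {reason}")
```

A clean result from this check does not make an archive safe; it only catches entries that are runnable by type or by header.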
