According to Shmuel Uzan, a cybersecurity researcher at Morphisec, Noodlophile threat actors are shifting away from conventional phishing emails and cracked software distribution. Instead, they are building professional-looking websites and apps themed around AI.
Uzan explained:
“Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms, often advertised via legitimate-looking Facebook groups and viral social media campaigns.”
Source: Morphisec
These fake tools are actively promoted in Facebook groups frequented by digital creators, AI enthusiasts, and freelancers. Once a user clicks on the promoted content, they are redirected to a website that mimics an AI service. There, they are prompted to upload an image or video, followed by a download prompt for a file named VideoDreamAI.zip.
What appears to be a creative tool is actually a trojan horse. The ZIP file contains malicious Python code that executes the Noodlophile Stealer, silently stealing sensitive data in the background.
The most popular social media platform being leveraged for this campaign is Facebook, which has billions of active users. Hackers are taking advantage of the platform’s wide reach to push fake AI tools to unsuspecting victims.
Some of the fraudulent Facebook pages involved include:
A single post from one of these pages has received over 62,000 views, underscoring the scale of exposure. These pages are often filled with polished visuals and enticing claims about revolutionary AI tools, making them hard to distinguish from real startups.
Noodlophile Stealer is actually part of broader Malware-as-a-Service (MaaS) schemes. Sellers on these underground platforms bundle the malware with tools labeled “Get Cookie + Pass,” which are explicitly designed for account takeover and credential theft.
Once the malware is active on a victim’s system, it communicates with the attacker through Telegram bots, serving as a covert command-and-control channel. Telegram’s encrypted messaging and large user base, over 900 million daily users, make it a preferred medium for cybercriminals.
These bots silently exfiltrate browser credentials, saved passwords, session cookies, and even cryptocurrency wallet information to the attacker, all without the victim knowing.
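The Telegram-as-C2 pattern described above is something a defender can look for in web-proxy or EDR logs. The following Python detector is an added example, not code from Morphisec's report: it scans constructed log lines for Telegram Bot API upload calls (sendDocument and similar) coming from endpoint processes. The log format and the bot token are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Telegram Bot API calls have the form
# https://api.telegram.org/bot<token>/<method>, where the token
# is "<numeric bot id>:<35-char secret>". That fixed shape is
# what lets a proxy or EDR rule pick bot traffic out of logs.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]{35}/(?P<method>\w+)"
)
# Methods a stealer would use to push files or text to its operator.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

@dataclass
class Alert:
    host: str
    process: str
    bot_id: str
    method: str

def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value' proxy log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def detect_bot_exfil(lines: list[str]) -> list[Alert]:
    """Flag Bot API upload calls from user endpoints; these are
    rarely legitimate on a workstation and match the C2 pattern
    described for Noodlophile."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        m = BOT_API_RE.search(rec.get("url", ""))
        if m and m.group("method") in UPLOAD_METHODS:
            alerts.append(Alert(rec.get("host", "?"), rec.get("process", "?"),
                                m.group("bot_id"), m.group("method")))
    return alerts

# Constructed sample proxy log; the token is a placeholder, not a real bot token.
FAKE_TOKEN = "123456789:" + "A" * 35
SAMPLE_LOGS = [
    f"host=WS-07 process=python.exe method=POST url=https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument",
    "host=WS-07 process=chrome.exe method=GET url=https://example.com/",
    f"host=WS-09 process=python.exe method=GET url=https://api.telegram.org/bot{FAKE_TOKEN}/getMe",
]

if __name__ == "__main__":
    for a in detect_bot_exfil(SAMPLE_LOGS):
        print(f"ALERT {a.host}: {a.process} -> bot {a.bot_id} via {a.method}")
```

Only the sendDocument call from python.exe is flagged; the getMe probe and ordinary browsing are ignored, and in a real deployment the process field would come from the proxy's user-agent or an EDR network event.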
There is strong evidence suggesting that the origins of Noodlophile can be traced back to Vietnam, where the exploitation of old routers and similar equipment is common.
A GitHub page tied to the malware references a “passionate malware developer from Vietnam,” and the same individual was seen interacting with related Facebook content.
Southeast Asia, particularly Vietnam, has been identified as a hotspot for cybercrime activity, where platforms like Facebook are frequently used to spread stealer software and promote illicit software tools.
Source: X (@MarioNawfal)
Elsewhere, Telegram founder Pavel Durov commented on the entire ordeal, saying:
“In its 12-year history, Telegram has never disclosed a single byte of private messages.”
He emphasized that even under pressure, Telegram will comply only with court orders under the EU Digital Services Act and will not reveal message content, just IP addresses and phone numbers of suspects.
The rise of AI-themed malware campaigns like Noodlophile serves as a harsh reminder that cybercriminals are constantly evolving their tactics. With tools like Noodlophile Stealer, attackers are targeting people’s curiosity and trust in emerging technologies to steal sensitive data.
Users can protect themselves in the following ways:
As AI tools become more integrated into our daily workflows, it’s critical to approach new platforms with caution and skepticism.