Cybercriminals are now using fake AI tools on social media to spread Noodlophile malware

Cybercriminals are using fake AI tools on social media to spread Noodlophile malware. According to a security expert, the malware can steal important information like browser credentials, cryptocurrency wallet information, and more.

The attackers make platforms with believable AI themes that can then be promoted on social media. These may look like real AI tools, but they are actually just fronts to get people to download malware that is hiding inside them.

Criminal AI-themed platforms are advertised via Facebook groups 

The main social media platform being used is Facebook. Fake AI platforms are luring millions of people who use AI-powered tools every day to make materials like art, music, and videos from photos. 

FAKE AI TOOLS ARE THE NEW NIGERIAN PRINCE — AND THEY’RE AFTER YOUR PASSWORDS

Think you’re downloading the next hot AI video editor?

Surprise — it’s malware in a trench coat.

Hackers are luring people with slick-looking Facebook ads for fake tools like “CapCut AI,” racking up… https://t.co/jOuVc15ZiH pic.twitter.com/hteD7bNuoE

— Mario Nawfal (@MarioNawfal) May 12, 2025

Morphisec researcher Shmuel Uzan said, “Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns.”

Links in these groups lead to the developer’s profile. Their  BIO reveals further involvement in malware sales and distribution.

When a user hits on a post, they are taken to what looks like free AI editing tools, where they are told to upload a picture or video. Then, they are told to download VideoDreamAI.zip, which looks like the AI tool but is actually a harmful ZIP file. This makes a Python code that makes it possible to use the Noodlophile Stealer.

When shared on Facebook, these posts have gotten as many as 62,000 views from just one post. Luma Dreammachine AI, Luma Dreammaching, and gratistuslibros are some of the fake social media pages that have been found.

In addition, an investigation of the term “Noodlophile” across cybercrime marketplaces uncovered groups offering it as part of malware-as-a-service (MaaS) schemes. Tools like Noodlophile are advertised alongside access services labeled “Get Cookie + Pass,” designed for account takeover and credential theft. 

Noodlophile Stealer talks to the attackers through a Telegram bot

In some cases, the data stealer has been joined with remote access Trojans like XWorm to gain even more power over the host’s computer and data. At the very end of the attack, it was found that the Noodlophile Stealer talks to the attackers through a Telegram bot, which is a secret way for them to send stolen data to other people

Cybercriminals like to use Telegram, which has more than 900 million daily users, to trade stolen databases, user credentials, credit card information, and other things. The site is also used by fraudsters to talk to each other, share hacking methods, and sell illegal goods.

As Cryptopolitan reported, the founder of Telegram, Pavel Durov, has been arrested because of the involvement of Telegram and illicit activities. However, Durov insisted that his company would rather exit a national market than disclose private messages.

“In its 12-year history, Telegram has never disclosed a single byte of private messages,” Durov reckoned. “In accordance with the EU Digital Services Act, if provided with a valid court order, Telegram would only disclose the IP addresses and phone numbers of criminal suspects, not messages.”

The Noodlophile malware is thought to have come from Vietnam, as shown by a GitHub page that calls the user “a passionate Malware Developer from Vietnam.” Also, he was observed responding to Facebook posts promoting this new method. Law enforcement officials say that cybercrime is particularly common in Southeast Asia and that Facebook has also been used in the past to spread stealer software.

KEY Difference Wire helps crypto brands break through and dominate headlines fast