Threat actors are observed as lures to leverage fake artificial intelligence (AI)-powered tools to seduce users to download information steeler malware called nude lofils.
“Instead of relying on traditional phishing and cracked software sites, they build compelling, AI-themed platforms, which are often promoted through legitimately-looking Facebook groups and virus social media campaigns.”
The posts shared on these pages are known to attract over 62,000 views in a single post, indicating that users looking for AI tools for video and image editing are the targets of this campaign. Fake social media pages identified include Luma Dreammachine AL, Luma Dreammachine, and Gratistuslibros.
Users who land on social media posts are encouraged to click on links that promote AI-powered content creation services, such as videos, logos, images, and even websites. One of the fake websites is spoofing Capcut AI and offers users an “all-in-one video editor with new AI capabilities.”
When an unsuspecting user uploads an image or video prompt to these sites, the expected AI will be asked to download the generated content, and at that point a malicious zip archive (“videodreamai.zip”) will be downloaded instead.
Residing in the file is a deceptive file named “Video dream machineai.mp4.exe” which kicks off the infection chain by launching a legitimate binary associated with Bytedance’s video editor (“Capcut.exe”). This C++-based executable is used to run a .NET-based loader named CapCutloader that will eventually load the Python payload (“srchost.exe”) from a remote server.
Python binaries pave the way for the deployment of noodle sturlers with the ability to harvest browser credentials, cryptocurrency wallet information, and other sensitive data. Selected instances bundled steelers with remote access trojans like Xworm for colonization access to infected hosts.
The noodle developers are rated as Vietnamese origins, and they claim to be “Vietnamese passionate malware developers.” The account was created on March 16th, 2025. It is worth pointing out that Southeast Asian nations have a thriving cybercrime ecosystem with a history of distributing various steeler malware families targeted at Facebook.
Bad actors weaponizing public interest in AI technology for their interests is not a new phenomenon. In 2023, Meta said that since March 2023, it had abolished the sharing of more than 1,000 malicious URLs across services that have been found to utilize Openai’s ChatGPT as a lure to propagate around 10 malware families.
As Cyfirma detailed another new .NET-based steeler malware family codename PupkinStealer, disclosures can steal a wide range of data from compromised Windows systems and extend it to attacker-controlled telegram bots.
“Because of the lack of specific anti-analytical defenses or persistent mechanisms, PupkinStealer relies on simple executions and modest behavior to avoid detection during its operation,” the cybersecurity company said. “PupkinStealer illustrates a simple and effective form of simple, effective malware that leverages the behavior of a common system and the widely used platform to extend sensitive information, leveraging the widely used platform.”
Source link
