Artificial intelligence-powered video generators have become highly sought-after tools for content creators, marketers and technology enthusiasts. Their promise of automatically turning text into video is hard to resist, and some cybercriminals have turned that appetite into a lure. Trading on catchy names such as “Dream Machine”, fake platforms posing as advanced AI services have started to circulate, promoted in high-visibility groups on social networks such as Facebook.
Behind these supposed innovations hides Noodlophile, a new malware family designed to steal sensitive information, from saved passwords to banking credentials. The operation poses as a video generator and tricks users into downloading the malware under the guise of the content they asked it to generate.
Using AI as a hook to distribute malware is not new, but recent research shows that Noodlophile represents an evolution in the tactics of more experienced attackers.
Noodlophile is already being advertised on dark web forums as part of “Get Cookie + Pass” services (i.e., kits ready to steal passwords and sessions). Everything points to a new malware-as-a-service (MaaS) operation run by Vietnamese-speaking actors, which suggests that this is not an amateur experiment but a well-organized business.
Facebook ad leading users to malicious websites (Source: Morphisec)
Multi-stage infection chain
It all starts when the victim visits one of these fake sites and uploads their files, expecting to receive an AI-generated video. Shortly afterwards they are offered a ZIP file that supposedly contains that video.
Instead of the promised video, the ZIP contains an executable with a deceptive name: Video Dream MachineAI.mp4.exe. It also ships a hidden folder full of files that the malware needs for the next stages of the infection. On Windows, Explorer hides known file extensions by default (you should always turn that option off!), so the file appears at first glance as an innocent MP4 video.
Although the name ends in “.mp4”, the file is actually a 32-bit program written in C++, disguised to look legitimate. To make it more convincing, it carries a fake certificate created with Winauth and is built on a modified version of CapCut, a real video editing app. The disguise fools not only the average user but also some security solutions, which treat a recognizable, signed-looking application as benign.
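The two tricks described above, a double extension that hides an executable behind a media-looking name and a hidden folder, can both be spotted in the ZIP before anything is extracted. The script below is an added example (not code from the original article or from the Morphisec report): it builds a constructed archive shaped like the one described, with dummy bytes in place of the real files, and flags entries whose last extension is executable while the previous one looks like media, entries carrying the MS-DOS hidden attribute, and, going a step beyond the article, names containing the right-to-left override character that is also used to spoof extensions.

```python
"""Inspect a downloaded ZIP for deceptive entries before extracting it.

Example code added to the article. The sample archive is constructed in
memory; the file names mirror the campaign description but the contents
are dummy bytes, not the real payload.
"""
import io
import zipfile

# Extensions Windows executes directly when double-clicked, versus the
# extensions a user reads as "just a video / document". Windows decides
# the real type by the LAST extension only.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".ps1"}
DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".mp3", ".jpg", ".jpeg", ".png",
              ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip"}
DOS_HIDDEN = 0x02   # low byte of external_attr holds the MS-DOS attributes
RLO = "\u202e"      # right-to-left override: reverses how the tail of a name is displayed


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Return {entry name: [reasons]} for every suspicious entry in the archive."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rstrip("/").rsplit("/", 1)[-1]
            exts = ["." + p for p in base.lower().split(".")[1:]]
            reasons = []
            if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
                reasons.append(f"double extension: shown as {exts[-2]}, runs as {exts[-1]}")
            if RLO in base:
                reasons.append("right-to-left override character in name")
            if info.external_attr & 0xFF & DOS_HIDDEN:
                reasons.append("MS-DOS hidden attribute set")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive shaped like the one described in the article (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # the "video": a PE header stub, not a real program
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)
        # a folder marked hidden, holding the files the later stages need
        hidden_dir = zipfile.ZipInfo("Document/")
        hidden_dir.external_attr = 0x10 | DOS_HIDDEN       # directory flag + hidden
        zf.writestr(hidden_dir, b"")
        hidden_file = zipfile.ZipInfo("Document/install.bat")
        hidden_file.external_attr = DOS_HIDDEN
        zf.writestr(hidden_file, b"@echo off\r\n")
        # a harmless entry that must not be flagged
        zf.writestr("README.txt", b"Your video is ready.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run it against any downloaded archive by passing the file's bytes to `inspect_zip`; a non-empty result is a reason to stop before extracting, regardless of what the sender or the website promised.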
A DreamMachine site that drops payloads
How the hoax is triggered: Noodlophile malware stage-by-stage infection and in-memory execution
When someone double-clicks the supposed MP4 file, a chain of executables is launched behind the scenes. It ends up triggering a batch script (named something like install.bat), which orchestrates the rest of the attack.
This script leverages certutil.exe, a legitimate Windows certificate tool, to decode a base64-encoded, password-protected RAR archive that is stored under a .pdf name so it passes for an ordinary document. In parallel, the script adds a registry autorun entry so that the malware is relaunched every time the system starts.
Next, the attack launches a file called srchost.exe, which runs a Python script hidden inside what looks like a text file (randomuser2025.txt). That script is fetched from a remote server and is what eventually loads Noodlophile directly into the computer's memory, without writing the final payload to disk.
If the system has Avast installed, the malware tries to avoid detection by hollowing out the legitimate RegAsm.exe process (a .NET Framework utility) and running its code inside it. If it does not detect that antivirus, it falls back to shellcode injection, a more direct way to execute the payload that leaves little on disk for a scanner to find.
Execution chain (source: Morphisec)
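The chain above leaves several footprints that host telemetry can catch even though the final payload never touches disk: certutil decoding a file that is not a certificate, an autorun entry pointing at a user-writable directory, and a binary whose name is one letter away from a Windows system process (srchost.exe vs. svchost.exe) running outside the system directories. The script below is an added example, not detection content from the original article or from Morphisec. It runs those three checks over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set); the field names follow Sysmon, the sample values are invented for this example, and the assumption that the persistence entry lives under a Run key is mine, since the article only says "registry entry".

```python
"""Detection pass over constructed Sysmon-style events for the delivery chain.

Example code added to the article. SAMPLE_EVENTS are constructed, not
captured telemetry; field names follow Sysmon EventID 1 / 13.
"""
import re

# Windows binaries a loader might impersonate by name; genuine copies live
# in the system directories below.
SYSTEM_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "rundll32.exe", "dllhost.exe", "conhost.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
CERT_EXTS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx", ".p12", ".p7s")
# Assumption for this example: persistence via the CurrentVersion\Run keys.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
CERTUTIL_DECODE_RE = re.compile(r'-(?:decode|decodehex)\s+("[^"]+"|\S+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single substitution turns svchost.exe into srchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_event(ev: dict) -> list[str]:
    """Return the list of reasons this event is suspicious (empty if none)."""
    hits = []
    image = ev.get("Image", "")
    name = basename(image)
    in_system_dir = image.lower().startswith(SYSTEM_DIRS)
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        # certutil is a certificate tool: decoding a .pdf or .txt is LOLBin abuse
        m = CERTUTIL_DECODE_RE.search(cmd) if name == "certutil.exe" else None
        if m and not basename(m.group(1)).endswith(CERT_EXTS):
            hits.append(f"certutil decoding non-certificate file {m.group(1)}")
        # a system-binary name, or one a single edit away, running outside the system dirs
        if not in_system_dir:
            for sysbin in SYSTEM_BINARIES:
                if levenshtein(name, sysbin) <= 1:
                    hits.append(f"{name} mimics {sysbin} but runs from {image}")
    elif ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(target) and any(d in details.lower() for d in USER_WRITABLE):
            hits.append(f"autorun entry pointing at user-writable path: {details}")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map index of each flagged event to its reasons."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\victim\AppData\Local\Temp\Document.pdf "
                    r"C:\Users\victim\AppData\Local\Temp\Document.rar"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Local\Temp\srchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\srchost.exe",
     "CommandLine": "srchost.exe randomuser2025.txt"},
    # benign noise that must stay quiet
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\certs\server.cer C:\certs\server.der"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(reasons)}")
```

None of the three checks depends on the payload itself, which is the point: the in-memory stage can change with every build, but a loader that borrows certutil, writes an autorun entry and masquerades as svchost.exe has to do those things on the host where they can be logged.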
What does Noodlphile actually do?
Noodlophile is an infostealer: malware dedicated to harvesting the data stored in your browser. We're talking about passwords, session cookies, login tokens and even cryptocurrency wallet files, exactly the things you wouldn't want to fall into the wrong hands.
This infostealer is relatively new; it had not appeared in public reports or malware trackers before. It is something of a “new recruit” in the cybercrime world. What is curious (and worrying) is that it does not stop at browser data: it can also extract cryptocurrency wallet files and, in some cases, give attackers remote control of your computer.
The stolen information is not sent to a classic command-and-control server but exfiltrated through a Telegram bot, which acts as a hidden operations center. This gives the attackers the data in near real time, as if they had a window open onto your activity, and lets the traffic blend in with legitimate use of Telegram's API.
And there's more: in certain cases, Noodlophile comes bundled with XWorm, a remote access trojan. So the attackers do not just see what you have; they can move around inside your system, steal more data or install other malicious programs. It is like leaving the door wide open for them.
How to protect yourself?
The most important thing here is prevention. Do not download files from unknown or suspicious sites, no matter how flashy they look, and be wary of any “AI tool” that delivers its output as a ZIP. Turn on “File name extensions” in Explorer's View menu so that the real extension is visible, and always check it before opening a file. If you see something like .mp4.exe, stay away.
And very important: scan everything you download with an updated antivirus before double-clicking, bearing in mind that the loader described above was built to slip past some security products, so a clean scan is not a green light to run a “video” that arrived as an executable. It may sound like overkill, but it can save you a good scare (or the loss of your accounts and data).