There are plenty of free AI image and video generators out there, but some can be outright dangerous to use. If you end up using the wrong AI video generator, you’ll get a side of malware served with it.

AI Video Generators Are Distributing Malware

A new info-stealing malware called Noodlophile is hiding in fake AI video generators. Security experts at Morphisec discovered the campaign, claiming that these fake websites use names like “Dream Machine” and advertise their services on Facebook groups to attract more users.

The sites will ask you to upload a sample image that their AI will convert into a video and offer the result as a ZIP archive for download. If you’ve disabled file extensions in Windows File Explorer, the file will appear as an MP4 video file at first glance. In reality, it’s an executable file with a repurposed version of CapCut (version 445.0). The executable is also signed using a security certificate to evade suspicion.

If you double-click the fake MP4 to see the AI-generated video you just downloaded, it’ll open CapCut and run a batch script in the background. The batch script uses the legitimate Windows tool certutil.exe to extract a password-protected RAR archive impersonating a PDF file. It also adds a new registry key to Windows for persistent access to your system.

Finally, another process is executed, which runs a hidden Python script that loads the actual infostealer. The script also checks whether Avast antivirus is installed on the device. If yes, the infostealer is injected into the RegAsm.exe process, otherwise, it’s loaded into your system’s memory.

Once executed, Noodlophile can steal your browser data from major browsers, including Chrome, Edge, Brave, Opera, and other Chromium-based browsers you might have installed on your PC. If you’ve got any crypto wallet extensions installed, they get raided too.

Researchers found that in some cases, the Noodlophile infostealer was bundled with XWorm, a remote access trojan (RAT) that gives the hacker admin privileges on your system. They can then control your system or upload other malware freely.

All the stolen data is sent back to a Telegram bot that also doubles up as a command-and-control (C2) server for the infostealer. This also gives the hackers real-time access to the stolen data.

The best way of protecting yourself from such malware is to simply avoid using shady AI tools or any website that you don’t trust. We’ve got a list of the best AI video generators to get you started.

I would recommend you enable file extensions in Windows 11 to be able to see what kind of file you’re running. Hackers often add double extensions to files and rely on the user not being able to see the actual file extension, simply because this Windows setting is disabled by default.

Keep your OS and antivirus updated, don’t run files you randomly found on the internet without checking them, stick to legitimate and trusted web tools, and you’ll be good to go.