In 2026, the hunger for instant AI-generated content has never been stronger. Creators, marketers, and casual tinkerers are flocking to free tools that promise to turn a simple image into a stunning video within seconds. But a persistent threat from 2025 is still lurking in the shadows, and it is far from harmless. Imagine downloading what looks like a perfect AI-crafted clip, only to find out that your browser passwords, cryptocurrency wallets, and even full control of your PC have been handed over to a stranger. That is exactly what the Noodlophile info-stealer has been doing, and its fake AI video generators remain surprisingly convincing.

Security researchers at Morphisec first uncovered the campaign when they noticed a new breed of malware crawling through Facebook groups. The bait? Websites mimicking popular and legitimate AI video tools, often using names like "Dream Machine" to sound cutting-edge. The trap is elegantly simple: you are asked to upload a sample image that the AI will supposedly convert into a video. When the processing is complete, the site cheerfully offers a ZIP archive for download. But here is the kicker—your excitement to see the result is precisely what the attackers are counting on. Can you guess what is inside that archive?

It is not an MP4 file. Because Windows hides file extensions by default, most people see a video icon and a ".mp4" type label, but the actual file is an executable. The attackers go the extra mile to make it look legitimate: they bundle a repurposed version of CapCut (version 445.0) and have the executable signed with a valid security certificate. In the frantic moment of double-clicking what you believe to be your freshly generated video, you set off a chain reaction that the naked eye would never detect. CapCut opens to keep you distracted, while a batch script works silently in the background.

The batch script then calls certutil.exe, a perfectly legitimate Windows tool, to extract a password-protected RAR archive that is disguised as a harmless PDF file. At the same time, a new registry key is injected into Windows to make sure the malware comes back to life every time you restart your system. Has your antivirus flagged anything yet? Probably not. The final stage involves executing a hidden Python script that loads the real Noodlophile info-stealer. This script even checks whether Avast antivirus is installed. If Avast is present, the stealer is carefully injected into the RegAsm.exe process to stay under the radar; otherwise, it is loaded straight into the system's memory.

So what exactly gets stolen? The scope is terrifying. Noodlophile rifles through data from every major browser you might have on your machine—Chrome, Edge, Brave, Opera, and any other Chromium-based sibling. Your saved passwords, autofill details, and browsing history become an open book. If you have cryptocurrency wallet extensions installed, they get raided without mercy. The attackers are not just after a few passwords; they want your crypto keys, and in some cases documented by the researchers, Noodlophile comes bundled with XWorm, a remote access trojan (RAT) that gives the hacker admin-level privileges. From that point, an attacker can upload additional malware, steal files, or even watch your screen in real time.

What makes Noodlophile exceptionally sneaky is its command-and-control backbone. All the stolen data is sent back to a Telegram bot, which doubles as a real-time communication channel for the attacker. This means the hacker receives your information practically the moment it is captured, and they can issue new commands without standing up complex infrastructure. How many people, in their eagerness to try the latest AI trick, would stop to wonder if a video file is secretly an executable?

By 2026, the trend of weaponizing AI curiosity is only accelerating. Attackers know that creators are hungry for free, high-quality tools, and they are refining their social engineering tactics. Facebook groups and other social platforms remain a fertile ground for spreading links to these malicious sites. A user sees a post showing an impressive AI-generated clip, clicks on the tool that made it, and falls straight into the trap. The entire setup feels authentic because the scammers have done their homework—they use real names, clone familiar interfaces, and even offer a seemingly working demo until the moment your machine is compromised.

Now the critical question: how can a regular person stay safe while still enjoying the creative power of AI? The answer is not to abandon AI altogether but to adopt a few simple habits that break the attack chain. First, never rely on a piece of software just because it popped up in a social media ad. Stick with well-known AI video generators that have a transparent track record and a genuine online presence. If you are unsure, a quick search for independent reviews will usually reveal whether a tool is legitimate or a wolf in sheep's clothing.

Second, enable file extensions in Windows immediately. This one setting change—showing the full file name, including the real extension—is like a flashlight in the dark. An executable pretending to be a video will suddenly show its true nature with a ".exe" at the end, no matter how cleverly the icon was designed. In Windows 11, you can turn this on by opening File Explorer, clicking "View," and checking the box for "File name extensions." It takes five seconds and could save you from a world of pain.

Third, keep your operating system and antivirus software fully updated. While no antivirus is foolproof, the Noodlophile attack makes extra effort to avoid Avast specifically because many people still use it. Modern security suites are catching up to these evasion techniques, but they can only protect you if you allow them to install the latest definitions. Finally, exercise a healthy dose of suspicion for any file that arrives as a ZIP archive from an unfamiliar website. Even if it claims to be a video, use the extension visibility trick and, if in doubt, scan the file with an online virus scanner before opening it.
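The ZIP check from the last step can be done without extracting or opening anything. The script below is an added example, not code from Morphisec or from this article: it lists an archive's entries and flags executables hiding behind a media-style name, as well as files whose first bytes do not match the type they claim. The sample archive, its file names, and the extension lists are constructed assumptions for the demonstration.

```python
import io
import os
import zipfile

# File types a lure might claim to be, each with a check on the leading bytes.
MEDIA_MAGIC = {
    ".mp4": lambda h: h[4:8] == b"ftyp",
    ".pdf": lambda h: h.startswith(b"%PDF"),
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}


def triage_zip(data: bytes) -> dict:
    """Return {entry name: [reasons]} for suspicious entries, without extracting."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Windows ignores trailing dots and spaces, so strip them first.
            name = info.filename.lower().rstrip(" .")
            ext = os.path.splitext(name)[1]
            with zf.open(info) as fh:
                head = fh.read(16)
            reasons = []
            if head.startswith(b"MZ"):
                reasons.append("content is a Windows executable (MZ header)")
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"real extension is {ext}")
                if any(m in name[: -len(ext)] for m in MEDIA_MAGIC):
                    reasons.append("media/document extension used as a decoy in the name")
            elif ext in MEDIA_MAGIC and not MEDIA_MAGIC[ext](head):
                reasons.append(f"claims {ext} but the header does not match")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed, harmless sample: names and bytes are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Result.mp4.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("clip.mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16)
        zf.writestr("Document.pdf", b"not really a pdf")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

To check a real download, pass the archive's bytes to `triage_zip`; password-protected entries cannot be read this way and should be treated as suspicious on their own.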

The rise of Noodlophile is a clear reminder that behind the shiny surface of free AI tools, some doors should never be opened. The next time you see a link promising to turn your cat photo into a Pixar-style short film in seconds, ask yourself: am I about to feed my creativity, or am I about to feed a cybercriminal?