
Ankura CTIX FLASH Update - May 13, 2025

Malware Activity


Fake AI Video Generator Used to Download Infostealer Malware Noodlophile

Threat actors are leveraging the growing public interest in AI technologies by deploying a sophisticated campaign that distributes a new information-stealing malware called Noodlophile, disguised as AI-powered content creation tools. Promoted via deceptive social media posts and Facebook groups advertising platforms like “Dream Machine” or fake versions of CapCut AI, these campaigns lure users with promises of AI-generated video and image editing. When users interact with the sites, they are prompted to upload content and subsequently download a ZIP archive supposedly containing the generated media. Instead, the archive holds a malicious executable disguised as a video file ("Video Dream MachineAI.mp4.exe") that initiates a multi-stage infection chain. This process includes the use of a repurposed CapCut binary, batch scripts, and legitimate Windows utilities like "certutil.exe" to decode and deploy the final payload. The malware, loaded in memory via obfuscated Python code, is capable of harvesting browser credentials, cookies, session tokens, and cryptocurrency wallet data, with stolen information exfiltrated via a Telegram bot. In some instances, Noodlophile is also bundled with the XWorm remote access trojan (RAT) for persistent access. The malware has been linked to Vietnamese-speaking actors and is being offered as part of a malware-as-a-service (MaaS) operation on dark web forums, sometimes bundled with "Get Cookie + Pass" services. Noodlophile’s stealthy execution, lack of prior documentation, and use of real-time command-and-control (C2) channels like Telegram mark it as a significant new entrant in the infostealer landscape, while a parallel emergence of simpler threats like PupkinStealer highlights the broader trend of increasingly accessible cybercrime toolkits. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
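As an added illustration (not part of the original briefing), the Python below runs two detections over constructed process-creation events that mirror traits of the infection chain described above: a media-named executable with a double extension, and certutil.exe being used to decode a staged payload. The event field names and sample lines are assumptions, not real telemetry.

```python
import re

# Constructed sample events (assumed schema: image path, command line, parent).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\Dream\Video Dream MachineAI.mp4.exe",
     "cmdline": '"Video Dream MachineAI.mp4.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode stage.txt stage.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile setup.exe SHA256",   # benign admin use
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\VideoLAN\vlc.exe",
     "cmdline": '"vlc.exe" holiday.mp4',
     "parent": r"C:\Windows\explorer.exe"},
]

# A media/document extension immediately followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(mp4|mov|avi|jpg|png|pdf|docx?)\.(exe|scr|bat|cmd)$", re.I)
# certutil invoked with one of its decode switches (real certutil flags).
CERTUTIL_DECODE = re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|decodehex)\b", re.I)


def classify(event):
    """Return the detection names that fire for one event (empty list if none)."""
    hits = []
    if DOUBLE_EXT.search(event["image"]):
        hits.append("double_extension_executable")
    if event["image"].lower().endswith("certutil.exe") and CERTUTIL_DECODE.search(event["cmdline"]):
        hits.append("certutil_decode")
    return hits


def scan(events):
    """Map event index -> detections, keeping only events that triggered something."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```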


Threat Actor Activity


Unauthorized Stock Market Trades Surge in Japan, Hackers Using Stolen Credentials

Japan's Financial Services Agency (FSA) reported a significant surge in unauthorized stock market trades in April, with almost $2 billion in funds illicitly moved by hackers. Updated figures reveal that nine (9) securities firms reported 2,746 fraudulent transactions through nearly 5,000 breached accounts in April alone. The hackers executed over $1 billion in sales and approximately $902 billion in purchases. For the first quarter of 2025, the FSA previously noted fraudulent transactions totaling $350 million in sales and $315 million in purchases across twelve (12) securities firms. These figures represent the total fraudulent transactions within compromised accounts. Typically, hackers access these accounts using stolen login credentials, sell stocks or securities, and reinvest the proceeds in domestic and foreign small-cap stocks. The hackers manipulate stock prices by using breached accounts to inflate the value of smaller stocks they own. Once the stock prices rise, they sell the stocks for profit. Cybersecurity experts have highlighted a recent increase in phishing campaigns in Japan, which likely contribute to these breaches. Researchers have pointed out that tools like ChatGPT enable hackers to create culturally tailored phishing emails. A report was also recently released on CoGUI, a phishing kit popular among Chinese cybercriminals for stealing usernames, passwords, and payment information.


Vulnerabilities


ASUS Patches Critical Vulnerabilities in DriverHub that Can Lead to RCE

ASUS has addressed two (2) high-severity vulnerabilities in its DriverHub software, tracked as CVE-2025-3462 (CVSS 8.4) and CVE-2025-3463 (CVSS 9.4), that could enable remote code execution (RCE) via maliciously crafted HTTP requests. Discovered by New Zealand-based researcher MrBruh, the flaws stem from improper origin and certificate validation in the software's communication with "driverhub.asus.com". Although ASUS claims that only motherboards are affected (not laptops or desktops), the vulnerabilities allowed unauthorized users to spoof subdomains like "driverhub.asus.com", exploit the UpdateApp endpoint, and execute arbitrary files silently with administrative privileges by manipulating the "AsusSetup.ini" configuration. DriverHub, which runs in the background and uses RPC and local APIs to manage driver updates, could be misused in one-click attacks by luring users to a malicious subdomain. Successful exploitation requires hosting a tampered "AsusSetup.ini" file, a payload, and a legitimate "AsusSetup.exe". ASUS patched the vulnerabilities on May 9, 2025, following responsible disclosure on April 8, and no evidence suggests active exploitation prior to the fix. CTIX recommends that any affected readers ensure that their drivers are up to date to prevent future exploitation.
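As an added example (not ASUS's code, and not a reconstruction of the actual DriverHub check), the snippet below contrasts an assumed loose origin check, which accepts any host that merely contains the expected name, with a strict one that requires HTTPS and an exact host match. The lookalike origins are constructed test values.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "driverhub.asus.com"   # expected update origin, as named in the briefing


def loose_origin_ok(origin):
    """Assumed weak check: passes if the expected name appears anywhere in the host."""
    host = urlsplit(origin).hostname or ""
    return EXPECTED_HOST in host


def strict_origin_ok(origin):
    """Hardened check: HTTPS only, default port, and the host must equal the expected name exactly."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host == EXPECTED_HOST and parts.port in (None, 443)


# Constructed origins: one legitimate, two lookalikes under another domain, one downgraded scheme.
ORIGINS = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com.attacker.test",
    "https://login.driverhub.asus.com.attacker.test",
    "http://driverhub.asus.com",
]


def compare(origins):
    """Return (loose, strict) verdicts per origin so the two policies can be compared side by side."""
    return [(o, loose_origin_ok(o), strict_origin_ok(o)) for o in origins]


if __name__ == "__main__":
    for origin, loose, strict in compare(ORIGINS):
        print(f"{origin:50} loose={loose!s:5} strict={strict}")
```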


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
