#eviteGolpes for cryptocurrency theft

Among the identified fake pages are Luma Dreammachine AI, Luma Dreammachine, and gratistuslibros. The content offers supposed services for creating videos, images, logos, and websites using AI technology. One example is a fake site that presents itself as 'CapCut AI,' promising to be a complete video editor with functions based on artificial intelligence.

Users who interact with these posts are led to fraudulent websites, where they upload images or videos. The site then induces them to download a file named 'VideoDreamAI.zip'. Inside the compressed file is an executable disguised as 'Video Dream MachineAI.mp4.exe', which initiates the installation of malware by executing a legitimate CapCut file.
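A mail gateway or download scanner can flag this kind of lure from the archive listing alone. The following is an added example, not code from the campaign analysis: it lists ZIP members whose name ends in a media or document extension followed by an executable one. The extension sets, the function names and the sample archive are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly, and media/document extensions used as decoys.
# Both sets are illustrative assumptions, not an exhaustive list.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk"}
DECOY = {".mp4", ".mov", ".avi", ".jpg", ".png", ".pdf", ".docx"}


def disguised_executables(zip_bytes):
    """Return (member name, reason) for entries named <decoy ext>.<executable ext>."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the file name, tolerate backslash separators, and drop the
            # trailing dots/spaces that Windows ignores when resolving the name.
            leaf = PurePosixPath(info.filename.replace("\\", "/")).name
            leaf = leaf.rstrip(" .").lower()
            suffixes = PurePosixPath(leaf).suffixes
            if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY:
                findings.append((info.filename, f"{suffixes[-2]} decoy before {suffixes[-1]}"))
    return findings


def build_sample_zip():
    """Constructed archive: placeholder bytes under the member name reported above."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Video Dream MachineAI.mp4.exe", b"placeholder")
        archive.writestr("readme.txt", b"placeholder")
        archive.writestr("tools/setup.exe", b"placeholder")  # plain .exe, not disguised
        archive.writestr("clips/holiday.mp4", b"placeholder")  # genuine media name
    return buffer.getvalue()


if __name__ == "__main__":
    for name, reason in disguised_executables(build_sample_zip()):
        print(f"{name}: {reason}")
```

Only the double-extension member is reported; an ordinary installer or a real media file in the same archive is left alone, which keeps the check usable as a quarantine rule.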

The execution sequence also involves a .NET loader (CapCutLoader) and a Python binary (srchost.exe) downloaded from a remote server. The latter is responsible for installing the Noodlophile Stealer, malware designed to collect browser data, social media credentials, and cryptocurrency wallet information, facilitating the silent theft of cryptocurrencies.

In specific cases, Noodlophile is also distributed along with the remote access trojan XWorm, allowing attackers to maintain prolonged control over the infected machines.