The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region.
“The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.
Noodlophile was previously detailed by the cybersecurity vendor in May 2025, uncovering the attackers’ use of fake artificial intelligence (AI)-powered tools as lures to propagate the malware. These counterfeit programs were found to be advertised on social media platforms like Facebook.
That said, the adoption of copyright infringement lures is not a new development. Back in November 2024, Check Point uncovered a large-scale phishing operation that targeted individuals and organizations under the false premise of copyright infringement violations to drop the Rhadamanthys Stealer.
But the latest iteration of the Noodlophile attacks exhibits notable deviation, particularly when it comes to the use of legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution.
It all starts with a phishing email that seeks to trick employees into downloading and running malicious payloads by inducing a false sense of urgency, claiming copyright violations on specific Facebook Pages. The messages originate from Gmail accounts in an effort to evade suspicion.
Present within the message is a Dropbox link that drops a ZIP or MSI installer, which, in turn, sideloads a malicious DLL using legitimate binaries associated with Haihaisoft PDF Reader to ultimately launch the obfuscated Noodlophile stealer, but not before running batch scripts to establish persistence using Windows Registry.
What’s notable about the attack chain is that it leverages Telegram group descriptions as a dead drop resolver to fetch the actual server (“paste[.]rs”) that hosts the stealer payload to challenge detection and takedown efforts.
“This approach builds on the previous campaign’s techniques (e.g., Base64-encoded archives, LOLBin abuse like certutil.exe), but adds layers of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said.
Noodlophile is a full-fledged stealer that can capture data from web browsers and gather system information. Analysis of the stealer source code indicates ongoing development efforts to expand on its capabilities to facilitate screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history extraction.
“The extensive targeting of browser…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
