The Noodlophile malware campaign has significantly broadened its scope, now targeting enterprises across the United States, Europe, the Baltic region, and the Asia-Pacific (APAC) area. Cybersecurity firm Morphisec reports that the attackers are employing sophisticated spear-phishing emails disguised as copyright infringement notices. These emails are meticulously crafted using reconnaissance data, including specific Facebook Page IDs and company ownership details, to enhance their credibility.
Initially, in May 2025, Morphisec identified that the Noodlophile campaign utilized counterfeit artificial intelligence (AI) tools to distribute malware. These deceptive tools were promoted through social media platforms like Facebook, luring users into downloading malicious software. The current strategy, however, marks a shift towards exploiting copyright infringement themes to deceive recipients.
This tactic isn’t entirely new. In November 2024, Check Point uncovered a large-scale phishing operation that used false copyright violation claims to deploy the Rhadamanthys Stealer. However, the latest Noodlophile attacks introduce several advanced techniques, including the exploitation of legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution.
Attack Methodology:
1. Phishing Emails: The campaign begins with emails that create a sense of urgency by alleging copyright violations on specific Facebook Pages. These messages, sent from Gmail accounts to avoid suspicion, prompt recipients to download and execute malicious payloads.
2. Malicious Links: The emails contain Dropbox links leading to ZIP or MSI installers. When executed, these installers sideload a malicious DLL using legitimate binaries from Haihaisoft PDF Reader. This process ultimately launches the obfuscated Noodlophile stealer.
3. Persistence Mechanisms: Before activating the stealer, batch scripts run to establish persistence by modifying the Windows Registry, ensuring the malware remains active on the infected system.
4. Evasion Techniques: A notable aspect of this attack chain is the use of Telegram group descriptions as dead drop resolvers. This method fetches the actual server (paste[.]rs) hosting the stealer payload, complicating detection and takedown efforts.
Morphisec researcher Shmuel Uzan highlights that this approach builds upon previous techniques, such as Base64-encoded archives and the abuse of living-off-the-land binaries (LOLBin) like certutil.exe. The addition of Telegram-based command-and-control and in-memory execution further enhances evasion, making disk-based detection more challenging.
Capabilities of Noodlophile Stealer:
Noodlophile is a comprehensive information stealer capable of:
– Capturing data from web browsers.
– Collecting system information.
Analysis of its source code indicates ongoing development to expand its functionalities, potentially including:
– Screenshot capture.
– Keylogging.
– File exfiltration.
– Process monitoring.
– Network information gathering.
– File encryption.
– Browser history extraction.
Morphisec notes that the stealer’s focus on browser data underscores its targeting of enterprises with significant social media presences, particularly on platforms like Facebook. The unimplemented functions suggest that the developers are actively working to enhance its capabilities, potentially transforming it into a more versatile and dangerous threat.
Recommendations for Enterprises:
Given the evolving nature of the Noodlophile campaign, enterprises are advised to:
– Educate Employees: Conduct regular training sessions to help employees recognize phishing attempts, especially those involving urgent copyright infringement claims.
– Implement Email Filtering: Utilize advanced email filtering solutions to detect and block phishing emails before they reach employees’ inboxes.
– Monitor Network Traffic: Keep an eye on network traffic for unusual activities, such as connections to known malicious domains or unexpected data exfiltration.
– Update Software Regularly: Ensure that all software, especially commonly exploited applications like PDF readers, are updated to their latest versions to mitigate vulnerabilities.
– Limit Use of External Links: Encourage employees to avoid clicking on links from unknown or unverified sources, particularly those received via email.
By adopting these measures, organizations can enhance their defenses against sophisticated malware campaigns like Noodlophile and protect their sensitive information from being compromised.
