- Noodlophile Malware targets companies in the U.S., Europe, the Baltics, and Asia-Pacific with advanced phishing campaigns.
- Attackers use spear-phishing emails disguised as copyright infringement notices, often tailored with information from online reconnaissance.
- The campaign delivers malware using Dropbox links and legitimate software, with added evasion through Telegram channels.
- Noodlophile is designed to steal browser and system data and developers are expanding its capabilities.
- The operation highlights a focus on businesses with significant social media profiles, especially on Facebook.
A recent malware campaign targets enterprise organizations across the United States, Europe, the Baltic region, and Asia-Pacific. Threat actors are deploying the Noodlophile information stealer using spear-phishing emails made to look like copyright violation alerts. Attackers seek to trick employees into downloading malicious files by referencing real business and Facebook Page details.
Morphisec researcher Shmuel Uzan reported that the ongoing Noodlophile operation has shifted tactics over the past year. Attackers now send carefully crafted emails from Gmail accounts, which include links to files hosted on Dropbox. Recipients are urged to download ZIP or MSI installers that launch a sequence designed to avoid detection.
The process uses legitimate software, such as Haihaisoft PDF Reader, to sideload harmful DLL files. The attack also runs scripts to make sure the malware stays active on the infected system. According to Morphisec, the phishing chain stands out for using Telegram group descriptions to retrieve the server address Hosting the actual malware payload, increasing the campaign’s ability to evade shutdown efforts.
“This approach builds on the previous campaign’s techniques (e.g., Base64-encoded archives, LOLBin abuse like certutil.exe), but adds layers of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said. Unlike earlier methods that primarily used fake Artificial Intelligence (AI) tools as bait, the current campaign demonstrates growth in both sophistication and scope.
Previous attacks with similar copyright lures delivered different malware, like Rhadamanthys Stealer. However, the current Noodlophile campaign uses new tricks, such as software vulnerabilities and obfuscated payload delivery through cloud and messaging services. The malware itself targets browser and system data, and it is under ongoing development to include functions like screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history collection.
Morphisec noted that the goal is to compromise businesses with large social media presences, especially those on Facebook. Planned enhancements to Noodlophile could make it a broader threat if development continues.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Apple Stock Climbs 9.7% Ahead of iPhone 17 and AI Event
- Akash Introduces Billing & Usage Dashboard for Credit Card Users
- MicroStrategy Faces New Wave of Ponzi Scheme Allegations Online
- ICP Plunges 7% as Support Crumbles, Institutional Interest Wanes
- Malicious PyPI Packages Uncovered: Supply Chain Risk for Python
