Noodlophile malware operation using copyright-related phishing tactics
The Noodlophile malware campaign, which has been active for over a year, is employing sophisticated spear-phishing emails to target enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region. According to Morphisec researcher Shmuel Uzan, these emails masquerade as copyright infringement notices and are customised with reconnaissance-derived details, such as specific Facebook Page IDs and company ownership information. The campaign previously utilised fake artificial intelligence (AI)-powered tools as lures, which were advertised on social media platforms like Facebook. However, the latest iteration of Noodlophile has evolved, incorporating legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution to enhance its effectiveness.
The attack begins with a phishing email designed to induce a false sense of urgency regarding alleged copyright violations on specific Facebook Pages. These emails originate from Gmail accounts to avoid raising suspicion. The messages contain a Dropbox link that delivers a ZIP or MSI installer, which subsequently sideloads a malicious DLL using legitimate binaries associated with Haihaisoft PDF Reader. This process ultimately launches the obfuscated Noodlophile stealer, while also executing batch scripts to establish persistence through the Windows Registry. Notably, the attack chain employs Telegram group descriptions as a dead drop resolver to retrieve the server hosting the stealer payload, thereby complicating detection and takedown efforts. Noodlophile is a comprehensive information stealer capable of capturing data from web browsers and gathering system information, with ongoing development aimed at expanding its capabilities, including screenshot capture, keylogging, file exfiltration, and browser history extraction.
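The two host-side stages of this chain, the sideload of an unsigned DLL by a Haihaisoft PDF Reader process and the batch-driven Run-key persistence, can be expressed as telemetry checks. The following is an added defender-side example written for this page, not code from the article or from Morphisec: field names follow Sysmon event IDs 1, 7 and 13, the vendor string comes from the article, and every binary name, path, GUID and value name in the sample events is a constructed placeholder (as is the assumption that the batch script persists via reg.exe).

```python
import re

# Sysmon field names: EID 1 ProcessCreate, EID 7 ImageLoad, EID 13 RegistryEvent.
# "Haihaisoft" is from the article; all paths, GUIDs and names below are constructed.
SIDELOAD_VENDOR = "haihaisoft"
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
SCRIPT_WRITERS = ("cmd.exe", "reg.exe")  # assumption: batch script persists via reg.exe


def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Alerts for: a Haihaisoft process loading an unsigned DLL from a user-writable
    directory (sideload) and a script interpreter writing a Run key (persistence)."""
    vendor_by_guid = {}  # ProcessGuid -> Company of the process image (from EID 1)
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            vendor_by_guid[ev["ProcessGuid"]] = ev.get("Company", "").lower()
        elif eid == 7:
            proc_vendor = vendor_by_guid.get(ev["ProcessGuid"], "")
            dll = ev["ImageLoaded"]
            if (SIDELOAD_VENDOR in proc_vendor
                    and ev.get("Signed", "false") == "false"
                    and user_writable(dll)):
                alerts.append(f"sideload: {ev['Image']} loaded unsigned {dll}")
        elif eid == 13:
            writer = ev["Image"].lower().rsplit("\\", 1)[-1]
            if (writer in SCRIPT_WRITERS and RUN_KEY.search(ev["TargetObject"])
                    and user_writable(ev.get("Details", ""))):
                alerts.append(f"persistence: {writer} set {ev['TargetObject']} = {ev['Details']}")
    return alerts


T = "C:\\Users\\alice\\AppData\\Local\\Temp\\Notice\\"  # constructed ZIP extraction dir
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": T + "pdfreader.exe", "Company": "Haihaisoft Limited"},
    {"EventID": 7, "ProcessGuid": "{G1}", "Image": T + "pdfreader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},   # benign load
    {"EventID": 7, "ProcessGuid": "{G1}", "Image": T + "pdfreader.exe",
     "ImageLoaded": T + "helper.dll", "Signed": "false"},                       # sideload
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.bat"},            # persistence
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},       # benign write
]
```

Running `detect(SAMPLE_EVENTS)` yields one sideload alert and one persistence alert; the signed system DLL and the Explorer-written Run value are ignored.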