Noodlophile Malware Campaign

Cybercriminals behind the Noodlophile malware have been waging an ongoing campaign targeting organizations in the U.S., Europe, the Baltics, and the Asia-Pacific region. By combining spear-phishing tactics with evolving delivery mechanisms, they aim to deploy a powerful information-stealing tool that continues to grow in sophistication.

Spear-Phishing with a Twist

The campaign, active for over a year, has shifted toward spear-phishing emails disguised as copyright infringement notices. These emails are not generic; attackers tailor them using reconnaissance data such as Facebook Page IDs and company ownership details to increase credibility.

Earlier waves of the Noodlophile campaign, uncovered in May 2025, relied on fake AI-powered tools promoted through social media channels like Facebook. Now, the shift to copyright-related lures marks a new chapter in its evolution. Notably, similar strategies have been seen before: in November 2024, a large-scale phishing campaign used false copyright infringement claims to spread the Rhadamanthys Stealer.

Anatomy of the Attack Chain

The current operation begins with Gmail-originated phishing emails, designed to bypass suspicion while instilling urgency around alleged copyright violations. Within the email, a Dropbox link delivers either a ZIP or MSI file. Once executed, this installer sideloads a malicious DLL through legitimate Haihaisoft PDF Reader binaries. Before the Noodlophile stealer runs, batch scripts are used to create persistence by modifying Windows Registry entries.

A particularly evasive technique involves Telegram group descriptions, which act as a 'dead drop resolver' to point victims toward the actual payload server hosted on paste.rs. This method complicates detection and takedown efforts while enabling dynamic payload delivery.

Evasion Tactics Evolving

Building on earlier campaigns that leveraged Base64-encoded archives and LOLBins like certutil.exe, the current iteration adds:

  • Telegram-based command-and-control channels
  • In-memory execution techniques to evade disk-based detection

These innovations showcase a steady trend toward more sophisticated evasion mechanisms, making traditional defenses less effective.
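The chain described above (certutil-style decoding, a DLL sideloaded through a legitimate PDF reader, batch-script persistence in a Run key, then contact with the Telegram dead-drop resolver and the paste.rs payload host) lends itself to a simple staged detection. The following is an added example written for this page, not code from the page, from the analysts it cites, or from any product. It assumes a simplified endpoint telemetry schema (one JSON object per line with `type`, `host`, `image`, `process`, `cmdline`, `key`, `data`, `dest_host` and `signed` fields); the sample events, the `pdfreader.exe` name standing in for the abused reader binary, and the `render.dll` name are all constructed.

```python
"""Staged detection sketch for the delivery chain described in the write-up.

Added example, not code from the page or from any vendor. The telemetry
schema (one JSON object per line) is an assumption loosely modelled on
endpoint sensor output; every sample event below is constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry: WS01 shows the full chain, WS02 shows benign look-alikes.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"id": 1, "host": "WS01", "type": "process",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -decode C:\\Users\\bob\\AppData\\Local\\Temp\\n.txt C:\\Users\\bob\\AppData\\Local\\Temp\\n.zip"},
    {"id": 2, "host": "WS01", "type": "image_load",
     "process": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf\\pdfreader.exe",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf\\render.dll", "signed": False},
    {"id": 3, "host": "WS01", "type": "registry",
     "process": "C:\\Windows\\System32\\cmd.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf\\pdfreader.exe"},
    {"id": 4, "host": "WS01", "type": "network",
     "process": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf\\pdfreader.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 5, "host": "WS01", "type": "network",
     "process": "C:\\Users\\bob\\AppData\\Local\\Temp\\pdf\\pdfreader.exe",
     "dest_host": "paste.rs", "dest_port": 443},
    {"id": 6, "host": "WS02", "type": "process",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -hashfile C:\\tools\\setup.msi SHA256"},
    {"id": 7, "host": "WS02", "type": "image_load",
     "process": "C:\\Program Files\\pdf\\pdfreader.exe",
     "image": "C:\\Windows\\System32\\render.dll", "signed": True},
])

# Directories an unprivileged user can write to; an unsigned DLL loaded from
# one of these by a signed reader is the sideloading tell.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
# Hosts the write-up names for the dead-drop resolver (Telegram) and the payload (paste.rs).
SUSPECT_HOSTS = {"api.telegram.org", "t.me", "paste.rs"}
# Placeholder for the legitimate PDF reader binary abused for sideloading (constructed name).
SIDELOAD_EXES = {"pdfreader.exe"}
SCRIPT_HOSTS = {"cmd.exe", "reg.exe"}  # batch-script persistence is written through these

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict):
    """Map one telemetry event to a chain stage name, or None if it looks benign."""
    t = ev["type"]
    if t == "process" and basename(ev["image"]) == "certutil.exe":
        if re.search(r"\s-(decode|urlcache)\b", ev.get("cmdline", ""), re.I):
            return "lolbin_decode"
    elif t == "image_load" and basename(ev["process"]) in SIDELOAD_EXES:
        if not ev.get("signed") and USER_WRITABLE.search(ev["image"]):
            return "dll_sideload"
    elif t == "registry" and RUN_KEYS.search(ev["key"]):
        if basename(ev["process"]) in SCRIPT_HOSTS or USER_WRITABLE.search(ev.get("data", "")):
            return "run_key_persistence"
    elif t == "network" and ev["dest_host"].lower() in SUSPECT_HOSTS:
        return "resolver_or_payload_contact"
    return None

def scan(jsonl: str):
    """Return (per-event findings, hosts on which two or more distinct stages were seen)."""
    findings = []
    stages = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            findings.append((ev["host"], ev["id"], stage))
            stages[ev["host"]].add(stage)
    chained = sorted(h for h, s in stages.items() if len(s) >= 2)
    return findings, chained

if __name__ == "__main__":
    hits, hosts = scan(SAMPLE_EVENTS)
    for host, event_id, stage in hits:
        print(host, event_id, stage)
    print("chain alert:", hosts)
```

Each rule on its own is noisy (certutil has legitimate uses, Telegram is reachable from many desktops), which is why the escalation to a chain alert requires at least two distinct stages on the same host; the benign events on WS02 never trigger, and the real sideload check in production would additionally compare the loader's directory with the reader's installation path and publisher certificate.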

Capabilities of Noodlophile

Noodlophile is not a simple stealer; it is a continuously evolving toolkit designed to exfiltrate a wide range of sensitive data. Current analysis shows it can:

  • Extract browser data and system information.
  • Harvest enterprise-related social media details, particularly from Facebook.

Ongoing code analysis reveals that the developers are working on expanding its functionality. Planned features include screenshot capture, keylogging, file exfiltration, process monitoring, network reconnaissance, file encryption, and detailed browser history extraction.

A Widening Enterprise Risk

The campaign's emphasis on browser and social media data highlights a deliberate strategy: to compromise enterprises with a strong online presence. With new functions under development, Noodlophile could evolve into a more versatile and dangerous threat, combining espionage, credential theft, and potentially even ransomware-like capabilities in the future.