Noodlophile malware expands global reach with copyright phishing lures
Gugu Ntsele August 21, 2025
The Noodlophile malware campaign has evolved to use copyright infringement phishing emails targeting enterprises across the U.S., Europe, Baltic countries, and Asia-Pacific region, leveraging sophisticated spear-phishing tactics with company-specific reconnaissance data.
What happened
The threat actors behind Noodlophile malware have expanded their attack methodology to include advanced spear-phishing emails that pose as copyright infringement notices. These emails contain reconnaissance-derived details including specific Facebook Page IDs and company ownership information. The campaign, which has been active for over a year, now targets enterprises globally across multiple regions including the United States, Europe, Baltic countries, and the Asia-Pacific region.
The attack begins with phishing emails sent from Gmail accounts claiming copyright violations on specific Facebook Pages to create urgency. These emails contain Dropbox links that deliver ZIP or MSI installers. The malicious files use DLL sideloading with legitimate Haihaisoft PDF Reader binaries to deploy the obfuscated Noodlophile stealer. The malware establishes persistence through Windows Registry modifications using batch scripts.
The backstory
Morphisec previously detailed the Noodlophile campaign in May 2025, when attackers used fake AI-powered tools as lures advertised on social media platforms like Facebook. The use of copyright infringement lures follows a similar pattern identified by Check Point in November 2024, where a large-scale phishing operation targeted individuals and organizations with false copyright infringement claims to distribute the Rhadamanthys Stealer.
Going deeper
The current Noodlophile attacks demonstrate several advanced techniques:
- Telegram integration: The malware uses Telegram group descriptions as a dead drop resolver to fetch the actual command-and-control server (paste[.]rs) that hosts the stealer payload, making detection and takedown efforts more difficult.
- Legitimate software exploitation: The campaign exploits vulnerabilities in legitimate software and uses legitimate, trusted binaries as hosts for DLL sideloading, so the malicious code runs under a trusted process and evades detection.
- Enhanced evasion: The attack builds on previous techniques including Base64-encoded archives and Living-off-the-Land Binary (LOLBin) abuse like certutil.exe, while adding layers of evasion through Telegram-based command-and-control and in-memory execution.
- Expanded capabilities: Analysis reveals ongoing development efforts to add screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history extraction.
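As an added, illustrative detection example (not code from the Morphisec report or this article), the routine below scans constructed Sysmon-style process-creation and image-load events for three of the behaviours listed above: certutil.exe decoding a Base64-encoded archive, a Run-key persistence entry written from a batch script, and a DLL sideload in which an executable in a user-writable directory loads an unsigned DLL from the same folder. All paths and file names, including the reader.exe stand-in for the PDF reader binary, are constructed placeholders.

```python
import re

# Constructed sample events for illustration only (not from the article).
# Keys: image, parent, cmdline; image-load events add loaded (DLL path) and signed.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"certutil -decode C:\Users\u\Downloads\notice.b64 C:\Users\u\AppData\Local\Temp\a.zip"},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\Users\u\AppData\Roaming\s\s.bat"},
    # reader.exe is a placeholder for the legitimate PDF reader binary used as a sideloading host
    {"image": r"C:\Users\u\AppData\Local\Temp\x\reader.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "reader.exe", "loaded": r"C:\Users\u\AppData\Local\Temp\x\helper.dll", "signed": False},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)

def classify(ev):
    """Return the names of the detections that fire for a single event."""
    hits = []
    image = ev["image"].lower()
    cmd = ev.get("cmdline", "")
    # 1. certutil used to decode or fetch a payload (LOLBin abuse of a Base64-encoded archive)
    if image.endswith("certutil.exe") and re.search(r"-(decode|urlcache|encode)\b", cmd, re.I):
        hits.append("certutil_lolbin")
    # 2. Run-key persistence written by reg.exe spawned from a batch script (cmd.exe parent)
    if image.endswith("reg.exe") and RUN_KEY.search(cmd) and ev["parent"].lower().endswith("cmd.exe"):
        hits.append("runkey_persistence_from_batch")
    # 3. Likely DLL sideloading: executable in a user-writable dir loads an unsigned DLL beside it
    loaded = ev.get("loaded")
    if loaded and not ev.get("signed", True) and USER_WRITABLE.search(image) \
            and loaded.rsplit("\\", 1)[0].lower() == ev["image"].rsplit("\\", 1)[0].lower():
        hits.append("dll_sideload_user_dir")
    return hits

def scan(events):
    """Map each flagged image path to its detections; benign events are omitted."""
    out = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev["image"]] = hits
    return out
```

Each detection on its own is noisy in a real estate (administrators also run certutil and reg.exe); the value is in correlating them with the delivery chain the article describes, such as a ZIP or MSI fetched from a file-sharing link shortly before.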
What was said
Morphisec researcher Shmuel Uzan said, "The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information."
Uzan also explained, "This approach builds on the previous campaign's techniques (e.g., Base64-encoded archives, LOLBin abuse like certutil.exe), but adds layers of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection."
Morphisec stated, "The extensive targeting of browser data underscores the campaign's focus on enterprises with significant social media footprints, particularly on platforms like Facebook. These unimplemented functions indicate that the stealer's developers are actively working to expand its capabilities, potentially transforming it into a more versatile and dangerous threat."
In the know
Noodlophile is classified as information-stealing malware capable of capturing data from web browsers and gathering system information. It operates as a full-fledged stealer that focuses primarily on browser data extraction, which makes it especially dangerous for organizations with extensive online presences. Dead drop resolvers are a technique by which malware reads a location it does not control, such as a public profile or group description, to dynamically locate its command-and-control server, making detection and disruption more challenging for security teams.
Why it matters
This evolution of the Noodlophile campaign represents a threat to healthcare organizations and other enterprises with substantial social media presences. The malware's focus on browser data extraction poses risks to organizations that manage patient communications, marketing, or public outreach through social platforms like Facebook. Healthcare entities often use social media for patient engagement and community outreach, making them prime targets for this type of attack. The campaign's use of company-specific information in phishing lures indicates intelligence gathering that could bypass traditional security awareness training, as employees may be more likely to trust emails that reference legitimate company assets like Facebook pages.
FAQs
Why do attackers use copyright infringement notices as phishing lures?
Because they create urgency and appear legitimate, prompting faster victim responses.
How do attackers gather company-specific details like Facebook Page IDs?
They collect publicly available information through reconnaissance of social media and business records.
What makes Telegram an attractive tool for malware command-and-control?
Its encrypted, widely used platform helps attackers blend in and resist takedowns.
How does Noodlophile's use of living-off-the-land binaries (LOLBins) complicate defense?
It exploits trusted Windows tools like certutil.exe, making malicious activity appear routine.