Researchers say the infostealer campaign has shifted from fake AI tools to employment-themed lures targeting job seekers.
What happened
Threat actors behind the Noodlophile infostealer have shifted from fake AI video generator websites to phishing campaigns posing as job opportunities and skills assessments. According to CyberPress, the researchers who first identified the malware in May 2025 now observe attackers targeting job seekers, students, and digital marketers with fraudulent employment offers. Victims are directed to realistic application forms or technical tests that quietly install malware built to steal login credentials and cryptocurrency wallet data. The activity has also been linked to the Vietnamese threat group UNC6229, which Google Cloud researchers had previously documented running job-themed phishing campaigns.
Going deeper
Noodlophile’s latest version shows a clear effort to evade detection and slow down analysis. The malware embeds a Vietnamese-language phrase purely to inflate its file size, which trips up some AI-assisted analysis tools that work from Python disassembly. It also runs self-integrity checks and refuses to execute if the file has been modified, for example patched to make debugging easier. Rather than naming the system functions it calls, it stores only DJB2 hashes of their names and resolves the real functions at runtime by hashing candidate names and comparing, so the imports never appear as readable text. Its command file is encrypted with RC4, a stream cipher, and its remaining strings are masked with a simple XOR pass against a fixed key, which is reversible by applying the same key again. None of this stops the code from running; it removes the plain-text strings and import names that signature scanning and quick static review depend on, so analysts fall back on dynamic analysis or on re-applying the recovered keys to restore the original text.
What was said
Google Cloud researchers say “fake career” phishing campaigns remain highly effective because they exploit normal job-seeking behavior and professional communication habits. The group UNC6229 is expected to continue refining these tactics and expand targeting into industries where employees have access to sensitive corporate systems or data. Researchers also warned that attackers are increasingly abusing legitimate Software-as-a-Service (SaaS) and Customer Relationship Management (CRM) platforms, meaning trusted business tools are being used to deliver malware or steal credentials, making the campaigns more difficult for traditional security defenses to detect.
In the know
According to Hackread, researchers have also uncovered another job-themed phishing tactic in which attackers impersonate well-known brands like Red Bull, KFC, and Ferrari to steal Facebook credentials. The campaign uses emails sent through services such as Google Workspace and Microsoft 365 that link to fake job listings mimicking platforms like Glassdoor. Researchers noted the identical structure of the emails, suggesting the use of templates or large language models to generate convincing bait at scale. Victims who attempt to apply are redirected to a fake login flow, and once credentials are entered, a looping screen appears while the data is silently captured.
The big picture
As attackers use AI to craft highly personalized job lures, they exploit a workforce that is increasingly “desensitized” to traditional warning banners and phishing simulations. With 86% of IT leaders reporting that their current security tools cause significant workflow friction, staff are 41% more likely to bypass official channels to maintain productivity, unwittingly opening the door to infostealers. Because only 1.1% of healthcare organizations have fully optimized their email security posture, these automated scams represent a persistent threat to an industry where, as Paubox Chief Compliance Officer Rick Kuwahara warns, “confidence without clarity is what gets organizations breached.”
FAQs
Why are job postings an effective malware lure?
Job applications often require document downloads or skill assessments, which creates a plausible reason for victims to open files that would otherwise seem suspicious.
What is an infostealer?
An infostealer is malware designed to extract sensitive data such as usernames, passwords, browser cookies, and cryptocurrency wallet keys from an infected device.
How does DJB2 hashing help malware avoid detection?
The malware stores a numeric DJB2 hash of each function name instead of the name itself and looks the function up at runtime by hashing candidate names until one matches. Because the readable names never appear in the file, import tables and string dumps reveal little, which makes static inspection harder.
Why are anti-analysis techniques needed?
Self-integrity checks and encryption layers do not stop the malware from running, but they make it slower for researchers and automated tools to work out what it does, which delays detection signatures and response.
What should security teams monitor in response to this trend?
Organizations should watch for suspicious recruitment-themed messages, unexpected executable downloads during hiring workflows, and unusual outbound communications to messaging platforms that may signal credential exfiltration.
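The following is an added example, not from any of the reports the article cites. It is a small correlation rule over constructed proxy-log lines for two of the signals listed above: an archive or executable fetched from a recruitment-themed URL, followed within a short window by the same client posting to a messaging platform's API. The log format, hostnames, keyword lists and the 30-minute window are assumptions, and the messaging-API host list is a placeholder to be replaced with the platforms seen in the organization's own traffic.

```python
# Added example (not from the cited research). Constructed log lines and placeholder hosts.
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <client> <method> <url> <content-type>"
SAMPLE_LOG = """\
2025-11-03T09:14:02 ws-17 GET https://careers-apply-now.example/assessment/skills_test.zip application/zip
2025-11-03T09:15:40 ws-17 POST https://api.chat-platform.example/bot/sendDocument multipart/form-data
2025-11-03T09:20:11 ws-22 GET https://jobs.example/listing/1234 text/html
2025-11-03T10:02:55 ws-22 POST https://api.chat-platform.example/bot/sendDocument multipart/form-data
2025-11-03T11:30:00 ws-31 GET https://careers-apply-now.example/assessment/test.exe application/octet-stream
2025-11-03T13:45:00 ws-31 POST https://api.chat-platform.example/bot/sendDocument multipart/form-data
""".splitlines()

RECRUITMENT_HINTS = ("career", "job", "recruit", "apply", "assessment", "hiring")
DROPPER_SUFFIXES = (".zip", ".rar", ".7z", ".exe", ".scr", ".msi", ".lnk", ".js")
MESSAGING_API_HOSTS = ("api.chat-platform.example",)   # assumed placeholder list
WINDOW = timedelta(minutes=30)                          # assumed correlation window


def parse(line: str) -> dict:
    """Split one log line into its fields and pull the host out of the URL."""
    ts, client, method, url, ctype = line.split(" ", 4)
    host = url.split("/", 3)[2]
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "host": host, "ctype": ctype}


def is_lure_download(ev: dict) -> bool:
    """GET of an archive/executable from a URL with recruitment wording."""
    u = ev["url"].lower()
    return (ev["method"] == "GET"
            and u.endswith(DROPPER_SUFFIXES)
            and any(h in u for h in RECRUITMENT_HINTS))


def is_messaging_post(ev: dict) -> bool:
    """POST to a messaging-platform API host, the exfiltration leg."""
    return ev["method"] == "POST" and ev["host"] in MESSAGING_API_HOSTS


def correlate(lines: list[str], window: timedelta = WINDOW) -> list[tuple[str, str, str]]:
    """Return (client, download_url, post_url) triples where a lure download is
    followed by a messaging-API POST from the same client within the window.
    A listing page viewed without a download, or a POST hours later, is not flagged."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    hits: list[tuple[str, str, str]] = []
    pending: dict[str, dict] = {}   # client -> most recent lure download
    for ev in events:
        if is_lure_download(ev):
            pending[ev["client"]] = ev
        elif is_messaging_post(ev):
            dl = pending.get(ev["client"])
            if dl is not None and ev["ts"] - dl["ts"] <= window:
                hits.append((ev["client"], dl["url"], ev["url"]))
    return hits


if __name__ == "__main__":
    for client, download, post in correlate(SAMPLE_LOG):
        print(f"{client}: {download} -> {post}")
```

Run against the constructed lines, only `ws-17` is flagged: `ws-22` viewed a listing but downloaded nothing executable, and `ws-31` posted more than two hours after its download. In production the keyword and suffix lists should be tuned against the organization's real hiring traffic, since recruiters legitimately exchange archives, and the messaging-host list should cover whatever platforms the sample in question actually uses.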