Threat Actors Attacking Organizations' Key Employees With Weaponized Copyright Documents to Deliver Noodlophile Stealer


A sophisticated phishing campaign has emerged targeting enterprises with significant social media footprints, leveraging weaponized copyright infringement notices to deliver the evolved Noodlophile Stealer malware.

This highly targeted threat represents a significant escalation from previous iterations, exploiting enterprises’ reliance on social media platforms through meticulously crafted spear-phishing emails that allege copyright violations on specific Facebook Pages.

The campaign demonstrates unprecedented precision in its targeting methodology, with threat actors conducting extensive reconnaissance to gather specific details including Facebook Page IDs and company ownership information.


These personalized attacks primarily target key employees and generic organizational inboxes such as info@ and support@, creating a sense of urgency through legal threats that pressure recipients into clicking malicious links disguised as evidence files.

Morphisec analysts identified that this evolved campaign employs multilingual content spanning English, Spanish, Polish, and Latvian, potentially leveraging artificial intelligence for localization and broader global reach.

Figure: Attack chain (Source – Morphisec)

The sophistication extends beyond simple email lures, incorporating legitimate software vulnerabilities and obfuscated staging mechanisms that significantly complicate detection efforts.

Unlike its predecessor, which relied on fake AI video generation platforms, the current Noodlophile variant exploits legitimate, digitally signed applications vulnerable to DLL side-loading, including Haihaisoft PDF Reader and Excel converters.

The malware operators have developed two innovative exploitation techniques: recursive stub loading and chained DLL vulnerabilities, both designed to execute malicious code covertly within trusted processes.

Advanced Delivery and Persistence Mechanisms

The malware’s delivery mechanism represents a masterclass in evasion techniques, utilizing Dropbox links masked by TinyURL redirects to distribute archived payloads.

These archives contain carefully disguised artifacts, including batch scripts renamed as .docx files and self-extracting archives posing as .png files, executed through malicious libraries loaded within legitimate applications.
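The disguises described above (a batch script carrying a .docx name, a self-extracting executable carrying a .png name) are detectable before anything runs, because the file content does not match what the extension promises. The following is an added defender-side example, not code from the article or from Morphisec: it compares each file's leading bytes against the signature its extension should have and labels mismatches. The sample files are constructed for the example.

```python
import os
import re

# Signatures a file with this extension should begin with.
# A .docx is an OOXML document, which is a ZIP container, so it starts with "PK\x03\x04".
MAGIC_BY_EXT = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}

# Content classes worth naming when they hide behind a document/image extension.
BATCH_HINT = re.compile(rb"^\s*(@echo|rem\s|set\s|start\s|cmd(\.exe)?\s|powershell)", re.I)


def describe_content(data: bytes) -> str:
    """Best-effort label for bytes that do not match the expected signature."""
    if data[:2] == b"MZ":
        return "MZ executable (possible self-extracting archive)"
    if BATCH_HINT.match(data):
        return "batch/script text"
    return "unrecognised content"


def classify(filename: str, data: bytes) -> str:
    """Return 'ok', 'unknown-extension', or 'mismatch: <what the bytes look like>'."""
    ext = os.path.splitext(filename)[1].lower()
    expected = MAGIC_BY_EXT.get(ext)
    if expected is None:
        return "unknown-extension"
    if any(data.startswith(sig) for sig in expected):
        return "ok"
    return f"mismatch: {describe_content(data)}"


def triage_archive(members):
    """Classify a list of (name, bytes) pairs; return only the entries that need a look."""
    findings = []
    for name, data in members:
        verdict = classify(name, data)
        if verdict.startswith("mismatch"):
            findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample archive members (not artifacts from the campaign).
    sample = [
        ("evidence_01.docx", b"@echo off\r\nstart \"\" something.exe\r\n"),
        ("proof.png", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24),
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("notice.pdf", b"%PDF-1.7\n"),
    ]
    for name, verdict in triage_archive(sample):
        print(f"{name}: {verdict}")
```

Run it against the extracted contents of a suspicious archive; entries reported as mismatches are the ones to quarantine and inspect rather than open.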

Following successful DLL side-loading, the campaign introduces an intermediate staging process where malicious DLLs rename additional files to reveal BAT scripts and portable Python interpreters.

The persistence mechanism operates through registry modifications under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, establishing execution via cmd.exe commands that launch Python interpreters with malicious scripts.
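The Run-key pattern just described (a cmd.exe command chain that starts a Python interpreter from a user-writable location) is a narrow enough shape to hunt for. The following is an added triage example, not code from the article or from Morphisec: it scores exported Run-key values and flags the combination of a cmd.exe launcher, a Python interpreter, and a user-writable path. The entries are constructed for the example; the value names and paths are assumptions, not indicators from the campaign.

```python
import re

# Launcher is cmd.exe, possibly quoted and possibly with a full path.
CMD_LAUNCHER = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s', re.I)
# Any python/pythonw interpreter, including a portable copy with a version suffix.
PYTHON_INTERP = re.compile(r"python(?:w)?(?:\d+(?:\.\d+)?)?\.exe", re.I)
# Locations an unprivileged user can write to, where a dropped interpreter would live.
USER_WRITABLE = re.compile(
    r"\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\|\\downloads\\", re.I
)
# A .py argument following the interpreter is the "script" half of the pattern.
SCRIPT_ARG = re.compile(r'"?[^"\s]+\.py"?', re.I)


def score_run_value(command: str):
    """Return (score, reasons) for one Run-key command string."""
    reasons = []
    if CMD_LAUNCHER.match(command + " "):
        reasons.append("launched via cmd.exe")
    if PYTHON_INTERP.search(command):
        reasons.append("invokes a Python interpreter")
        if SCRIPT_ARG.search(command):
            reasons.append("passes a .py script")
    if USER_WRITABLE.search(command):
        reasons.append("references a user-writable path")
    return len(reasons), reasons


def triage_run_entries(entries, threshold: int = 3):
    """entries: iterable of (value_name, command). Returns flagged (name, reasons)."""
    flagged = []
    for name, command in entries:
        score, reasons = score_run_value(command)
        if score >= threshold:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    # Constructed sample export of HKCU\...\Run (not from a real host).
    sample = [
        ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
        ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
        ("Updater", r'cmd.exe /c start "" "C:\Users\alice\AppData\Roaming\Runtime\pythonw.exe" '
                    r'"C:\Users\alice\AppData\Roaming\Runtime\update.py"'),
    ]
    for name, reasons in triage_run_entries(sample):
        print(f"{name}: {'; '.join(reasons)}")
```

The threshold of three reasons keeps legitimate AppData-resident software such as OneDrive (one reason) out of the results while the cmd.exe plus interpreter plus script plus user path combination scores four. Feed it a `reg export` of the Run key, or the equivalent from an EDR registry collection, and review the flagged names.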

The enhanced obfuscation layer extracts URLs from Telegram group descriptions, enabling dynamic payload execution while hosting final stages on platforms like paste.rs.

This Telegram-based command-and-control infrastructure, combined with in-memory execution capabilities, significantly complicates traditional disk-based detection methods and represents a concerning evolution in stealer deployment strategies.

The Noodlophile Stealer’s current capabilities focus extensively on browser-based data theft, targeting web credentials, autofill data, and Facebook cookies through sophisticated SQL queries.

Its codebase reveals placeholder functions indicating planned expansions into screenshot capture, keylogging, and potential EDR bypass mechanisms through AMSI and ETW tampering.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.