Stratos Ally

Noodlophile Phishing Campaign Evolves with Smarter Lures and Stealthier Tactics


StratosAlly


The Noodlophile malware, known for stealing sensitive information and tracked by researchers for more than a year, has not faded but instead grown more sophisticated. Analysts say its operators are now refining spear-phishing techniques and upgrading delivery methods, pushing the threat deeper into organizations across the United States, Europe, the Baltics, and the Asia-Pacific. 

Morphisec researcher Shmuel Uzan explains that the latest wave relies on phishing messages disguised as copyright violation alerts. Unlike generic spam, these emails are customized with reconnaissance-based details, such as Facebook Page identifiers and corporate ownership records, to increase their authenticity and convince recipients to act.

Attackers open the operation with Gmail messages that read casually enough to avoid raising suspicion among employees. Recipients are then directed to Dropbox links that masquerade as supporting copyright-claim documents, reinforcing the legitimacy of the lure. These links deliver either a ZIP archive or an MSI installer, which sideloads a malicious DLL through a legitimate program such as Haihaisoft PDF Reader. Before the Noodlophile stealer is activated, the malware runs batch scripts that modify the Windows Registry to establish persistence. To further complicate detection, the operators use Telegram group descriptions as dead-drop resolvers that point compromised machines to payload servers hosted on services such as “paste[.]rs.”
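The chain above gives a defender three observable stages: a DLL loaded from the same user-writable folder as the program loading it, a batch script writing a Run key, and an outbound connection to the payload host. The following script is an added example (not Morphisec's or StratosAlly's code) that applies those heuristics to constructed Sysmon-style events; the executable and DLL names, user paths and registry value are assumptions, and only the paste.rs host comes from the report.

```python
import ntpath
import re

# Constructed Sysmon-style events (event_type, process_image, detail); not real telemetry.
# The exe/DLL names, user paths and registry value name are assumptions for illustration.
SAMPLE_EVENTS = [
    ("ImageLoad", r"C:\Users\alice\Downloads\claim\reader.exe",
     r"C:\Users\alice\Downloads\claim\hypothetical.dll"),            # DLL beside exe in user dir
    ("ImageLoad", r"C:\Users\alice\Downloads\claim\reader.exe",
     r"C:\Windows\System32\kernel32.dll"),                            # benign system DLL
    ("RegistryWrite", r"C:\Windows\System32\cmd.exe /c C:\Users\alice\AppData\Local\Temp\p.bat",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),  # batch-driven Run key
    ("NetConnect", r"C:\Users\alice\Downloads\claim\reader.exe", "paste.rs:443"),  # dead-drop host
    ("NetConnect", r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.com:443"),
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)   # profile directories
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)    # autostart registry keys
PAYLOAD_HOSTS = {"paste.rs"}  # service named in the report; extend from your own intel

def classify(event):
    """Label one event with the stage of the chain it matches, or None if benign."""
    kind, image, detail = event
    if kind == "ImageLoad":
        same_dir = ntpath.dirname(image).lower() == ntpath.dirname(detail).lower()
        if USER_WRITABLE.match(detail) and same_dir:
            return "dll_sideload_from_user_dir"
    elif kind == "RegistryWrite":
        if ".bat" in image.lower() and RUN_KEY.search(detail):
            return "batch_script_run_key_persistence"
    elif kind == "NetConnect":
        if detail.rsplit(":", 1)[0].lower() in PAYLOAD_HOSTS:
            return "dead_drop_payload_host"
    return None

def scan(events):
    """Return (findings, escalate): findings as (stage, image) pairs; escalate when
    two or more distinct stages of the chain are seen on the same host."""
    findings = [(stage, ev[1]) for ev in events if (stage := classify(ev))]
    return findings, len({stage for stage, _ in findings}) >= 2

if __name__ == "__main__":
    hits, escalate = scan(SAMPLE_EVENTS)
    for stage, image in hits:
        print(f"{stage:36} {image}")
    print("escalate:", escalate)
```

Any single heuristic fires on benign software too; the value is in correlating two or more stages on one host within a short window.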

Previous research has already revealed that the same threat actors used counterfeit artificial intelligence (AI) tools promoted via social media advertisements, exploiting the rising interest in AI to lure victims. The current campaign builds upon these earlier tactics, layering in-memory execution, obfuscation, and the abuse of trusted binaries on top of existing techniques. Analysts note that this evolution bears resemblance to widespread phishing operations uncovered in late 2024 that also exploited copyright-related themes. 

Noodlophile is far more than a conventional stealer. While it already gathers browser credentials and system information, analysis of its code reveals work in progress toward additional features, including keylogging, screenshot capture, file exfiltration, process monitoring, and even file encryption. Researchers stress that its focus on browser and social media data indicates a deliberate attempt to infiltrate enterprises with strong online presences, particularly those relying heavily on Facebook. 

Researchers warn that Noodlophile's steady progress is a reminder of how quickly cybercriminals adapt, combining familiar social-engineering tricks with legitimate services to sidestep defenses. Left to evolve, the stealer could develop into a broad-spectrum tool capable of disrupting operations at scale. Organizations are urged to take preventive steps, train staff, tighten technical controls, and scrutinize unsolicited emails as the campaign continues to advance.
