The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region.
“The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.
Noodlophile was previously detailed by the cybersecurity vendor in May 2025, uncovering the attackers’ use of fake artificial intelligence (AI)-powered tools as lures to propagate the malware. These counterfeit programs were found to be advertised on social media platforms like Facebook.
That said, the adoption of copyright infringement lures is not a new development. Back in November 2024, Check Point uncovered a large-scale phishing operation that targeted individuals and organizations under the false premise of copyright infringement violations to drop the Rhadamanthys Stealer.
But the latest iteration of the Noodlophile attacks exhibits notable deviation, particularly when it comes to the use of legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution.
It all starts with a phishing email that seeks to trick employees into downloading and running malicious payloads by inducing a false sense of urgency, claiming copyright violations on specific Facebook Pages. The messages originate from Gmail accounts in an effort to evade suspicion.
Present within the message is a Dropbox link that drops a ZIP or MSI installer, which, in turn, sideloads a malicious DLL using legitimate binaries associated with Haihaisoft PDF Reader to ultimately launch the obfuscated Noodlophile stealer, but not before running batch scripts to establish persistence using Windows Registry.
What’s notable about the attack chain is that it leverages Telegram group descriptions as a dead drop resolver to fetch the actual server (“paste[.]rs”) that hosts the stealer payload to challenge detection and takedown efforts.
“This approach builds on the previous campaign’s techniques (e.g., Base64-encoded archives, LOLBin abuse like certutil.exe), but adds layers of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said.
Noodlophile is a full-fledged stealer that can capture data from web browsers and gather system information. Analysis of the stealer source code indicates ongoing development efforts to expand on its capabilities to facilitate screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history extraction.
“The extensive targeting of browser data underscores the campaign’s focus on enterprises with significant social media footprints, particularly on platforms like Facebook,” Morphisec said. “These unimplemented functions indicate that the stealer’s developers are actively working to expand its capabilities, potentially transforming it into a more versatile and dangerous threat.”
