This advanced campaign leverages copyright infringement claims as a social engineering lure to deliver an enhanced version of the previously documented information stealer.
The evolved Noodlophile campaign demonstrates a marked increase in sophistication compared to its predecessor, which exploited AI enthusiasm through fake platforms promising video generation services.
Current operations employ highly personalized spear-phishing emails that allege copyright violations on specific Facebook Pages, incorporating precise reconnaissance data, including Page IDs and company ownership information.
These fraudulent communications, often originating from Gmail accounts to evade initial suspicion, target key employees and generic corporate inboxes such as info@ and support@ addresses.
The multilingual nature of these campaigns, featuring content in English, Spanish, Polish, and Latvian, suggests potential AI-assisted localization capabilities.
Recipients are pressured through urgent legal threats to click malicious links disguised as evidence files, such as “View Copyright Infringement Evidence.pdf.”
Unlike the original campaign’s reliance on fake AI platforms and traditional malware deployment through ZIP archives containing deceptive executables, the current iteration exploits legitimate, signed applications vulnerable to DLL side-loading.
Targeted applications include Haihaisoft PDF Reader and Excel converters, with attackers implementing two innovative techniques: recursive stub loading and chained DLL vulnerabilities.
Payloads are distributed via Dropbox links masked by TinyURL redirects, containing archives with disguised artifacts, including batch scripts renamed as .docx files and self-extracting archives posing as .png files.
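The disguises described above (a batch script carrying a .docx name, a self-extracting archive carrying a .png name) can be caught by comparing each extracted file's leading bytes with the signature its extension implies. This is an added detection example, not code from the article or from the campaign; the archive members are constructed here for the demonstration.

```python
"""Flag extracted files whose content signature does not match their extension.

Added example: a genuine .docx is a ZIP container (starts with b"PK\x03\x04"),
a PNG has a fixed 8-byte signature, and a self-extracting archive is a PE
image (starts with b"MZ"). Sample members below are constructed.
"""
from typing import Optional

# Leading bytes a file with this extension is expected to carry.
MAGIC = {
    ".docx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}

def sniff(data: bytes) -> str:
    """Classify content by its signature; 'batch' covers @echo-off style text."""
    if data.startswith(b"MZ"):
        return "pe"          # executable or self-extracting archive
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"%PDF-"):
        return "pdf"
    head = data[:64].lower()
    if head.startswith(b"@echo off") or head.startswith(b"::"):
        return "batch"
    return "unknown"

def check_member(name: str, data: bytes) -> Optional[str]:
    """Return a finding when the extension's signature is absent, else None."""
    parts = name.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    expected = MAGIC.get(ext)
    if expected is None or any(data.startswith(sig) for sig in expected):
        return None          # extension not watched, or signature matches
    return f"{name}: extension {ext} but content looks like {sniff(data)}"

def scan(members: dict) -> list:
    """Run check_member over a name -> bytes mapping and keep the findings."""
    return [f for f in (check_member(n, d) for n, d in members.items()) if f]

# Constructed members mimicking the campaign's renamed artifacts.
SAMPLE = {
    "Evidence.png": b"MZ\x90\x00" + b"\x00" * 60,            # SFX archive as .png
    "Notice.docx": b"@echo off\r\necho placeholder\r\n",     # batch script as .docx
    "Real.docx": b"PK\x03\x04" + b"\x00" * 30,               # genuine OOXML container
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```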
The side-loaded malicious DLLs establish persistence through registry modifications under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, while some variants download additional disguised files from remote servers.
The campaign introduces Telegram-based staging mechanisms, extracting URLs from Telegram group descriptions for dynamic payload execution.
Final stealers are hosted on platforms like paste.rs, complicating detection and takedown efforts. This approach builds upon previous techniques, including Base64-encoded archives and LOLBin abuse through certutil.exe, while adding in-memory execution to avoid disk-based detection.
The enhanced Noodlophile Stealer targets extensive browser-based data, including Web Data, AutoFills, cookies (with a particular focus on Facebook cookies), and credit card information, using Chrome protection bypasses.
The malware’s codebase reveals placeholder functions for future capabilities, including screenshot capture, keylogging, and file encryption, indicating rapid development cycles and planned feature expansion.
| Sender Domain | Common Subjects | Key Phrases |
|---|---|---|
| gmail.com | Copyright Infringement Notice, Urgent Action Required | “Immediate Action Required”, “Legal Representatives”, “Facebook Page ID” |
The post Weaponized Copyright Documents Used by Threat Actors to Target Key Employees with Noodlophile Stealer appeared first on Cyber Security News.