Beyond the Inbox: How a New Phishing Campaign Leverages Copyright Claims to Deliver Noodlophile Malware

The Noodlophile malware campaign has entered a new phase, steadily expanding its reach across more countries. Morphisec researcher Shmuel Uzan has reported that attackers have shifted to using phishing emails disguised as copyright infringement notices, while introducing new mechanisms for delivering malicious payloads. Targets include organizations in the United States, Europe, the Baltic states, and the Asia-Pacific region.

Previously, Noodlophile was distributed through fraudulent AI services advertised on Facebook. Now, cybercriminals are exploiting the credibility of copyright violation alerts, embedding authentic social media page identifiers and company ownership details to enhance the illusion of legitimacy.

Emails are dispatched from Gmail accounts to evade suspicion and contain Dropbox links leading to ZIP archives or MSI installers. These files trigger a DLL sideloading technique, where the legitimate Haihaisoft PDF Reader executable loads a malicious DLL. Before activating the stealer itself, batch scripts modify Windows Registry entries to establish persistence.

A defining feature of the updated infection chain is the use of Telegram group descriptions as covert channels for retrieving the command-and-control (C2) server address hosted on paste[.]rs. This design complicates infrastructure takedown and campaign tracking. The attackers further employ evasive tactics, such as Base64-encoded archives, native Windows utilities like certutil.exe, and in-memory payload execution without leaving traces on disk—altogether making detection significantly more difficult.
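The two preceding paragraphs describe three pieces of tradecraft that each leave a distinctive mark in endpoint telemetry: certutil.exe turning a Base64 text blob back into an archive, a batch script adding a registry autorun entry, and a legitimate PDF reader loading a DLL from the directory it was dropped into. The script below is an added detection example, not code from Morphisec or from the article, that runs three corresponding rules over constructed process-creation and image-load events. The flat event schema (kind/image/parent/cmdline/loaded), the `pdfreader.exe` file name, the `Run` key as the persistence location and every path are assumptions or placeholders; the article names none of them.

```python
"""Triage constructed endpoint telemetry for Noodlophile-style tradecraft:
certutil-based Base64 decoding, batch-driven registry persistence, and DLL
sideloading from a user-writable directory.

All events below are constructed samples, not telemetry from the campaign.
The field names are an assumed flat schema; map them onto Sysmon (event IDs 1
and 7) or your EDR's process/image-load fields as appropriate.
"""
import re

# Directories an unprivileged user can write to; a DLL loaded from here by a
# non-system executable is the classic sideloading footprint.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\", re.I)
# Run/RunOnce is assumed as the persistence location; the article does not name the key.
AUTORUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)


def is_certutil_decode(ev):
    """certutil.exe invoked with a decode switch (Base64 or hex text -> binary file)."""
    if ev.get("kind") != "process" or not ev["image"].lower().endswith("\\certutil.exe"):
        return False
    return re.search(r"(?<!\S)[-/](decode|decodehex)\b", ev["cmdline"], re.I) is not None


def is_batch_autorun_persistence(ev):
    """reg.exe adding an autorun value while spawned by cmd.exe (how a .bat script runs)."""
    if ev.get("kind") != "process" or not ev["image"].lower().endswith("\\reg.exe"):
        return False
    if not ev["parent"].lower().endswith("\\cmd.exe"):
        return False
    return (re.search(r"\badd\b", ev["cmdline"], re.I) is not None
            and AUTORUN_KEYS.search(ev["cmdline"]) is not None)


def is_sideload_from_user_dir(ev):
    """A non-system executable loads a DLL that sits in a user-writable directory.
    A benign host binary loads whatever DLL of the expected name lies beside it,
    so the DLL's location, not its name, is the signal."""
    if ev.get("kind") != "imageload":
        return False
    if SYSTEM_DIRS.match(ev["image"]) or not ev["loaded"].lower().endswith(".dll"):
        return False
    return USER_WRITABLE.search(ev["loaded"]) is not None


RULES = {
    "certutil_base64_decode": is_certutil_decode,
    "batch_autorun_persistence": is_batch_autorun_persistence,
    "dll_sideload_user_dir": is_sideload_from_user_dir,
}


def triage(events):
    """Return [(event_index, rule_name), ...] for every rule that fires, in input order."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample events. "pdfreader.exe" and "helper.dll" are placeholders,
# not the real binary names from the campaign.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -decode C:\Users\jdoe\AppData\Local\Temp\notice.txt "
                r"C:\Users\jdoe\AppData\Local\Temp\notice.zip"},
    {"kind": "process", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Reader '
                r'/t REG_SZ /d "C:\Users\jdoe\AppData\Roaming\Reader\pdfreader.exe" /f'},
    {"kind": "imageload", "image": r"C:\Users\jdoe\AppData\Roaming\Reader\pdfreader.exe",
     "loaded": r"C:\Users\jdoe\AppData\Roaming\Reader\helper.dll"},
    # Administrative certutil use: no decode switch, must not fire.
    {"kind": "process", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"certutil -verify -urlfetch C:\ProgramData\certs\issuer.cer"},
    # Normal DLL load from System32: must not fire.
    {"kind": "imageload", "image": r"C:\Program Files\Reader\pdfreader.exe",
     "loaded": r"C:\Windows\System32\helper.dll"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run on the constructed input, the first three events fire one rule each and the two benign events stay quiet. The sideloading rule is deliberately broad (many self-updating applications legitimately load DLLs from AppData), so in production it is a hunting lead to pair with signer or hash allowlisting rather than a standalone alert; the certutil and autorun rules are narrow enough to alert on directly in most environments.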

Noodlophile functions as a fully fledged information stealer: it harvests system information, extracts browser data, and collects browsing history. Source code analysis reveals that development is ongoing: dormant features for keylogging, screenshot capture, process monitoring, file encryption, and data exfiltration are already in place, suggesting that the malware is being engineered into a comprehensive espionage platform.

The attackers’ emphasis on browser data theft highlights their interest in corporate social media accounts, particularly on Facebook, where businesses often manage large audiences and link financial tools to their profiles. With its expanding capabilities, Noodlophile could soon evolve into a major threat to enterprises worldwide, merging espionage, credential theft, and even ransomware-like functionality.