
Noodlophile information stealer expands delivery and data-theft capabilities

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique source, 1 article

Summary


The Noodlophile infostealer has expanded its delivery chain and capabilities, increasing the risk of credential and data theft for enterprise targets across the U.S., Europe, Baltic countries, and APAC. Attackers are using spear-phishing emails that pose as copyright infringement notices and include reconnaissance-derived details such as Facebook Page IDs and company ownership information. The malware is delivered through Dropbox links and ZIP or MSI installers, then uses DLL sideloading, Telegram dead-drop resolution, and in-memory execution to evade detection. Its source code also shows planned expansion into keylogging, screenshot capture, and browser history extraction.

Related Happenings

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

Infy Foudre and Tonnerre malware activity

Malware Activity
First: 21.12.2025 06:22 Last: 21.12.2025 06:22 Sources 1

About this happening: The **Infy** group is actively using **Foudre** and **Tonnerre** to deliver a **second-stage implant** that extracts data from **high-value machines**. The malware activity matter...

EtherHiding JADESNOW downloader malware activity

Malware Activity
First: 16.10.2025 17:00 Last: 16.10.2025 17:00 Sources 1

About this happening: **North Korean** threat actor **UNC5342** is using **EtherHiding** to deliver malware for **cryptocurrency theft** in the **Contagious Interview** campaign. Google Threat Intellig...

ClayRat Telegram phishing distribution campaign targeting Android users in Russia

Campaign
First: 09.10.2025 18:30 Last: 09.10.2025 18:30 Sources 1

About this happening: The **ClayRat** campaign is an active **Android spyware** operation that now includes a newer iteration with expanded **surveillance** and **device-control** features. Researchers...

PXA Stealer phishing-loader campaign

Campaign
First: 09.10.2025 17:01 Last: 09.10.2025 17:01 Sources 1

About this happening: A **multi-stage phishing campaign** progressed into **credential theft**, layered loaders, and a final **PureRAT** deployment, increasing the risk of full host compromise and foll...

Timeline

  1. 18.08.2025 22:24 · 1 article

    Noodlophile campaign expands phishing delivery and evasion

    Technical Analysis Update

    Morphisec describes an updated Noodlophile information-stealer campaign targeting enterprises in the U.S., Europe, Baltic countries, and APAC with spear-phishing emails posing as copyright infringement notices and personalized with reconnaissance-derived Facebook Page IDs and company ownership details. The delivery chain uses Gmail accounts, Dropbox links, ZIP or MSI installers, Haihaisoft PDF Reader DLL sideloading, Telegram group descriptions as a dead-drop resolver for paste[.]rs, batch scripts for Windows Registry persistence, and in-memory execution to evade disk-based detection. Noodlophile captures browser data and system information, and its source code shows planned expansions for screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history extraction.
