Noodlophile Malware Campaign Expands to Include Copyright Phishing Lures
Summary
Hide β²
Show βΌ
The Noodlophile malware campaign has expanded its global reach, targeting enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region. The threat actors use spear-phishing emails posing as copyright infringement notices to deploy the information stealer. The campaign leverages advanced delivery mechanisms, including legitimate software vulnerabilities and obfuscated staging via Telegram. The malware is designed to capture data from web browsers and gather system information. Ongoing development efforts aim to expand its capabilities to include screenshot capture, keylogging, file exfiltration, and more. The extensive targeting of browser data suggests a focus on enterprises with significant social media footprints. The campaign also includes self-deletion techniques to remove traces after execution, complicating detection.
Timeline
-
18.08.2025 22:24 π° 2 articles Β· β± 29d ago
Noodlophile Malware Campaign Expands with New Phishing Lures
The Noodlophile malware campaign has expanded its global reach, targeting enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region. The threat actors use spear-phishing emails posing as copyright infringement notices to deploy the information stealer. The campaign leverages advanced delivery mechanisms, including legitimate software vulnerabilities and obfuscated staging via Telegram. The malware is designed to capture data from web browsers and gather system information. Ongoing development efforts aim to expand its capabilities to include screenshot capture, keylogging, file exfiltration, and more. The extensive targeting of browser data suggests a focus on enterprises with significant social media footprints. The campaign also includes self-deletion techniques to remove traces after execution, complicating detection.
Show sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
Information Snippets
-
The Noodlophile malware campaign has been active for over a year, targeting enterprises in multiple regions.
First reported: 18.08.2025 22:24π° 2 sources, 2 articlesShow sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The campaign uses spear-phishing emails posing as copyright infringement notices to deliver the malware.
First reported: 18.08.2025 22:24π° 2 sources, 2 articlesShow sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The phishing emails originate from Gmail accounts and include Dropbox links to malicious payloads.
First reported: 18.08.2025 22:24π° 2 sources, 2 articlesShow sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The attack chain leverages Telegram group descriptions as a dead drop resolver to fetch the stealer payload.
First reported: 18.08.2025 22:24π° 2 sources, 2 articlesShow sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The malware uses legitimate binaries associated with Haihaisoft PDF Reader to launch the obfuscated Noodlophile stealer.
First reported: 18.08.2025 22:24π° 2 sources, 2 articlesShow sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The campaign includes ongoing development efforts to expand the malware's capabilities, such as screenshot capture, keylogging, and file exfiltration.
First reported: 18.08.2025 22:24π° 2 sources, 2 articlesShow sources
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures β thehackernews.com β 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The Noodlophile campaign targets corporate social media accounts, specifically Facebook Pages, to craft highly personalized spear-phishing emails.
First reported: 18.08.2025 23:28π° 1 source, 1 articleShow sources
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The phishing emails include precise details such as page IDs and ownership information, indicating extensive reconnaissance by the threat actors.
First reported: 18.08.2025 23:28π° 1 source, 1 articleShow sources
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The payloads are often delivered via Dropbox links masked by TinyURL redirects, containing disguised artifacts like batch scripts renamed as .docx files or self-extracting archives posing as .png files.
First reported: 18.08.2025 23:28π° 1 source, 1 articleShow sources
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The infostealer harvests web data, system data, credentials, credit card information, security controls, and browser support.
First reported: 18.08.2025 23:28π° 1 source, 1 articleShow sources
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The infostealer employs self-deletion techniques to remove traces after execution, complicating detection.
First reported: 18.08.2025 23:28π° 1 source, 1 articleShow sources
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
-
The campaign targets enterprises across the U.S., Europe, Baltic countries, and the APAC region.
First reported: 18.08.2025 23:28π° 1 source, 1 articleShow sources
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints β www.darkreading.com β 18.08.2025 23:28
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Increased browser targeting by threat actors
Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, making it an attractive target for credential theft and session hijacking. High-profile incidents, such as the Snowflake breach, underscore the need for enhanced browser security measures. The browser's role in accessing sensitive data and cloud applications makes it a prime target for attackers. The Snowflake breach, which exploited stolen credentials, highlights the risks associated with browser-based attacks. Experts emphasize the need for stronger browser security to mitigate these threats. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. These attacks exploit the browser's role in accessing business applications and data, making it crucial for security teams to focus on browser security.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.