Cyber Web Spider Blog – News

Threat Actors Attacking Organizations Key Employees With Weaponized Copyright Documents to Deliver Noodlophile Stealer

Posted on August 19, 2025 By CWS

A sophisticated phishing campaign has emerged targeting enterprises with significant social media footprints, using weaponized copyright infringement notices to deliver the advanced Noodlophile Stealer malware.

This highly targeted threat represents a significant escalation from earlier iterations, exploiting businesses' reliance on social media platforms through meticulously crafted spear-phishing emails that allege copyright violations on specific Facebook Pages.

The campaign demonstrates unprecedented precision in its targeting methodology, with threat actors conducting extensive reconnaissance to gather specific details including Facebook Page IDs and company ownership information.

These personalized attacks primarily target key employees and generic organizational inboxes such as info@ and support@, creating a sense of urgency through legal threats that pressure recipients into clicking malicious links disguised as evidence files.

Morphisec analysts identified that this sophisticated campaign employs multilingual content spanning English, Spanish, Polish, and Latvian, potentially leveraging artificial intelligence for localization and broader global reach.

Attack chain (Source – Morphisec)

The sophistication extends beyond simple email lures, incorporating legitimate software vulnerabilities and obfuscated staging mechanisms that significantly complicate detection efforts.

Unlike its predecessor, which relied on fake AI video generation platforms, the current Noodlophile variant exploits legitimate, digitally signed applications vulnerable to DLL side-loading, including Haihaisoft PDF Reader and Excel converters.

The malware operators have developed two novel exploitation techniques: recursive stub loading and chained DLL vulnerabilities, both designed to execute malicious code covertly within trusted processes.

Advanced Delivery and Persistence Mechanisms

The malware's delivery mechanism represents a masterclass in evasion techniques, using Dropbox links masked by TinyURL redirects to distribute payloads.

These archives contain carefully disguised artifacts, including batch scripts renamed as .docx files and self-extracting archives posing as .png files, executed through malicious libraries loaded within legitimate applications.
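The extension disguises described above can be caught by comparing each archive member's leading bytes against what its extension promises. The following is an added example for this article, not code from Morphisec or the campaign; the file names and byte contents are constructed samples.

```python
# Expected leading bytes for extensions that should never hold scripts or
# executables; OOXML (.docx) is a ZIP container, so it starts like one.
EXPECTED_MAGIC = {
    ".docx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}

def classify_header(data: bytes) -> str:
    """Best-effort label for what the leading bytes actually look like."""
    if data.startswith(b"MZ"):
        return "pe-executable"        # EXE/DLL, e.g. a self-extracting archive
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    text = data[:64].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if text.startswith((b"@echo", b"rem ", b"set ", b"start ", b"cmd")):
        return "batch-script"
    return "unknown"

def extension_mismatch(name: str, data: bytes) -> tuple:
    """Return (is_mismatch, observed_type) for one file name and its bytes."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    observed = classify_header(data)
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return (False, observed)      # no header expectation for this extension
    return (not data.startswith(expected), observed)

# Constructed archive members mimicking the disguises the article describes.
SAMPLES = {
    "evidence.docx": b"@echo off\r\necho disguised script\r\n",
    "proof.png": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

def scan(samples=SAMPLES) -> list:
    """Return the names whose header contradicts their extension."""
    return sorted(n for n, d in samples.items() if extension_mismatch(n, d)[0])

if __name__ == "__main__":
    for name in scan():
        print(f"{name}: header looks like {extension_mismatch(name, SAMPLES[name])[1]}")
```

The same check applied at the mail gateway or on extracted attachments flags the batch-as-.docx and SFX-as-.png members before any legitimate application loads the side-loaded library.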

Following successful DLL side-loading, the campaign introduces an intermediate staging process where malicious DLLs rename additional files to reveal BAT scripts and portable Python interpreters.

The persistence mechanism operates through registry modifications under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, establishing execution through cmd.exe commands that launch Python interpreters with malicious scripts.
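A defender can triage Run values for exactly this shape: a cmd.exe wrapper that starts a Python interpreter from a user-writable directory and passes it a script. This is an added example written for this article, not Morphisec's or the campaign's code; the Run value names and paths are constructed, and on a live host the values would be read from the key named in the code.

```python
import re
import shlex

# Registry key the article names; on a live host you would enumerate its
# values with winreg and feed each command string to assess_run_value().
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample Run values (value name -> command string), not real IoCs.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'cmd.exe /c start /min "" "C:\Users\alice\AppData\Roaming\pyrt\python.exe" "C:\Users\alice\AppData\Roaming\pyrt\run.py"',
    "Helper": r"C:\Users\alice\AppData\Roaming\tools\pythonw.exe C:\Users\alice\stage.py",
    "Vendor": r'"C:\Program Files\Vendor\tool.exe" --tray',
}

PYTHON_EXE = re.compile(r"\bpythonw?(?:\d+(?:\.\d+)*)?\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\", re.IGNORECASE)

def split_command(command: str) -> list:
    """Tokenize a Windows command line, keeping quoted paths whole."""
    try:
        tokens = shlex.split(command, posix=False)  # backslashes are not escapes
    except ValueError:                              # unbalanced quotes
        tokens = command.split()
    return [t.strip('"').lower() for t in tokens]

def assess_run_value(command: str) -> list:
    """Return the indicators matched by one Run value (empty list if clean)."""
    tokens = split_command(command)
    findings = []
    if tokens and tokens[0].endswith("cmd.exe"):
        findings.append("launched via cmd.exe")
    interpreters = [t for t in tokens if PYTHON_EXE.search(t)]
    if interpreters:
        findings.append("launches python interpreter")
        if any(t.endswith((".py", ".pyw")) for t in tokens):
            findings.append("passes a .py script")
        if any(USER_WRITABLE.search(t) for t in interpreters):
            findings.append("interpreter in user-writable path")
    return findings

def triage(values=SAMPLE_RUN_VALUES) -> dict:
    """Map each suspicious value name under RUN_KEY to its indicators."""
    return {n: f for n, c in values.items() if (f := assess_run_value(c))}

if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{RUN_KEY}\\{name}: {', '.join(findings)}")
```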

The enhanced obfuscation layer extracts URLs from Telegram group descriptions, enabling dynamic payload execution while hosting final stages on platforms like paste.rs.

This Telegram-based command-and-control infrastructure, combined with in-memory execution capabilities, significantly complicates traditional disk-based detection methods and represents a concerning evolution in stealer deployment techniques.

The Noodlophile Stealer's current capabilities focus extensively on browser-based data theft, targeting web credentials, autofill data, and Facebook cookies through sophisticated SQL queries.

Its codebase reveals placeholder functions indicating planned expansions into screenshot capture, keylogging, and potential EDR bypass mechanisms through AMSI and ETW tampering.

