The Noodlophile malware, initially detected in May 2025, has undergone significant changes to its operational tactics to circumvent modern security defenses. In its early stages, this malicious software infiltrated user systems by masquerading as advertisements for non-existent AI video generation platforms on social media channels, leading users to download harmful ZIP files.
Exploiting Remote Work Demand
Recently, the operators of Noodlophile, associated with the Vietnamese group UNC6229, have shifted their strategy to exploit the global surge in remote work opportunities. They are now leveraging fake job advertisements to target job seekers, particularly students and digital marketers. These schemes involve sophisticated phishing attempts disguised as job application forms or skill assessments, which deliver multi-stage malware and Remote Access Trojans through DLL sideloading techniques.
Analysts at Morphisec have identified a distinctive retaliatory tactic embedded within the malware’s updated code. The attackers have padded the malicious files with numerous repetitions of a vulgar Vietnamese phrase aimed at the security firm. This tactic creates significant file bloat, designed to crash AI-based analysis tools that rely on standard Python disassembly libraries, such as dis.dis(obj), thus hindering automated threat detection and analysis processes.
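The bloat described above is a problem for any pipeline that hands a recovered code object straight to dis. The following added example (written for this article, not Morphisec's tooling or the malware's code) shows a triage step a defender can put in front of the disassembler: it measures how repetitive a marshalled blob is and refuses to disassemble it when it is dominated by a single repeated phrase or exceeds a size budget. The padding phrase, the size budget and the thresholds are constructed assumptions standing in for the real sample's values.

```python
"""Triage a marshalled Python code object for padding bloat before running
dis on it.

Added example for this article; not Morphisec's analysis tooling and not
the malware's code. The padding phrase, the size budget and the thresholds
below are constructed assumptions.
"""
import dis
import io
import marshal
import types
import zlib

MAX_DISASSEMBLY_BYTES = 2 * 1024 * 1024          # assumed per-object budget
PADDING_PHRASE = "PADDING-PHRASE-PLACEHOLDER "   # stand-in for the real text


def compression_ratio(data: bytes) -> float:
    """Compressed size over raw size; repeated padding drives this toward 0."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def unique_chunk_ratio(data: bytes, chunk: int = 32) -> float:
    """Distinct fixed-size windows over total windows (stride = chunk).

    A blob built from one repeated phrase cycles through at most
    len(phrase) distinct windows, so this collapses even when the phrase
    length and the window size are not aligned."""
    windows = [data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk)]
    if not windows:
        return 1.0
    return len(set(windows)) / len(windows)


def looks_padded(data: bytes, ratio_max: float = 0.05, unique_min: float = 0.05) -> bool:
    """True when either metric says the blob is dominated by repetition."""
    return compression_ratio(data) < ratio_max or unique_chunk_ratio(data) < unique_min


def safe_disassemble(blob: bytes) -> str:
    """Disassemble only after the size and padding checks pass.

    marshal.loads is not safe on hostile input in general; run this on a
    disposable analysis host."""
    if len(blob) > MAX_DISASSEMBLY_BYTES:
        return f"skipped: {len(blob)} bytes exceeds size budget"
    if looks_padded(blob):
        return (f"skipped: padding detected (compression ratio "
                f"{compression_ratio(blob):.3f}, unique chunks "
                f"{unique_chunk_ratio(blob):.3f})")
    obj = marshal.loads(blob)
    if not isinstance(obj, types.CodeType):
        return "skipped: not a code object"
    out = io.StringIO()
    dis.dis(obj, file=out)
    return out.getvalue()


def build_clean_sample() -> bytes:
    """Small, ordinary code object (constructed)."""
    code = compile("def add_one(a):\n    return a + 1\n", "<constructed>", "exec")
    return marshal.dumps(code)


def build_padded_sample(repeats: int = 20_000) -> bytes:
    """Code object carrying a huge repeated-phrase constant (constructed),
    mimicking the bloat the article describes."""
    source = "PAD = " + repr(PADDING_PHRASE * repeats) + "\n"
    code = compile(source, "<constructed>", "exec")
    return marshal.dumps(code)


if __name__ == "__main__":
    print(safe_disassemble(build_padded_sample()))
    print(safe_disassemble(build_clean_sample()))
```

Both metrics are cheap relative to disassembly, and using two of them means a sample that defeats one (for example by varying the padding slightly) still has to defeat the other.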
Advanced Technical Evasion
The latest iterations of Noodlophile incorporate advanced technical measures to complicate reverse engineering attempts. These improvements include the use of the djb2 rotating hashing algorithm within the function loader shellcode. This lightweight technique facilitates dynamic API resolution, making static analysis more challenging for defenders attempting to decode the malware’s functions.
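Hash-based API resolution hides import names from static analysis, but the hash itself is cheap to reverse by precomputation: hash every export name you expect and look the values up. The block below is an added example for this article (not the loader's shellcode and not Morphisec's tooling). It assumes the classic djb2 (h = h*33 + c, seed 5381, truncated to 32 bits) over the ASCII export name and also offers the common XOR variant; since the article calls the routine a "rotating" variant, the exact hash recovered from a sample may differ, so the table builder accepts any hash function. The export name list and the hashes being resolved are constructed.

```python
"""Map djb2-style hashes of API export names back to the names.

Added example for this article; not the malware's loader and not
Morphisec's tooling. Assumed hash: classic djb2 over the ASCII name with
seed 5381 and 32-bit truncation. The djb2_xor variant and the optional
NUL-terminated form are included because loaders differ on both points;
plug in the exact routine recovered from the sample if it differs.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF
HashFn = Callable[[bytes], int]


def djb2(name: bytes, seed: int = 5381) -> int:
    """Classic djb2: h = h * 33 + c for each byte, kept to 32 bits."""
    h = seed
    for c in name:
        h = ((h << 5) + h + c) & MASK32
    return h


def djb2_xor(name: bytes, seed: int = 5381) -> int:
    """The 'djb2a' variant: h = (h * 33) ^ c."""
    h = seed
    for c in name:
        h = (((h << 5) + h) ^ c) & MASK32
    return h


def build_hash_table(names: Iterable[str], hash_fn: HashFn = djb2,
                     with_nul: bool = True) -> Dict[int, str]:
    """Precompute hashes for every candidate export name.

    with_nul also inserts the hash of the NUL-terminated name, since some
    loaders run the hash until the terminator inclusive."""
    table: Dict[int, str] = {}
    for name in names:
        raw = name.encode("ascii")
        table[hash_fn(raw)] = name
        if with_nul:
            table[hash_fn(raw + b"\x00")] = name
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Return (hash, name-or-None) for each hash pulled from a loader."""
    return [(h, table.get(h)) for h in hashes]


# Constructed candidate list; a real run would feed in the export tables of
# the DLLs the sample loads.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "ExitProcess",
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constructed "observed" hashes: two resolvable, one unknown.
    observed = [djb2(b"VirtualAlloc"), djb2(b"GetProcAddress\x00"), 0xDEADBEEF]
    for h, name in resolve(observed, table):
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

For a real sample the candidate list is the union of export names from the DLLs the loader touches; a hash that resolves to nothing usually means a different seed, a case change, or a wide-character name, all of which are quick to try once the routine is isolated.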
Moreover, the binary now includes a hardcoded signature validation process. This self-check mechanism detects any tampering by anti-analysis or debugging tools and terminates the execution if any modifications are detected. To further secure their operations, the attackers have added an RC4 encryption layer to protect the command file, named “Chingchong.cmd,” concealing its contents from immediate scrutiny.
Obfuscation and Security Recommendations
Additionally, the attackers have abandoned plain text strings, instead using XOR encoding to hide data that was previously easily detectable. This approach effectively bypasses simple string-based detection methods that security teams typically use for rapid identification of malware.
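Both concealment layers mentioned in this and the previous section, the RC4 encrypted command file and the XOR-encoded strings, fall to routine analyst tooling once the key material is recovered or, for single-byte XOR, simply brute-forced. The block below is an added example written for this article, not Morphisec's tooling and not the malware's code. It implements RC4 for decrypting a recovered command file and a 256-key XOR brute force that ranks candidates by how much they look like text; the RC4 key, the XOR key and both sample payloads are constructed, because the page does not give the real ones.

```python
"""Recover data hidden behind an RC4 layer and single-byte XOR encoding.

Added analyst example for this article; not Morphisec's tooling and not the
malware's code. The RC4 key, the XOR key and the sample payloads below are
constructed stand-ins.
"""
from __future__ import annotations

# Approximate English letter frequencies (percent) plus a weight for space;
# used only to rank brute-force candidates.
FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07, " ": 13.0,
}


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _text_score(candidate: bytes) -> float | None:
    """Frequency score of a decode, or None if it contains non-text bytes."""
    total = 0.0
    for b in candidate:
        if b in (0x09, 0x0A, 0x0D):
            continue
        if b < 0x20 or b > 0x7E:
            return None
        total += FREQ.get(chr(b).lower(), 0.0)
    return total


def recover_xor_strings(blob: bytes, top: int = 3) -> list[tuple[int, bytes, float]]:
    """Try all 256 single-byte keys; return the best-scoring (key, text, score)."""
    ranked = []
    for key in range(256):
        decoded = xor_single_byte(blob, key)
        score = _text_score(decoded)
        if score is not None:
            ranked.append((key, decoded, score))
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked[:top]


def decrypt_command_file(blob: bytes, key: bytes) -> bytes:
    """Strip the RC4 layer from a recovered command file."""
    return rc4_crypt(key, blob)


# Constructed samples standing in for the encrypted command file and one
# XOR-encoded string; the keys are made up for this example.
SAMPLE_RC4_KEY = b"constructed-rc4-key"
SAMPLE_CMD = b"@echo off\r\nrem constructed stand-in for the command file\r\n"
SAMPLE_XOR_KEY = 0x5A
SAMPLE_STRING = b"constructed sample: hidden config string"
ENCRYPTED_CMD = rc4_crypt(SAMPLE_RC4_KEY, SAMPLE_CMD)
ENCODED_STRING = xor_single_byte(SAMPLE_STRING, SAMPLE_XOR_KEY)

if __name__ == "__main__":
    print(decrypt_command_file(ENCRYPTED_CMD, SAMPLE_RC4_KEY).decode())
    for key, text, score in recover_xor_strings(ENCODED_STRING):
        print(f"key=0x{key:02x} score={score:6.1f} {text!r}")
```

The frequency ranking matters because many of the 256 keys yield fully printable output; scoring on letter and space frequency pushes the real plaintext to the top, and the remaining candidates are left for the analyst to eyeball. Once strings are recovered this way, they can go straight into the string-based detections the obfuscation was meant to defeat.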
It is imperative for users to exercise caution when dealing with unsolicited job offers and to verify the authenticity of recruitment platforms. Security professionals should update detection protocols to recognize these specific hashing and encryption patterns to prevent potential infections. Remaining vigilant against these evolving tactics is crucial for ensuring robust cybersecurity.
