
Threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks targeting businesses in the US, Europe, the Baltic countries and the Asia-Pacific (APAC) region.
“For over a year, the Noodlophile campaign has been active, leveraging advanced spear-phishing emails disguised as copyright infringement notices, personalized with details from reconnaissance, such as specific Facebook page IDs and company ownership information,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.
Noodlophile was first documented by the cybersecurity vendor in May 2025, when attackers were distributing it using fake artificial intelligence (AI) tools as lures. The counterfeit programs were promoted on social media platforms like Facebook.

That said, the use of copyright infringement lures is not a new development. In November 2024, Check Point uncovered a large-scale phishing campaign that delivered Rhadamanthys Stealer to individuals and organizations under the false pretext of a copyright violation.
However, the latest iterations of the Noodlophile attacks show significant deviations, particularly when it comes to the abuse of legitimate software, unusual staging through Telegram, and dynamic payload execution.
It all starts with a phishing email that aims to trick employees into downloading and running a malicious payload by claiming copyright violations on a specific Facebook page, inducing a false sense of urgency. The messages are sent from Gmail accounts so as not to raise suspicion.
The email contains a Dropbox link that delivers a ZIP archive or an MSI installer. The installer side-loads a malicious DLL through a legitimate binary associated with Haihaisoft PDF Reader in order to launch the obfuscated Noodlophile stealer, but not before running a batch script and establishing persistence via the Windows Registry.
What is notable about the attack chain is that it uses a Telegram group description as a dead-drop resolver to obtain the actual server (“paste[.]rs”) hosting the stealer payload, complicating detection and takedown efforts.
“This approach builds on earlier campaign techniques (e.g., Base64-encoded archives, LOLBin abuse such as certutil.exe), but adds a layer of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said.
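As an added illustration (not code from Morphisec, the article, or the malware itself), the Python below runs toy detection logic over constructed Sysmon-style event records and flags the stages of the chain just described: a DLL loaded from the same user-writable directory as a legitimate-looking host binary (the side-loading pattern), certutil.exe used to decode a staged file, a Run-key write for persistence, and DNS lookups to the Telegram and paste.rs hosts. It also models the dead-drop step itself by pulling a staging URL out of free-form group-description text. The process name, DLL name, registry value name, SID, and URL path are placeholders, and every event is constructed rather than real telemetry; the only campaign facts it encodes are those stated above (certutil.exe, Registry persistence, Telegram, paste[.]rs).

```python
"""Toy detector for the staging chain described above (constructed example).
Stages modelled: DLL side-loading from a user-writable directory, certutil.exe
LOLBin decoding, Run-key persistence, and DNS lookups to the Telegram/paste.rs
dead-drop hosts. Event shape is Sysmon-like JSON with Sysmon EventIDs
(1 process create, 7 image load, 13 registry value set, 22 DNS query)."""
import json
import ntpath
import re

# Constructed sample telemetry. File, DLL and value names are placeholders,
# not indicators taken from the campaign.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ProcessGuid": "p1", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\PDFReader.exe", "CommandLine": "PDFReader.exe"}',
    r'{"EventID": 7, "ProcessGuid": "p1", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\PDFReader.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll"}',
    r'{"EventID": 1, "ProcessGuid": "p2", "ParentProcessGuid": "p1", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c certutil.exe -decode stage.txt stage.bin"}',
    r'{"EventID": 13, "ProcessGuid": "p1", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\PDFReader.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}',
    r'{"EventID": 22, "ProcessGuid": "p1", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\PDFReader.exe", "QueryName": "t.me"}',
    r'{"EventID": 22, "ProcessGuid": "p1", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\PDFReader.exe", "QueryName": "paste.rs"}',
    r'{"EventID": 1, "ProcessGuid": "p3", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
    r'{"EventID": 22, "ProcessGuid": "p3", "Image": "C:\\Windows\\System32\\notepad.exe", "QueryName": "www.microsoft.com"}',
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Temp|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
CERTUTIL_ABUSE = re.compile(r"certutil(\.exe)?\b.*\s-(decode|urlcache|encode)\b", re.I)
DEAD_DROP_HOSTS = ("t.me", "telegram.org", "paste.rs")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_dead_drop_host(name):
    """True if the DNS name is a dead-drop/staging host or one of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in DEAD_DROP_HOSTS)


def classify(event):
    """Return a stage label for one parsed event, or None if nothing matched."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 1 and CERTUTIL_ABUSE.search(event.get("CommandLine", "")):
        return "lolbin_certutil"
    if eid == 7:
        loaded = event.get("ImageLoaded", "")
        same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
        # Side-loading heuristic: host binary in a user-writable directory
        # pulls a DLL from that same directory instead of System32.
        if loaded.lower().endswith(".dll") and same_dir and USER_WRITABLE.search(image):
            return "dll_sideload"
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "runkey_persistence"
    if eid == 22 and is_dead_drop_host(event.get("QueryName", "")):
        return "dead_drop_lookup"
    return None


def analyze(lines):
    """Parse JSON event lines; return [(stage, root_process_guid, detail), ...].
    Child launches (cmd.exe -> certutil) are attributed to their parent so the
    whole chain groups under the side-loaded host process (one level only)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            root = ev.get("ParentProcessGuid", ev.get("ProcessGuid"))
            detail = (ev.get("CommandLine") or ev.get("ImageLoaded")
                      or ev.get("TargetObject") or ev.get("QueryName"))
            findings.append((stage, root, detail))
    return findings


def chain_score(findings, process_guid):
    """Number of distinct chain stages observed under one root process."""
    return len({stage for stage, guid, _ in findings if guid == process_guid})


def is_suspicious_chain(findings, process_guid, min_stages=3):
    """Alert only when several independent stages line up on one process; any
    single stage (a Run-key write, a t.me lookup) is far too noisy on its own."""
    return chain_score(findings, process_guid) >= min_stages


def resolve_dead_drop(description):
    """Mimic the resolver step: pull the first staging URL out of free-form
    Telegram group-description text. Returns None when none is present."""
    for url in URL_RE.findall(description):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
        if is_dead_drop_host(host):
            return url
    return None


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for finding in found:
        print(finding)
    print("p1 suspicious:", is_suspicious_chain(found, "p1"))
    print("resolved:", resolve_dead_drop("Community chat. Mirror: https://paste.rs/placeholder"))
```

On the constructed events the host process p1 accumulates four distinct stages and trips the chain alert, while notepad.exe (p3) produces nothing. The design point is the correlation: DNS queries to t.me or a Run-key write are routine on most endpoints, so an alert on any one of them would be noise, but a user-writable-directory binary that side-loads a DLL, spawns certutil.exe to decode a file, persists, and then resolves a Telegram-hosted pointer is the chain described above. In real Sysmon data the grouping would follow ProcessGuid/ParentProcessGuid across the full process tree rather than the single parent hop used here.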

Noodlophile is a full-fledged stealer capable of capturing data from web browsers and collecting system information. Analysis of the stealer's source code reveals ongoing development efforts to add capabilities for screenshot capture, keylogging, file exfiltration, process monitoring, network information collection, file encryption, and browser history extraction.
“The broad targeting of browser data underscores the campaign’s focus on companies with a significant social media footprint, especially on platforms like Facebook,” Morphisec said. “These unimplemented features show that the stealer’s developers are actively working to expand its capabilities, potentially turning it into a more versatile and dangerous threat.”