Noodlophile Infostealer Campaign Uses Legal-Threat Phishing to Target Businesses, Researchers Warn

Security researchers warned on Thursday about a spear-phishing campaign designed to deploy the Noodlophile infostealer. The attackers disguise their messages as legal actions over copyright or intellectual property infringements, targeting businesses across the United States, Europe, the Baltic states and the APAC region.

The emails appear to originate from law firms and are highly personalized, referencing specific Facebook Page IDs and ownership details; they are sent either to key employees or to generic inboxes such as info@ or support@. Recipients are urged to click a link to obtain details of the supposed legal matter, with the threat of swift legal action serving as the lure.

The malicious payload is not attached to the email; the link instead leads to a malicious ZIP or MSI archive posing as a PDF. Researchers note the archives contain disguised artifacts, such as batch scripts renamed with .docx extensions or self-extracting archives masquerading as images, which are launched through malicious libraries loaded into legitimate applications. An intermediate stage then bridges this initial execution and the final deployment of the Noodlophile stealer, which carries out the data exfiltration.

According to Morphisec researchers, the campaign abuses DLL side-loading in legitimate, signed applications to install the malware. The renamed files in the archive are reportedly restored at runtime to BAT scripts and a portable Python interpreter, which then run the final stealer on the host. The stealer payload itself is hosted on free services such as paste rs/Gc2BJ, a tactic that complicates both detection and takedown.
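As an added illustration (this is not code from the page or from the researchers it cites), the following Python script triages a ZIP archive for the two patterns described above: members whose extension claims a document or image while the leading bytes say batch script or Windows executable, and DLLs placed in the same directory as an EXE, the layout DLL side-loading relies on. The archive it inspects is a constructed in-memory stand-in, not the campaign's real sample; the magic-byte table and batch-script tokens are the editor's assumptions about what is worth flagging, not indicators published by the researchers.

```python
import io
import posixpath
import zipfile

# Magic bytes for the content types a lure archive pretends to be, or really is.
PE_MAGIC = b"MZ"                 # Windows EXE/DLL, including self-extracting stubs
ZIP_MAGIC = b"PK\x03\x04"        # a genuine .docx is an OOXML ZIP container
PDF_MAGIC = b"%PDF-"
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# What a member with this extension must start with to be what it claims.
EXPECTED = {
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC,
    ".pdf": PDF_MAGIC,
    ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC,
    ".png": PNG_MAGIC,
}

# Tokens that mark a Windows batch script whatever its extension says (assumed list).
BATCH_TOKENS = (b"@echo off", b"cmd.exe", b"cmd /c", b"powershell", b"%~dp0", b"start /")


def classify(head: bytes) -> str:
    """Best-effort content type from the first bytes of an archive member."""
    for kind, magic in (("pe", PE_MAGIC), ("zip", ZIP_MAGIC), ("pdf", PDF_MAGIC),
                        ("jpeg", JPEG_MAGIC), ("png", PNG_MAGIC)):
        if head.startswith(magic):
            return kind
    low = head.lower()
    if any(tok in low for tok in BATCH_TOKENS):
        return "batch"
    return "unknown"


def triage_zip(data: bytes) -> list:
    """Return one finding per suspicious member: extension/content mismatches,
    and DLLs that sit beside an EXE (the directory layout side-loading needs)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        exe_dirs = {posixpath.dirname(i.filename)
                    for i in members if i.filename.lower().endswith(".exe")}
        for info in members:
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(512)          # magic bytes live at offset 0
            kind = classify(head)
            expected = EXPECTED.get(ext)
            if expected is not None and not head.startswith(expected):
                findings.append({"member": name, "content": kind,
                                 "reason": "extension/content mismatch"})
            if ext == ".dll" and posixpath.dirname(name) in exe_dirs:
                findings.append({"member": name, "content": kind,
                                 "reason": "side-load candidate"})
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for a lure archive; none of this is the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice.docx", b"@echo off\r\nstart /min app\\viewer.exe\r\n")  # batch as .docx
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)                     # PE as image
        zf.writestr("legit.pdf", b"%PDF-1.7\n%benign placeholder\n")              # honest PDF
        zf.writestr("app/viewer.exe", b"MZ\x90\x00" + b"\x00" * 60)                # signed-app stand-in
        zf.writestr("app/helper.dll", b"MZ\x90\x00" + b"\x00" * 60)                # DLL beside it
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f"{f['reason']:28} {f['member']} (looks like: {f['content']})")
```

Run against a real download, the script flags only layout and header evidence; it does not confirm maliciousness, so treat hits as triage leads for sandboxing, and remember that a single legitimate EXE shipping its own DLLs produces the same side-load candidate pattern.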

The Noodlophile infostealer gathers a wide range of data from infected machines and browsers, including cookies and autofill data, saved payment card information, and system details such as the operating system version and installed security software. Researchers noted that the malware maintains persistence via the Programs\Startup directory (the per-user or all-users Start Menu Startup folder, whose contents run at logon, so listing it is a quick first check on a suspect host) and employs self-deletion techniques to erase traces of its execution, complicating detection and forensic recovery.

Newer variants reportedly include placeholder functions that could enable additional capabilities in the future, such as keylogging, screenshot capture, process monitoring, listing browser extensions, browsing history access and even file encryption. The broader campaign appears to reflect an evolution of prior activity by the same threat actors, who previously targeted creators and small businesses with Noodlophile disguised as outputs from a legitimate-looking AI tool.

Cybersecurity professionals urge vigilance against this and similar campaigns, particularly for organizations that receive unexpected legal threat communications. Recipients are advised to verify the sender, scrutinize any links or attachments, and rely on official channels to confirm copyright or IP-infringement actions. Researchers emphasize the importance of robust email security, user awareness, and prompt incident reporting to mitigate the risk posed by these evolving threats.