Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures
Briefly

Noodlophile malware targets enterprises in the U.S., Europe, Baltic countries, and APAC through spear-phishing emails designed to look like copyright infringement notices. Researchers report that these emails contain tailored details, making them seem legitimate. The campaign uses counterfeit AI tools as lures and has updated its delivery methods, which now include abusing vulnerabilities in legitimate software and staging via Telegram. The phishing emails create a sense of urgency and are sent from Gmail, with links to ZIP or MSI installers that sideload malicious DLLs through trusted software like Haihaisoft PDF Reader.
The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information.
The counterfeit AI tools used as lures were found to be advertised on social media platforms like Facebook.
The latest iteration of the Noodlophile attacks deviates notably from earlier ones, particularly in its use of legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution.
It all starts with a phishing email that seeks to trick employees into downloading and running malicious payloads by inducing a false sense of urgency, claiming copyright violations on specific Facebook Pages.
Read at The Hacker News