Noodlophile malware campaign expands global reach with copyright phishing lures

4 Min Read

Threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to launch data-stealing attacks targeting companies in the US, Europe, the Baltic countries and the Asia-Pacific region (APAC).

“Active for over a year, the Noodlophile campaign leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance details such as specific Facebook page IDs and company ownership information,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.

Noodlophile was previously detailed in May 2025 by the cybersecurity vendor, when attackers were using fake artificial intelligence (AI) tools as lures to propagate the malware. These counterfeit programs were found to be promoted on social media platforms like Facebook.

However, the adoption of copyright-infringement lures is not a new development. In November 2024, Check Point disclosed a large-scale phishing effort that targeted individuals and organizations under the false premise of a copyright violation to deliver Rhadamanthys Stealer.

However, the latest iterations of Noodlophile attacks show significant deviations, notably in their use of legitimate software vulnerabilities, esoteric staging through Telegram, and dynamic payload execution.

It all begins with a phishing email aimed at tricking employees into downloading and running malicious payloads by claiming copyright violations on a specific Facebook page and inducing a false sense of urgency. The messages are sent from Gmail accounts to avoid suspicion.

The message contains a Dropbox link that delivers a ZIP or MSI installer. This uses a malicious DLL alongside a legitimate binary associated with Haihaisoft PDF Reader to launch the obfuscated Noodlophile stealer, but not before running a batch script and establishing persistence using the Windows Registry.


What’s noteworthy about the attack chain is that it leverages a Telegram group description as a dead-drop resolver to obtain the actual server (“Paste(.)rs”) that hosts the stealer’s payload, which complicates detection and takedown efforts.

“This approach builds on earlier campaign techniques (e.g., base64-encoded archives, LOLBin abuse like certutil.exe), but it also adds a layer of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said.
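As an added defensive example (not from the original article or from Morphisec's research), the following Python checks constructed Sysmon-style events for three behaviours the chain above relies on: an unsigned DLL loaded by the Haihaisoft PDF Reader binary from a user-writable directory (side-loading), certutil.exe invoked to decode a payload, and a Run-key write by cmd.exe (assumed here as the batch script's Registry persistence; the article does not name the key). Field names, paths and the DLL name are constructed.

```python
import re
from dataclasses import dataclass

# Heuristics for the three stages; path and flag patterns are assumptions.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
SIDELOAD_HOST = re.compile(r"\\haihaisoft[^\\]*\.exe$", re.I)          # legitimate host binary
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s+.*-(decode|urlcache)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)                  # assumed persistence key

@dataclass
class Event:
    kind: str            # "image_load" | "process_create" | "registry_set"
    image: str           # full path of the acting process
    target: str          # loaded DLL path, command line, or registry value path
    signed: bool = True  # Authenticode status of the loaded DLL (image_load only)

def classify(ev: Event) -> list:
    """Return the names of the detection rules the event matches."""
    hits = []
    # Side-loading: the PDF reader binary loads an unsigned DLL from a user-writable path.
    if (ev.kind == "image_load" and SIDELOAD_HOST.search(ev.image)
            and USER_WRITABLE.match(ev.target) and not ev.signed):
        hits.append("pdf_reader_dll_sideload")
    # LOLBin abuse: certutil decoding a base64 blob or fetching a file.
    if ev.kind == "process_create" and CERTUTIL_DECODE.search(ev.target):
        hits.append("certutil_lolbin_decode")
    # Persistence: a batch script (running under cmd.exe) writes a Run value.
    if (ev.kind == "registry_set" and RUN_KEY.search(ev.target)
            and ev.image.lower().endswith("\\cmd.exe")):
        hits.append("batch_run_key_persistence")
    return hits

def scan(events):
    """Return (event index, rule name) pairs for every match in the stream."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]

# Constructed sample telemetry (not real logs): benign and suspicious cases side by side.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Users\alice\AppData\Local\Temp\notice\HaihaisoftPDFReader.exe",
          r"C:\Users\alice\AppData\Local\Temp\notice\reader_helper.dll", signed=False),
    Event("image_load", r"C:\Program Files\Haihaisoft PDF Reader\HaihaisoftPDFReader.exe",
          r"C:\Windows\System32\kernel32.dll"),
    Event("process_create", r"C:\Windows\System32\certutil.exe",
          "certutil.exe -decode notice.txt notice.zip"),
    Event("process_create", r"C:\Windows\System32\certutil.exe", "certutil.exe -store My"),
    Event("registry_set", r"C:\Windows\System32\cmd.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PdfReaderUpdate"),
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 2 and 4 and leaves the benign DLL load and the `certutil -store` call alone; in production the same rules would run over real Sysmon Event IDs 7, 1 and 13.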

Noodlophile is a full-fledged stealer that can capture data from web browsers and collect system information. Analysis of the stealer’s source code shows ongoing development efforts to extend its capabilities to screenshot capture, keylogging, file deletion, process monitoring, network information collection, file encryption, and browser history extraction.

“The broad targeting of browser data emphasizes the campaign’s focus on companies with a significant social media footprint, particularly on platforms like Facebook,” Morphisec said. “These unimplemented features show that the stealer’s developers are actively working to expand its capabilities, potentially turning it into a more versatile and dangerous threat.”
