Beware: Noodlophile Infostealer Masks as Fake Legal Notices

▼ Summary
– Attackers use spear-phishing emails impersonating law firms to threaten legal action over copyright infringement, targeting businesses globally.
– Emails are personalized with company details and sent to key employees or generic inboxes in multiple languages, likely using generative AI.
– Victims are tricked into downloading a malicious ZIP or MSI file disguised as a PDF via a link, not an attachment.
– The malware employs DLL side-loading through legitimate signed applications and uses disguised files to deploy the Noodlophile infostealer.
– Noodlophile steals sensitive data like login credentials and credit card info, maintains persistence, and shows potential for future capabilities like keylogging.
A sophisticated cyber threat is targeting organizations worldwide with fake legal notices designed to steal sensitive information. Security researchers have identified a campaign distributing the Noodlophile infostealer through highly personalized spear-phishing emails. These messages impersonate legitimate law firms and accuse recipients of copyright or intellectual property violations, creating a sense of urgency designed to provoke hasty action.
The emails are carefully crafted to appear authentic, referencing specific details such as Facebook Page IDs and corporate ownership data. They are directed at key personnel or generic company email addresses across the United States, Europe, Baltic nations, and the Asia-Pacific region. While the use of multiple languages, likely generated with AI tools, adds to the illusion, a clear red flag is the reliance on free email services like Gmail rather than professional domains.
Rather than attaching a file directly, the message includes a link to download what appears to be a PDF related to the alleged infringement. In reality, this file is a malicious archive, either a ZIP or MSI file, disguised as a document. Once opened, it abuses legitimate signed applications through DLL side-loading: a malicious library is placed beside a trusted, signed executable that loads it by name, so the hostile code runs inside a reputable process and slips past security controls that trust signed software.
Inside these archives, attackers use deceptive filenames to conceal harmful scripts. Batch files may be labeled as .docx documents, and self-extracting archives might appear as .png images. These are executed once the malicious library has been loaded by the benign application. An intermediate stage then renames further disguised files to reveal BAT scripts and portable Python interpreters. The final payload, the infostealer itself, is often hosted on free platforms such as paste.rs, which makes it harder for defenders to detect and take down.
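As an added illustration, not from the HelpNet Security report or the researchers it cites, the following Python check flags files in an extracted archive whose leading bytes contradict the extension they carry, the mismatch that the .docx and .png disguises described above depend on; every file name and byte string in it is constructed for the example.

```python
from pathlib import Path
from typing import Optional, List
import tempfile

# Expected leading bytes for the document/image extensions the lure borrows.
MAGIC = {
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
# Signatures of what a disguised file may actually be.
EXECUTABLE_HINTS = {
    b"MZ": "PE executable (e.g. self-extracting archive)",
    b"@echo": "batch script",
    b"@ECHO": "batch script",
}

def classify(name: str, head: bytes) -> Optional[str]:
    """Return a finding if `head` contradicts the extension of `name`, else None."""
    ext = Path(name).suffix.lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return None  # extension not in scope
    if any(head.startswith(sig) for sig in expected):
        return None  # content matches the claimed type
    actual = "unknown content"
    for sig, label in EXECUTABLE_HINTS.items():
        if head.lstrip().startswith(sig):
            actual = label
            break
    return f"{name}: claims {ext} but starts with {actual}"

def scan_directory(root: Path) -> List[str]:
    """Read the first 16 bytes of every file under `root` and collect mismatches."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            finding = classify(path.name, path.read_bytes()[:16])
            if finding:
                findings.append(finding)
    return findings

def demo() -> List[str]:
    """Constructed sample archive layout mirroring the disguises described above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Evidence.docx").write_bytes(b"@echo off\r\nstart loader.exe\r\n")  # batch posing as a document
        (root / "logo.png").write_bytes(b"MZ\x90\x00" + b"\x00" * 13)  # PE/SFX posing as an image
        (root / "real.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)  # genuine image header
        return scan_directory(root)
```

Running `demo()` reports the two disguised files and stays silent on the genuine image; the same `scan_directory` call can be pointed at any unpacked lure for triage.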
Noodlophile is equipped to harvest a wide array of sensitive data from infected systems. It targets web browsers including Chrome, Brave, Edge, and Opera, extracting cookies, autofill data, saved passwords, and even stored credit card details. The malware also collects system information such as operating system version, installed RAM, and security software presence.
To maintain access, the infostealer establishes persistence through the Startup directory and uses self-deletion methods to erase traces after execution. Researchers also note that newer variants contain placeholder functions suggesting planned upgrades, such as keylogging, screenshot capture, browser history theft, and file encryption. This indicates the malware is under active development and may become even more dangerous in the future.
This is not the first time Noodlophile has been used in deceptive campaigns. Earlier iterations masqueraded as output files from what seemed to be genuine AI tools, focusing on creators and small businesses. The shift to legal threats demonstrates the attackers’ adaptability and willingness to use social engineering tactics that exploit anxiety and urgency.
Staying informed through timely threat intelligence alerts can help organizations recognize and respond to such targeted attacks before significant damage occurs.
(Source: HelpNet Security)