A new wave of cyberattacks is sweeping across the globe as an ongoing campaign built around the sophisticated Noodlophile information-stealer ramps up attacks on businesses in the U.S., Europe, the Baltic states, and the Asia-Pacific region. Morphisec researchers warn that spear-phishing emails posing as copyright violation notices are at the heart of the threat. These emails appear to come from Gmail accounts and include highly personal touches, such as a company’s Facebook Page ID or ownership details, to make the scams more convincing.
How the Scam Works
Attackers send enterprises phishing emails containing Dropbox links and claiming urgent legal trouble. The links deliver ZIP or MSI files disguised as PDFs, which install the malware in several stages. The files sideload a malicious DLL through a legitimate, signed PDF reader application, then use batch scripts and Registry entries to persist on the device.
A standout aspect of this campaign is the use of Telegram group descriptions as a dead-drop resolver. The stealer reads its real payload location from a server address hidden in these descriptions, which makes the infrastructure harder to detect and block. Researchers also note that the payload runs in memory and avoids leaving files on disk.
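One way a defender can hunt for the chain described above (a signed reader sideloading an unsigned DLL from a user-writable folder, followed by a batch script registered under a Run key). This is an added example, not code from the Morphisec report; the event schema is a simplified Sysmon-like layout, and the host names, paths, `pdfreader.exe`, and sample records are all constructed placeholders.

```python
import ntpath
import re

# Constructed, simplified event schema (Sysmon-like); real telemetry carries more fields.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def is_sideload(ev):
    """Image-load event: a signed EXE loads an unsigned DLL sitting beside it in a user-writable dir."""
    if ev["event_id"] != 7 or ev["dll_signed"] or not ev["exe_signed"]:
        return False
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["image_loaded"]).lower()
    return exe_dir == dll_dir and bool(USER_WRITABLE.match(ev["image"]))


def is_batch_persistence(ev):
    """Registry-set event: a Run/RunOnce value whose data launches a .bat/.cmd script."""
    return (ev["event_id"] == 13
            and bool(RUN_KEY.search(ev["target_object"]))
            and bool(SCRIPT_EXT.search(ev["details"])))


def triage(events):
    """Return sorted findings per host; a host showing both stages gets the chain tag."""
    findings = {}
    for ev in events:
        tags = findings.setdefault(ev["host"], set())
        if is_sideload(ev):
            tags.add("dll_sideload")
        if is_batch_persistence(ev):
            tags.add("batch_run_key")
    for tags in findings.values():
        if {"dll_sideload", "batch_run_key"} <= tags:
            tags.add("sideload_persist_chain")
    return {host: sorted(tags) for host, tags in findings.items()}


# Constructed sample telemetry: ws01 shows the full chain, ws02 shows benign loads only.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7, "exe_signed": True, "dll_signed": False,
     "image": r"C:\Users\alice\Downloads\Copyright_Notice\pdfreader.exe",
     "image_loaded": r"C:\Users\alice\Downloads\Copyright_Notice\helper.dll"},
    {"host": "ws01", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'cmd /c "C:\Users\alice\AppData\Roaming\update.bat"'},
    {"host": "ws02", "event_id": 7, "exe_signed": True, "dll_signed": True,
     "image": r"C:\Program Files\Reader\reader.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
]
```

Running `triage(SAMPLE_EVENTS)` tags ws01 with both stages plus the chain marker and leaves ws02 clean.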
What’s Being Stolen—and What’s Next
Noodlophile is already grabbing everything from browser cookies and saved credit card data to system details like RAM and installed software. The code shows plans to grow even more dangerous, including capabilities for screen capture, keylogging, process tracking, and file encryption.
Security professionals believe this campaign specifically targets companies with active social media accounts, especially those with a Facebook presence, as the attackers' reconnaissance (the Facebook Page IDs and ownership details embedded in the lures) indicates.