Noodlophile Stealer: Evolution of a Global Cyber Threat Through Copyright Phishing and AI Lures

TL;DR

The Noodlophile Stealer malware has rapidly evolved into a global threat, targeting enterprises in the U.S., Europe, Baltics, and APAC through highly personalized copyright phishing emails and AI-themed lures. This sophisticated campaign leverages multilingual spear-phishing, Telegram-based command-and-control, and in-memory execution to evade detection while stealing sensitive data like browser credentials, crypto wallets, and Facebook cookies. With unimplemented features hinting at future expansion, Noodlophile poses a growing risk to organizations worldwide.

---

Introduction

The cybersecurity landscape is witnessing the rapid evolution of Noodlophile Stealer, a malware strain that has transitioned from obscure origins to a global menace. Initially documented as an underground malware-as-a-service (MaaS), Noodlophile has expanded its reach by exploiting copyright phishing schemes and AI-themed baits. Its latest campaign demonstrates a highly targeted approach, leveraging reconnaissance-derived details to deceive victims into downloading malicious payloads.

This article explores the evolution of Noodlophile Stealer, its tactics, techniques, and procedures (TTPs), and the broader implications for enterprises worldwide.

---

The Rise of Noodlophile Stealer

From Obscurity to Global Threat

Noodlophile Stealer first emerged as a previously undocumented malware sold on cybercrime forums as part of malware-as-a-service (MaaS) schemes. Its developer, suspected to be Vietnamese, actively promoted the malware in Facebook groups and other underground communities. Initially, Noodlophile was distributed through fake AI tools, capitalizing on the hype surrounding AI-driven applications ¹.

Exploitation of AI Hype

In May 2025, researchers at Morphisec observed threat actors using viral social media posts and Facebook groups to promote fake AI video tools like “Dream Machine” and “CapCut”. Unsuspecting users, lured by the promise of free AI-powered video generation, unknowingly downloaded Noodlophile Stealer. The malware was designed to steal browser credentials, crypto wallets, and install remote access trojans (RATs) like XWorm ¹.

---

Evolution of Attack Tactics

Copyright Phishing: A New Vector

The latest iteration of Noodlophile Stealer has shifted its focus to copyright phishing, a tactic that exploits enterprises’ reliance on social media platforms. Threat actors send highly personalized spear-phishing emails disguised as copyright infringement notices. These emails include specific details such as:

• Facebook Page IDs
• Company ownership information
• Legal threats

The emails often originate from Gmail accounts to evade suspicion and pressure recipients into clicking malicious links disguised as “evidence files” (e.g., “View Copyright Infringement Evidence.pdf”) ².

Example of a copyright phishing email used in the Noodlophile campaign.

---

Advanced Delivery Mechanisms

Noodlophile Stealer employs sophisticated delivery mechanisms to evade detection:

1. DLL Side-Loading: The malware exploits legitimate software vulnerabilities, such as those in Haihaisoft PDF Reader, to load malicious DLLs.
2. Recursive Stub Loading: Attackers use chained DLL flaws to execute payloads covertly.
3. Telegram-Based Staging: Malicious scripts extract download links from Telegram group descriptions, enabling dynamic payload execution.
4. Free Hosting Platforms: The final stealer is hosted on platforms like Paste.rs, making takedowns difficult ².

The infection chain of Noodlophile Stealer, showcasing its multi-stage attack process.

---

Evasion and Persistence

To remain undetected, Noodlophile Stealer incorporates:

• In-Memory Execution: Avoids disk-based detection by executing payloads in memory.
• LOLBins Abuse: Uses Living-off-the-Land Binaries (LOLBins) like certutil.exe to bypass security measures.
• Registry Persistence: Ensures long-term access by modifying Windows registry keys.
• Trace Deletion: Removes evidence of its presence to evade forensic analysis ².

---

Targeted Data and Future Threats

Sensitive Data Theft

Noodlophile Stealer is designed to exfiltrate sensitive information, including:

• Browser credentials (cookies, saved passwords)
• Crypto wallet data
• Facebook session cookies
• Credit card details

Unimplemented Features

The malware’s code contains placeholders for future functionalities, suggesting potential expansion into:

• Keylogging
• Screenshot capture
• File encryption (ransomware capabilities)
• Advanced file exfiltration ²

Overview of Noodlophile Stealer’s current and potential capabilities.

---

Why This Matters

The evolution of Noodlophile Stealer highlights several critical trends in cybersecurity:

1. Increased Sophistication: Threat actors are combining social engineering, advanced evasion techniques, and dynamic payload delivery to bypass traditional defenses.
2. Global Reach: The campaign targets enterprises across multiple regions, demonstrating the borderless nature of cyber threats.
3. Future Risks: With unimplemented features hinting at ransomware and advanced espionage, Noodlophile could evolve into a multi-functional threat.

---

Mitigation Strategies

Enterprises can protect themselves by:

• Educating employees about phishing tactics and social engineering red flags.
• Monitoring suspicious emails, particularly those claiming copyright violations.
• Implementing advanced threat detection to identify in-memory execution and LOLBins abuse.
• Restricting access to untrusted hosting platforms like Paste.rs.

---

Conclusion

The Noodlophile Stealer campaign represents a significant escalation in cyber threats, combining personalized phishing, AI-themed lures, and advanced evasion techniques. As threat actors continue to refine their tactics, organizations must adopt proactive defense strategies to mitigate risks. The potential for future expansion—including ransomware and espionage capabilities—makes Noodlophile a critical threat to watch in the coming months.

For real-time updates on cybersecurity threats, follow Security Affairs on Twitter, Facebook, and Mastodon.

---

References

1. Morphisec (2025). “Threat Actors Use Fake AI Tools to Deliver the Information Stealer Noodlophile”. Security Affairs. Retrieved 2025-08-19. ↩︎ ↩︎²

2. Morphisec (2025). “Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints”. Morphisec Blog. Retrieved 2025-08-19. ↩︎ ↩︎² ↩︎³ ↩︎⁴