Noodlophile: Is Your Enterprise’s Digital Presence Now Its Biggest Risk?

Souped-up social engineering.
David Eberly
Contributing Writer

A new wave of phishing attacks is catching enterprises off guard by turning their public-facing digital presence into a vulnerability. The Noodlophile Stealer, a relatively new malware strain first seen spreading via fake AI video tools, has undergone a dramatic upgrade.

It’s now targeting organizations with active Facebook pages using highly convincing copyright infringement notices as bait.

The attacker’s playbook leans on multilingual social engineering and a payload delivery system designed to bypass traditional defenses.

A Familiar Lure with a Smarter Twist

Phishing emails at the center of this campaign look eerily real.

Complete with authentic Facebook Page IDs and accurate ownership information, these messages arrive cloaked in pressing legal language. On the surface, it’s a copyright complaint. Underneath, it’s the first step in a malware deployment designed to steal sensitive data.

Rather than blanket spam, these emails are targeted.

Many are sent to general-purpose info@ or support@ inboxes but are customized with company-specific details.

The use of localization is especially noteworthy.

Emails have been spotted in native company languages, often with formatting and phrasing that suggest AI-generated fluency.

Delivery Disguised in Legitimacy

Getting the victim to click is just the first act.

The malware’s second trick is hiding inside software the user is likely to trust.

Instead of shipping obvious malware, attackers bundle their stealer with signed applications like Haihaisoft PDF Reader or Excel converters. These apps are abused via DLL side-loading, a technique that gets malicious code running inside a legitimate, signed process, ideal for flying under the radar of traditional antivirus software.

In some cases, the malicious code is layered through multiple DLLs, using recursive stub loading. Others rely on chained vulnerabilities, where one compromised DLL opens the door for another.

Either way, the malware stays comfortably camouflaged.

The files are delivered as ZIP archives via shortened URLs and Dropbox links. Inside are innocuous-looking items such as .docx or .png files that kick off the infection chain when opened.

Staging the Attack

With the malicious DLL in place, the campaign moves into its staging phase.

Files inside the ZIP archive are renamed to disguise their true purpose: BAT scripts and Python interpreters are hidden behind extensions like .pptx or .pdf. These scripts are designed to ensure persistence, embedding themselves in the system’s registry so they launch automatically at startup.

Some versions even reach out to external servers to retrieve additional disguised payloads.
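
As an added illustration (not code from the original article or from any Noodlophile analysis), the following Python script performs the kind of content-versus-extension check a mail gateway or sandbox could apply to archives like these: it reads the first bytes of every member of a ZIP and flags files whose document extension does not match what is actually inside. The archive it scans is constructed inline for the demonstration.

```python
import io
import zipfile

# A member with one of these extensions should start with the format's magic bytes.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF",
    ".pptx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".docx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}

# Content signatures (matched case-insensitively) that betray a script or PE behind a document extension.
SUSPICIOUS_STARTS = (
    (b"mz", "PE executable (EXE/DLL)"),
    (b"@echo off", "batch script"),
    (b"import ", "python source"),
)

def classify_member(name, head):
    # Return a finding string if the member's content contradicts its extension.
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext not in EXPECTED_MAGIC or head.startswith(EXPECTED_MAGIC[ext]):
        return None
    probe = head.lstrip().lower()
    for sig, label in SUSPICIOUS_STARTS:
        if probe.startswith(sig):
            return f"{name}: {ext} extension but content looks like a {label}"
    return f"{name}: {ext} extension but unrecognised content"

def scan_zip(data):
    # Read only the first 64 bytes of each member; that is where magic bytes live.
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(64)
            finding = classify_member(info.filename, head)
            if finding:
                findings.append(finding)
    return findings

def build_sample_archive():
    # Constructed sample archive for demonstration; not a real malware sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_Notice.pdf", b"%PDF-1.4\n% harmless placeholder\n")
        zf.writestr("Evidence.pptx", b"@echo off\r\necho constructed sample\r\n")
        zf.writestr("python.pdf", b"MZ\x90\x00 constructed fake PE header")
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()
```

Running scan_zip(build_sample_archive()) reports the two disguised members and stays silent on the genuine PDF and PNG.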

What It Steals, and What’s Next

The current version of Noodlophile goes after browser-based credentials and sensitive data. That includes:

  • Facebook cookies, especially those stored in SQLite files.
  • Login credentials from Chrome, Firefox, and Edge.
  • Saved credit card details, accessed by bypassing Chrome’s protections.
  • System information, including installed antivirus software and device specs.
  • Environment variables, like computer names and user profiles.

After execution, it deletes itself to reduce the chances of detection.

What’s even more concerning is what might come next.

Buried in the code are placeholder functions for advanced monitoring.

These haven’t been activated…yet.

However, their presence suggests the malware’s authors are building toward a full-featured espionage or ransomware toolkit.

The Wrap

Noodlophile Stealer is a telling glimpse into the future of cyber threats.

What makes this campaign dangerous isn’t brute force or novel exploits; it’s the capacity to blend seamlessly into the trusted frameworks that organizations rely on daily.

For enterprises with a large social media presence, the stakes are higher.

Every public-facing page, every published brand asset, becomes a potential weapon in an attacker’s arsenal.

Now is the time for CIOs and CISOs to recalibrate their defenses, meaning:

  • Training teams to spot sophisticated phishing attempts.
  • Auditing the use of third-party software vulnerable to DLL side-loading.
  • Monitoring systems for script-based persistence mechanisms.
  • Reducing unnecessary exposure of metadata and admin contacts online.
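
As an added example of the third point, not part of the original article: a small Python triage routine that reviews Run-key autorun entries and flags the pattern described in the staging section, an interpreter such as cmd.exe or python.exe launching a file with a document extension, or a script from a user-writable directory. The registry entries below are constructed samples, and the heuristics are the author of this example's, not a published detection rule.

```python
import re

# Interpreters and launchers a renamed BAT or Python payload needs in order to run.
INTERPRETERS = ("cmd.exe", "cmd /", "python.exe", "pythonw.exe",
                "wscript.exe", "cscript.exe", "powershell")
# Document extensions the staging phase uses as disguises for scripts and interpreters.
DOC_EXT_RE = re.compile(r"\.(pdf|pptx|docx|png)(?=[\s\"']|$)", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|py|vbs|ps1)(?=[\s\"']|$)", re.IGNORECASE)
# Locations an ordinary user can write to; legitimate autoruns rarely run scripts from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.IGNORECASE)

def triage_autorun(name, command):
    # Return a reason string if a Run-key entry looks like script-based persistence.
    lowered = command.lower()
    if not any(i in lowered for i in INTERPRETERS):
        return None
    if DOC_EXT_RE.search(command):
        return f"{name}: interpreter launched against a document-named file"
    if SCRIPT_EXT_RE.search(command) and USER_WRITABLE_RE.search(command):
        return f"{name}: interpreter runs a script from a user-writable location"
    return None

def triage_all(entries):
    # entries maps Run-key value names to their command strings.
    return [r for name, cmd in entries.items() if (r := triage_autorun(name, cmd))]

# Constructed sample Run-key values (not taken from a real host).
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "ReaderUpdate": r'cmd.exe /c start "" "C:\Users\jdoe\AppData\Roaming\Reader\upd.bat"',
    "DocSync": r'"C:\ProgramData\Sync\python.exe" "C:\ProgramData\Sync\Slides.pptx"',
}
```

On a live Windows host, feed triage_all the name/value pairs read with the winreg module from the Run keys under HKCU and HKLM at Software\Microsoft\Windows\CurrentVersion\Run; the sample dictionary stands in for that here.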

Noodlophile is proving that the better your brand is known, the more attractive you become to attackers.
