Noodlophile Malware Puts Enterprise Facebook Pages
A year-long campaign sharpens its aim
A threat dubbed Noodlophile is turning a steady trickle of phishing into a focused rush at companies across the U.S., Europe, the Baltics, and the Asia-Pacific region. Security researchers say the group behind it has been at work for more than a year, but the latest wave shows a clear upgrade in both the bait and the delivery. The attackers now send spear-phishing emails that look like urgent copyright complaints related to Facebook Pages. These messages aren’t generic, either—they’re dressed up with details that are hard to ignore, such as real Page IDs and even company ownership information. The goal is simple: push employees to click and run a file that opens the door to an information-stealing program.
Back in May 2025, researchers traced Noodlophile to fake “AI tools” promoted on social networks. Those lures still exist, but the campaign has shifted. The copyright angle isn’t new in cybercrime—other crews used it in late 2024 to spread different stealers—but Noodlophile’s operators have added new twists that make the scam feel credible and the payload harder to catch.
The hook: fake copyright claims sent from throwaway Gmail accounts
The attack usually starts with an email that looks like a fire drill. It claims your organization’s Facebook Page has violated copyright, and unless you act fast, the Page will be suspended. The messages often come from fresh Gmail accounts to blend into everyday inbox noise. Inside is a link to a Dropbox file—typically a ZIP archive or an MSI installer—advertised as “evidence” or a “report.” That file is the trap.
Open it, and a chain of actions begins. A legitimate program is run, and a hidden piece of code rides along with it. The technique is called DLL sideloading, and in this case the attackers piggyback on binaries tied to Haihaisoft PDF Reader. The trusted program loads a malicious library, which then launches the Noodlophile stealer. Before that happens, batch scripts poke the Windows Registry to set up persistence, making sure the malware runs again after a reboot.
The cover: Telegram “dead drops” and in-memory tricks
One of the clever parts of this operation is how the malware learns where to fetch its final payload. Rather than hard-coding a server, the attackers use Telegram group descriptions as a “dead drop” to post the current address. The malware reads the description, learns to reach out to a site like paste[.]rs, and downloads what it needs from there. If one address gets blocked, the group can switch the description and keep moving.
The crew hasn’t abandoned old habits—it still leans on tactics like Base64-packed files and living-off-the-land tools, including certutil.exe, that already exist on Windows systems. But the newest builds also do more work in memory, leaving fewer traces on disk. That makes them harder for traditional antivirus tools to spot and stop.
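The three on-host behaviours described above (a trusted executable loading an unsigned DLL from the same user-writable folder, certutil.exe used as a decoder or downloader, and a batch-driven Registry Run-key entry) are the kind of signals an endpoint team can triage from process-creation and image-load telemetry. The script below is an added example written for this article, not code from the researchers or from any vendor. The log lines it reads are constructed for the example, and their simplified Sysmon-like key=value layout is an assumption rather than a real export format; the rules are heuristics meant to surface events for a human to review, not a definitive signature for this campaign.

```python
"""Heuristic triage of Windows process-creation (EventID=1) and image-load
(EventID=7) events for behaviours described in the article:
  - DLL sideloading: an executable loads an unsigned DLL from its own
    user-writable directory (Downloads, Temp, ProgramData, ...)
  - certutil.exe abuse: -decode/-encode/-urlcache switches, which are the
    ones used to unpack Base64-packed files or fetch content
  - Run-key persistence written with reg.exe, pointing at a user-writable path

The field layout ('key=value', quoted when the value has spaces) is an
assumption made for this example; adapt parse_event() to your own export.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample telemetry for this example; not real events.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Users\\alice\\Downloads\\Evidence\\PDFReader.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="PDFReader.exe"',
    'EventID=7 Image=C:\\Users\\alice\\Downloads\\Evidence\\PDFReader.exe ImageLoaded=C:\\Users\\alice\\Downloads\\Evidence\\version.dll Signed=false',
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="certutil -decode C:\\Users\\alice\\AppData\\Local\\Temp\\blob.txt C:\\Users\\alice\\AppData\\Local\\Temp\\out.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\reg.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\alice\\AppData\\Roaming\\u.bat"',
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine="certutil -verify C:\\Windows\\Temp\\cert.cer"',
    'EventID=7 Image="C:\\Program Files\\Vendor\\app.exe" ImageLoaded=C:\\Windows\\System32\\version.dll Signed=true',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
USER_WRITABLE_RE = re.compile(r'\\(users|temp|programdata)\\', re.IGNORECASE)
CERTUTIL_ABUSE_RE = re.compile(r'-(decode|decodehex|urlcache|encode)\b', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_event(line: str) -> dict:
    """Split one 'key=value key="value with spaces"' line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def check_sideload(ev: dict):
    """Image-load where the DLL sits next to the EXE in a user-writable folder and is unsigned."""
    if ev.get("EventID") != "7":
        return None
    exe = PureWindowsPath(ev.get("Image", ""))
    dll = PureWindowsPath(ev.get("ImageLoaded", ""))
    same_dir = exe.parent == dll.parent           # PureWindowsPath compares case-insensitively
    unsigned = ev.get("Signed", "").lower() != "true"
    if same_dir and unsigned and USER_WRITABLE_RE.search(str(dll)):
        return f"{exe.name} loaded unsigned {dll.name} from its own user-writable directory {dll.parent}"
    return None


def check_certutil(ev: dict):
    """certutil.exe launched with a decode/encode/urlcache switch (living-off-the-land use)."""
    if ev.get("EventID") != "1":
        return None
    if PureWindowsPath(ev.get("Image", "")).name.lower() != "certutil.exe":
        return None
    match = CERTUTIL_ABUSE_RE.search(ev.get("CommandLine", ""))
    if match:
        parent = PureWindowsPath(ev.get("ParentImage", "")).name
        return f"certutil invoked with -{match.group(1)} by parent {parent}"
    return None


def check_run_key(ev: dict):
    """reg.exe writing a Run/RunOnce value, the persistence mechanism batch scripts commonly use."""
    if ev.get("EventID") != "1":
        return None
    cmd = ev.get("CommandLine", "")
    if PureWindowsPath(ev.get("Image", "")).name.lower() == "reg.exe" and RUN_KEY_RE.search(cmd):
        where = "a user-writable path" if USER_WRITABLE_RE.search(cmd) else "a path"
        return f"Run-key persistence written, value points to {where}: {cmd}"
    return None


CHECKS = {
    "dll_sideload": check_sideload,
    "certutil_abuse": check_certutil,
    "run_key_persistence": check_run_key,
}


def triage(lines) -> list:
    """Run every check over every event; return findings in log order."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule, check in CHECKS.items():
            detail = check(ev)
            if detail:
                findings.append(Finding(rule, line_no, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

Run against the constructed sample, the script flags lines 2, 3 and 4 and stays quiet on the benign certutil -verify call and on the signed system DLL loaded from System32. In practice the three rules are strongest when correlated on one host within a short window: a user-writable sideload followed by certutil decoding and a Run-key write is a far better signal than any one of them alone, since each individually has legitimate uses.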
The payload: a stealer that’s growing up fast
At its core, Noodlophile is an information stealer. It hunts for browser data—saved logins, cookies, session tokens—and collects system details that help an attacker understand where they’ve landed. Code reviews show the malware is under active development. There are hooks for features that are either being tested or are next in line: screenshot capture, keylogging, file theft, process monitoring, network scanning, even file encryption and deep browser history scraping. Not every function is live today, but the direction is clear. The more the malware can do without tipping off the user, the more valuable each intrusion becomes.
This focus on browser loot says a lot about who’s being targeted. Companies that manage large social footprints—especially on Facebook—are prime targets. If attackers steal the right cookies, they may be able to jump straight into admin dashboards, hijack advertising accounts, or post in the name of the brand. From there, the damage spreads outward: fraud, reputational harm, and a trail of cleanup that drains time and budget.
Why this campaign matters now
Phishing emails wrapped in legal-sounding language work because they short-circuit common sense. An employee sees an urgent copyright claim about a public-facing Page and rushes to open the “evidence” to make the problem go away. Noodlophile’s operators know this and add just enough real-world detail to push that impulse over the edge. By layering Telegram-based instructions and memory-only execution, they also make life harder for defenders, takedown teams, and endpoint tools.
The lesson for enterprises is straightforward but urgent. Treat any copyright notice delivered through consumer email domains or file-sharing links with suspicion. Confirm claims through official channels, not links in the message. Lock down Facebook Page roles and advertising accounts with strong, unique passwords and multi-factor authentication—preferably hardware keys. Watch for DLL sideloading flags in your endpoint logs, and monitor for unusual use of tools like certutil. If your teams must use Dropbox or MSI installers, restrict where they can run from and who can run them.
Noodlophile isn’t the loudest name in cybercrime, but the campaign’s steady upgrades show a patient, practical mindset: pick lures that people act on, hide the handoffs, and squeeze as much as possible from stolen browser data. For companies that live and breathe social channels, that combination makes this threat more than a nuisance—it’s a direct line to account takeover, ad fraud, and brand damage. The window to get ahead of it is open now; once those cookies and sessions are gone, you’re playing from behind.
The bottom line
Noodlophile’s latest move isn’t about flashy zero-days. It’s about believable emails, careful staging, and a stealer that keeps growing. That mix turns everyday social media operations into a real business risk. If your brand’s Facebook presence is central to your marketing or support, assume you’re in scope—and act like it.