Fake Copyright Notices Drop New Noodlophile Stealer Variant

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and DLL side-loading to steal data.

A new, highly advanced cyber threat is on the rise, using fake copyright claims to trick businesses into downloading dangerous software. According to a new report from cybersecurity firm Morphisec, this malware is an upgraded version of the Noodlophile Stealer, which is now targeting companies in the US, Europe, Baltic countries, and the Asia-Pacific region.

Morphisec’s latest threat analysis, exclusively shared with Hackread.com, describes how the threat has evolved from its earlier method of using fake AI platforms to a more sophisticated approach. The diagram illustrates the step-by-step process of the attack, from the initial lure to the final data theft.

Attack Flow (Source: Morphisec)

Researchers found that this new attack uses highly personalized phishing emails disguised as official copyright infringement notices. The messages, which can be in multiple languages, are sent to key employees or the general company inboxes and often contain specific details about the company’s Facebook page, such as its unique ID.

This makes the emails appear genuine and creates a sense of urgency. The goal is to pressure a recipient into clicking a link to “view evidence” of the supposed violation, which is actually a download link for the malicious software.

One of the phishing emails disguising itself as a legal notice (Image via Morphisec)

**Delivery Method**

According to Morphisec’s blog post, shared with Hackread.com ahead of its publication on Monday, 18, 2025, the malware is no longer delivered through fake websites. Instead, the lure links to Dropbox, which serves a compressed archive such as a ZIP file. This archive contains a legitimate application that has been tampered with to load a hidden malicious file placed alongside it, a technique known as DLL side-loading.

This method tricks trusted software (like PDF readers) into unknowingly running the malware. The final malicious code is disguised and uses the messaging app Telegram to evade detection by security tools.

**Stolen Data and Future Threat**

Once executed, the malware focuses on stealing a wide range of sensitive data from web browsers, including login credentials, credit card numbers, and autofill information. It also collects computer details like usernames and operating system versions.

Researchers note that the malware’s code contains placeholder functions, indicating that its creators plan to add more dangerous capabilities in the future, such as keylogging and capturing screenshots.

A key part of the process is bypassing security features in browsers like Chrome, allowing it to steal saved login data. The process of getting the final malware onto the computer is also heavily disguised, with files renamed to look like documents or images.
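The two delivery tricks described above, a legitimate application shipped next to the DLL it will load from its own directory and payload files renamed to look like documents or images, both leave traces in the archive listing itself. The following triage script is an added example written for this page; it is not code from the HackRead article or from Morphisec's report. It builds a small constructed ZIP in memory (the file names are invented for illustration, not the campaign's actual file names) and scans it for the two patterns: an executable and a DLL sharing a directory (a side-loading candidate) and names that hide an executable behind a document or image extension, either through a double extension or through a file whose content starts with the PE "MZ" header while its name claims to be a document or picture.

```python
"""Triage an archive for DLL side-loading and masquerading indicators.

Added example, not from the HackRead article or Morphisec's report.
The sample archive and all file names in it are constructed.
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com"}
DOC_IMAGE_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".txt"}
MZ_HEADER = b"MZ"  # DOS header magic shared by Windows EXE and DLL files


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the described delivery pattern."""
    fake_pe = MZ_HEADER + b"\x90" * 64  # stand-in for a PE file body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed names: a benign-looking viewer plus a DLL beside it.
        zf.writestr("Evidence/PDFViewer.exe", fake_pe)
        zf.writestr("Evidence/version.dll", fake_pe)
        # Double extension: looks like a PDF, runs as an executable.
        zf.writestr("Evidence/Copyright_Notice.pdf.exe", fake_pe)
        # Image name, but the content is a PE file.
        zf.writestr("Evidence/photo.jpg", fake_pe)
        # A genuinely harmless text file for contrast.
        zf.writestr("Evidence/readme.txt", b"plain text")
    return buf.getvalue()


def scan_archive(data: bytes) -> dict:
    """Return side-loading and masquerade findings for a ZIP given as bytes."""
    findings = {"side_loading": [], "masquerade": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]

        # Group entries by directory: side-loading needs the DLL next to the EXE.
        by_dir = {}
        for info in members:
            by_dir.setdefault(posixpath.dirname(info.filename), []).append(info)
        for directory, infos in by_dir.items():
            exes = [i.filename for i in infos
                    if posixpath.splitext(i.filename)[1].lower() in EXECUTABLE_EXTS]
            dlls = [i.filename for i in infos if i.filename.lower().endswith(".dll")]
            if exes and dlls:
                findings["side_loading"].append(
                    {"dir": directory, "executables": exes, "dlls": dlls})

        # Masquerade checks on each file name and its first two bytes.
        for info in members:
            lower = posixpath.basename(info.filename).lower()
            root, ext = posixpath.splitext(lower)
            inner_ext = posixpath.splitext(root)[1]
            if ext in EXECUTABLE_EXTS and inner_ext in DOC_IMAGE_EXTS:
                findings["masquerade"].append((info.filename, "double extension"))
                continue
            if ext in DOC_IMAGE_EXTS:
                with zf.open(info) as fh:
                    if fh.read(2) == MZ_HEADER:
                        findings["masquerade"].append(
                            (info.filename, "PE header under document/image name"))
    return findings


if __name__ == "__main__":
    for kind, items in scan_archive(build_sample_zip()).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The directory-grouping rule is deliberately coarse: a legitimate installer can also ship an executable with its DLLs, so the side-loading finding is a triage signal to be confirmed by checking whether the DLL's name matches one the executable imports and whether it carries a valid signature, not a verdict on its own. The masquerade checks, by contrast, rarely have a benign explanation in an attachment that claims to be "evidence" of a copyright violation.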

Considering the evolving nature of this threat, businesses must carefully monitor suspicious emails and inspect even those that appear to be from a trusted source to protect their valuable data.
