Particle.news

Noodlophile Stealer Surfaces in Evolved Copyright Phishing Scheme

Morphisec researchers warn attackers are using personalized infringement notices with trusted file-hosting links to stealthily deploy an upgraded infostealer.

Phishing Scam with Fake Copyright Notices Drops Noodlophile Stealer

Overview

  • Attackers are sending highly customized spear-phishing emails impersonating law firms to targets in the US, Europe, Baltic states and APAC under the pretense of copyright infringement notices.
  • Phishing links lead victims to Dropbox-hosted ZIP or MSI archives containing legitimate signed applications modified to load hidden malicious DLLs.
  • After initial execution, the campaign runs batch scripts and portable Python interpreters to fetch the final Noodlophile payload from free platforms like paste.rs via Telegram.
  • Once installed, the stealer exfiltrates browser cookies, autofill entries, saved credit cards and system fingerprints while establishing persistence in the Programs\Startup folder and self-deleting execution traces.
  • Analysis of the latest variant reveals placeholder functions indicating planned additions such as keylogging, screenshot capture, process monitoring and file encryption.
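A hunting sketch for the post-execution behaviours listed above (a portable Python interpreter in a user-writable path, a fetch from paste.rs, a write to Programs\Startup), correlated per host. This is an added example, not code from Morphisec or the article; the event field names, host names, user names and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(Users|ProgramData)\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PYTHON = re.compile(r"\\pythonw?\.exe$", re.I)
STAGING_HOSTS = {"paste.rs"}  # the only staging host named in the overview

# Constructed sample events; field names are assumptions loosely modelled
# on endpoint process, network and file-create telemetry.
EVENTS = [
    {"host": "WS-01", "type": "process",
     "image": r"C:\Users\amy\Downloads\notice\python.exe"},
    {"host": "WS-01", "type": "network", "dest_host": "paste.rs",
     "image": r"C:\Users\amy\Downloads\notice\python.exe"},
    {"host": "WS-01", "type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\amy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"host": "WS-02", "type": "process",
     "image": r"C:\Program Files\Python312\python.exe"},
    {"host": "WS-02", "type": "network", "dest_host": "paste.rs",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"host": "WS-03", "type": "file_create", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chat.lnk"},
]

def match_rules(ev):
    """Return the names of the overview's behaviours that this event shows."""
    hits = []
    image = ev.get("image", "")
    # An interpreter run from a user-writable path rather than an installed location.
    portable_py = bool(PYTHON.search(image) and USER_WRITABLE.search(image))
    if ev["type"] == "process" and portable_py:
        hits.append("portable_python")
    if ev["type"] == "network" and portable_py \
            and ev.get("dest_host", "").lower() in STAGING_HOSTS:
        hits.append("staging_fetch")
    if ev["type"] == "file_create" and STARTUP.search(ev.get("target", "")):
        hits.append("startup_persistence")
    return hits

def hunt(events, threshold=2):
    """Report hosts that show at least `threshold` distinct behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}
```

Requiring two or more distinct behaviours on one host keeps a lone Startup write by an installer (WS-03) or a browser visit to paste.rs (WS-02) from raising an alert on its own.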