Noodlophile Malware Evolves with Fake Job Postings and Phishing Lures
Key Takeaways
- The Noodlophile information stealer, first observed in May 2025, has significantly evolved its distribution methods and evasion techniques.
- Threat actors, linked to the Vietnamese group UNC6229, are now leveraging fake job postings and sophisticated phishing lures to target job seekers, students, and digital marketers.
- The malware incorporates advanced technical obfuscation, including a unique retaliatory tactic designed to crash AI-based analysis tools.
- Noodlophile continues to exfiltrate credentials and cryptocurrency via Telegram bots, posing a substantial risk to individuals and enterprises.
Noodlophile Malware Adopts Fake Job Postings and Anti-Analysis Tactics
The Noodlophile information stealer, initially discovered in May 2025, has undergone a significant transformation, now employing advanced social engineering and technical evasion tactics to circumvent modern security defenses. Threat actors have pivoted from their original distribution methods to exploit the current remote work landscape.
Early campaigns involving Noodlophile leveraged deceptive advertisements for fabricated AI video generation platforms on social media. These initial attacks aimed to trick users into downloading malicious ZIP files, primarily focusing on harvesting credentials and cryptocurrency wallet information, which was then exfiltrated via Telegram bots.
Shift to Exploiting the Job Market
The operators, identified as the Vietnamese group UNC6229, have redirected their efforts toward exploiting the high demand for remote employment. They are now utilizing fake job postings to target a broad audience, including job seekers, students, and professionals in digital marketing. These sophisticated phishing lures often masquerade as employment application forms or skill assessment tests. The delivery mechanism typically involves multi-stage stealers and Remote Access Trojans, deployed through DLL sideloading tactics.
A Unique Retaliatory Evasion Tactic
Analysts at Morphisec uncovered a distinctive retaliatory tactic embedded within the updated Noodlophile code. The malware developers intentionally padded malicious files with millions of repetitions of a vulgar Vietnamese phrase specifically aimed at the security firm. This deliberate file bloat is designed to overload and crash AI-based analysis tools that rely on the standard Python dis module (for example dis.dis(obj)) to disassemble bytecode, thereby hindering automated threat investigation processes.
Despite these theatrical additions and technical advancements, the malware maintains its reliance on Telegram bots for command and control communications. The ongoing persistence and evolution of these attacks underscore the critical need for increased user awareness when engaging with online recruitment platforms. The combination of social engineering and technical evasion presents a significant threat to both individual and enterprise security.
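A triage check like the one below, added here as an illustration and not part of Morphisec's or the original article's tooling, catches this kind of bloat padding before a file is handed to a disassembler or an AI-assisted analyzer. The two sample blobs, the placeholder phrase and the thresholds are constructed for the demo. It looks for an extreme compression ratio and for a sliding window that recurs thousands of times, derives the repeating unit from that window, and strips it so the remainder is small enough to analyse:

```python
import random
import zlib
from collections import Counter

# Constructed stand-ins for a clean binary and a padded one (not real samples).
# The padded Noodlophile files repeat a phrase millions of times; a short
# placeholder repeated a few thousand times reproduces the same signal.
NORMAL_SAMPLE = random.Random(7).randbytes(16384)      # incompressible, nothing repeats
PADDING_PHRASE = b"PADDING_PHRASE_PLACEHOLDER "          # placeholder, not the real string
PADDED_SAMPLE = b"MZ\x90\x00stub" + PADDING_PHRASE * 5000 + b"\x00trailer"


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; repeated padding compresses to almost nothing."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def most_repeated_window(data: bytes, width: int = 64) -> tuple[bytes, int]:
    """Most frequent sliding window of `width` bytes and its occurrence count.
    Inside repeated padding every window recurs thousands of times, and the
    window itself shows the analyst what the padding looks like."""
    counts = Counter(data[i:i + width] for i in range(len(data) - width + 1))
    if not counts:
        return b"", 0
    return counts.most_common(1)[0]


def padding_unit(window: bytes) -> bytes:
    """Shortest period of the window, i.e. the repeating unit of the padding.
    Falls back to the whole window when it is longer than the window."""
    for p in range(1, len(window)):
        if window[p:] == window[:len(window) - p]:
            return window[:p]
    return window


def triage(data: bytes, ratio_threshold: float = 0.05, repeat_threshold: int = 1000) -> dict:
    """Flag a blob as bloat-padded before passing it to dis.dis() or an ML model."""
    ratio = compression_ratio(data)
    window, repeats = most_repeated_window(data)
    return {
        "size": len(data),
        "compression_ratio": round(ratio, 4),
        "top_window_repeats": repeats,
        "padding_unit": padding_unit(window) if repeats >= repeat_threshold else b"",
        "padded": ratio < ratio_threshold or repeats >= repeat_threshold,
    }


def strip_padding(data: bytes) -> bytes:
    """Remove the detected repeating unit so the remainder can be analysed normally."""
    result = triage(data)
    unit = result["padding_unit"]
    return data.replace(unit, b"") if unit else data


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(label, triage(blob))
    print("bytes left after stripping:", len(strip_padding(PADDED_SAMPLE)))
```

The thresholds are starting points, not tuned values: a compression ratio below a few percent is rare for a real executable, and a 64-byte window that occurs a thousand times is not something legitimate code produces. On multi-megabyte samples, cap the number of bytes fed to the Counter so the triage step itself cannot be turned into the denial of service it is meant to prevent.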
Technical Evasion and Obfuscation Tactics
The latest iterations of Noodlophile incorporate several technical improvements aimed at complicating reverse engineering efforts. The developers have integrated the classic djb2 rotating hashing algorithm within the function loader shellcode. This lightweight approach facilitates reliable dynamic API resolution, making static analysis considerably more challenging for defenders attempting to decipher the code’s behavior.
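Hash-based API resolution is defeated on the analyst's side by precomputing the hashes of candidate export names and matching the constants found in the loader against that table. The following is an added example of that lookup, not code from the article or from the malware; the export-name list and the "seen" constants are constructed, and the exact djb2 flavour Noodlophile uses (seed, add versus xor, case handling) is not stated in the article and has to be confirmed against the sample, which is why the table covers the common variants:

```python
MASK32 = 0xFFFFFFFF
DJB2_SEED = 5381


def djb2(name: bytes) -> int:
    """Classic djb2: h = h * 33 + c, truncated to 32 bits."""
    h = DJB2_SEED
    for c in name:
        h = ((h << 5) + h + c) & MASK32
    return h


def djb2_xor(name: bytes) -> int:
    """Common djb2 variant (often called djb2a): h = (h * 33) ^ c."""
    h = DJB2_SEED
    for c in name:
        h = (((h << 5) + h) ^ c) & MASK32
    return h


VARIANTS = {"djb2": djb2, "djb2_xor": djb2_xor}

# Constructed list of export names for the demo. In practice, dump the export
# tables of the DLLs the sample is expected to load (kernel32, ntdll, ...).
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "ReadFile", "CreateProcessW", "ExitProcess",
    "InternetOpenA", "HttpSendRequestA", "CryptUnprotectData",
]


def build_table(names, variants=VARIANTS):
    """Map every hash a loader might compute (per variant, per casing) back to the name."""
    table: dict[int, list[tuple[str, str, str]]] = {}
    for name in names:
        for variant, fn in variants.items():
            for casing, text in (("as-is", name), ("lower", name.lower()), ("upper", name.upper())):
                table.setdefault(fn(text.encode()), []).append((name, variant, casing))
    return table


def resolve(h: int, table) -> list[tuple[str, str, str]]:
    """All (name, variant, casing) combinations that produce hash h; empty if unknown."""
    return table.get(h & MASK32, [])


def resolve_all(hashes, table) -> dict[int, list[tuple[str, str, str]]]:
    return {h: resolve(h, table) for h in hashes}


TABLE = build_table(API_NAMES)

if __name__ == "__main__":
    # Constructed stand-ins for constants lifted from a loader's compare sequence.
    seen = [djb2(b"VirtualAlloc"), djb2_xor(b"createprocessw"), 0xDEADBEEF]
    for h, matches in resolve_all(seen, TABLE).items():
        print(f"{h:#010x} -> {matches or 'unresolved'}")
```

Once the variant is confirmed from one resolved constant, the table can be regenerated for that variant only, and the resolved names make a much better detection signature than the hash constants themselves, which change whenever the operators switch the seed.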
Furthermore, the binary now includes a hardcoded signature validation mechanism. This internal self-check detects tampering by anti-analysis or debugging tools, terminating execution if any modifications are detected. To enhance operational security, the attackers have implemented an RC4 encryption layer to protect the command file, specifically named “Chingchong.cmd,” obscuring its contents from immediate inspection.
Finally, the threat actors have moved away from using plain text strings, instead employing XOR encoding to hide previously visible data. This technique effectively bypasses simple string-based detection rules frequently used by security teams for rapid malware identification.
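Single-byte XOR encoding hides strings from a plain string scan, but it is cheap to undo during triage: try all 256 keys and keep the ones whose output is mostly printable. The block below is an added example of that recovery step, not code from the article; the plaintext, the key and the placeholder bot token are constructed, and the multi-byte case is handled by xor_bytes but not brute-forced here:

```python
import string

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}   # drop \v and \f

# Constructed plaintext resembling the strings an analyst hopes to recover;
# the bot token is a placeholder, not a real one.
PLAINTEXT = (b"api.telegram.org/bot<BOT_TOKEN_PLACEHOLDER>/sendDocument\n"
             b"Chingchong.cmd\nwallet.dat\n")
DEMO_KEY = 0xE7
ENCODED = bytes(b ^ DEMO_KEY for b in PLAINTEXT)   # stands in for a blob carved from a sample


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; a single-byte key is the len-1 case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def brute_single_byte(blob: bytes, min_score: float = 0.95) -> list[tuple[int, bytes]]:
    """Try all 256 single-byte keys; return (key, plaintext) pairs that decode to
    mostly printable text, best score first."""
    hits = []
    for k in range(256):
        out = xor_bytes(blob, bytes([k]))
        score = printable_score(out)
        if score >= min_score:
            hits.append((score, k, out))
    hits.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return [(k, out) for _, k, out in hits]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes, like strings(1),
    also split on tab and newline so each line becomes its own string."""
    runs, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE and b not in (0x09, 0x0A, 0x0D):
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def recover_strings(blob: bytes):
    """Best single-byte key and the strings it reveals, or None if nothing decodes."""
    hits = brute_single_byte(blob)
    if not hits:
        return None
    key, plain = hits[0]
    return key, extract_strings(plain)


if __name__ == "__main__":
    print("printable before:", printable_score(ENCODED))
    key, found = recover_strings(ENCODED)
    print(f"key {key:#04x}:", found)
```

The printable-ratio heuristic is what makes this practical: the right key scores close to 1.0 while almost every wrong key produces high-bit garbage. Strings recovered this way (the Telegram API path, the command file name) are the values a string-based rule should match on, rather than the raw encoded bytes, which change with every key.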
What You Should Do
- Exercise extreme caution with unsolicited job offers and rigorously verify the legitimacy of all online recruitment platforms and job postings.
- Avoid downloading attachments or clicking links from unknown or suspicious sources, especially those related to job applications.
- Implement robust endpoint detection and response (EDR) solutions capable of identifying advanced evasion techniques.
- Update detection rules to account for the specific hashing (djb2) and encryption (RC4 for command files) patterns utilized by Noodlophile.
- Educate employees and job seekers within your organization about the risks of phishing campaigns and social engineering tactics.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.