Malware · Used by 1 actor

Noodlophile

Noodlophile is an information-stealing malware family first publicly reported in May 2025. It has been distributed through fake AI-themed tools promoted on Facebook and other social media, where victims were tricked into downloading malicious ZIP files. Early campaigns focused on stealing credentials and cryptocurrency wallet data, with exfiltration via Telegram bots. Later activity evolved to remote-work and recruitment-themed social engineering, using fake job postings, application forms, and skill assessment lures to target job seekers, students, and digital marketers. These newer campaigns delivered multi-stage stealers and Remote Access Trojans, including through DLL sideloading, and were linked in the provided reporting to the Vietnamese threat group UNC6229.

Recent Noodlophile variants were described as significantly evolving their anti-analysis and reverse-engineering resistance. Reported changes include padding files with millions of repetitions of a vulgar Vietnamese phrase directed at Morphisec to disrupt analysis pipelines, use of the djb2 hashing algorithm for dynamic API resolution, hardcoded signature validation to detect tampering, termination when modification or debugging is detected, RC4 encryption protecting a command file named "Chingchong.cmd," and XOR-encoded strings to evade simple string-based detections. Telegram remains central to the malware’s command-and-control and/or exfiltration workflow.
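The djb2 API hashing described above is the kind of thing an analyst reverses by precomputing the hashes of known export names and looking up the constants found in a sample's resolver loop. The following is an added example of that analyst-side lookup, not code from this page or from the malware; it assumes the classic djb2 variant (seed 5381, h = h*33 + c, 32-bit truncation, case-sensitive ASCII), and the export list is constructed for illustration.

```python
# Added example (not from the Mallory page or from Noodlophile): build a djb2
# lookup table so hashed API references recovered during analysis can be mapped
# back to Windows API names. Assumption: classic djb2 (seed 5381, h = h*33 + c),
# truncated to 32 bits, case-sensitive ASCII; a given sample may use a different
# seed, width or case handling, which must be confirmed against the resolver code.
from typing import Dict, Iterable, Optional

DJB2_SEED = 5381

def djb2(name: str, bits: int = 32) -> int:
    """Classic djb2: h = h * 33 + c for each byte, truncated to `bits` bits."""
    mask = (1 << bits) - 1
    h = DJB2_SEED
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & mask  # (h << 5) + h is the same as h * 33
    return h

# Constructed export list; a real run would load every export of the DLLs the
# sample is observed to resolve from (kernel32, advapi32, wininet, ...).
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "IsDebuggerPresent", "CryptUnprotectData",
    "InternetOpenA", "HttpSendRequestA", "ExitProcess",
]

def build_table(names: Iterable[str], bits: int = 32) -> Dict[int, str]:
    """Map djb2 hash -> API name; fail loudly on a collision instead of hiding it."""
    table: Dict[int, str] = {}
    for n in names:
        h = djb2(n, bits)
        if h in table and table[h] != n:
            raise ValueError(f"djb2 collision: {table[h]} / {n}")
        table[h] = n
    return table

def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the API name behind a hash constant, or None if it is unknown."""
    return table.get(h)

def resolve_many(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Annotate a batch of hash constants pulled from a sample's resolver routine."""
    return {h: resolve(h, table) for h in hashes}

if __name__ == "__main__":
    table = build_table(API_NAMES)
    # Constructed: stand-ins for constants recovered from a hashing-resolver loop.
    sample_hashes = [djb2("VirtualAlloc"), djb2("IsDebuggerPresent"), 0x12345678]
    for h, name in resolve_many(sample_hashes, table).items():
        print(f"0x{h:08x} -> {name or '<unknown: try another variant or case>'}")
```

An unresolved constant usually means the sample uses a different seed, bit width, or lower-cased names, so the variant should be rechecked before widening the export list.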

High-confidence capabilities directly mentioned in the content include theft of credentials and cryptocurrency wallets. The malware is also described broadly as an infostealer used in enterprise-targeting attacks and as part of multi-stage intrusion chains. The content additionally notes that researchers compared or grouped Noodlophile alongside other Vietnamese-attributed stealers such as PXA Stealer and NodeStealer, but only the UNC6229 linkage is explicitly stated for Noodlophile in the supplied material.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC6229

“The Noodlophile information stealer, originally uncovered in May 2025, has significantly evolved its attack strategies… These early campaigns focused on harvesting credentials and cryptocurrency wallets… Recently… utilizing fake job postings… to deliver multi-stage stealers and Remote Access Trojans via DLL sideloading tactics.”

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.001 Domains (Evidence: 1)

"Fake AI Tools Used to Spread Noodlophile... via Facebook lures" and "Node.js Malware Campaign... fake Binance and TradingView installers"

T1583.002 DNS Server (Evidence: 1)

"Initially, this malware hid behind deceptive advertisements for fake AI video generation platforms on social media, tricking users into downloading malicious ZIP files."

Initial Access

1 technique
T1566 Phishing (Evidence: 2)

"at least 19 spear-phishing emails that impersonated trusted diplomatic contacts" / "leverages spear-phishing emails posing as copyright infringement" / "phishing emails ... used to deliver malware families"

Execution

1 technique
T1204.002 Malicious File (Evidence: 1)

"...tricking users into downloading malicious ZIP files."

Stealth

3 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

"...added a layer of RC4 encryption to protect the command file..." and "...employing XOR encoding to hide previously visible data."

T1140 Deobfuscate/Decode Files or Information (Evidence: 1)

"...implemented the classic djb2 rotating hashing algorithm... allows for reliable dynamic API resolution, making static analysis significantly more difficult"

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

"...performs a hardcoded signature validation... detects tampering attempts by anti-analysis or debugging tools, terminating execution if modifications are found."

Credential Access

2 techniques
T1552.004 Private Keys (Evidence: 1)

"...focused on harvesting credentials and cryptocurrency wallets..."

T1555 Credentials from Password Stores (Evidence: 1)

"These early campaigns focused on harvesting credentials and cryptocurrency wallets..."

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (Evidence: 1)

"...performs a hardcoded signature validation... detects tampering attempts by anti-analysis or debugging tools, terminating execution if modifications are found."

Command and Control

1 technique
T1102.002 Bidirectional Communication (Evidence: 1)

"...the malware continues to rely on Telegram bots for command and control communications."

Exfiltration

1 technique
T1567.002 Exfiltration to Cloud Storage (Evidence: 1)

"...which were then exfiltrated via Telegram bots to the attackers."

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Cyber Security News · News
Feb 22, 2026
Cybersecurity News Weekly: PayPal Breach, Chrome 0-Day, BeyondTrust RCE Exploit, and More

An information-stealing malware family that has evolved its tradecraft; reported as being deployed via fake job postings and multi-stage infection chains, including DLL sideloading, with added obfuscation (djb2 hashing and XOR encoding) to hinder reverse engineering.

Risky Biz RSS · News
Feb 20, 2026
Risky Bulletin: RPKI infrastructure sits on shaky ground

Infostealer whose operator modified samples by padding file size with repeated text (likely to evade analysis/detection or as a taunt).

The Hacker News · News
Feb 19, 2026
ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

Information-stealing malware spread via fake AI tools advertised on Facebook; operators added large amounts of junk strings to bloat samples and disrupt certain AI/Python-disassembly-based analysis workflows.

Cyber Security News · News
Feb 16, 2026
Noodlophile Malware Creators Evolve Tactics with Fake Job Postings and Phishing Lures

An information-stealing malware that harvests credentials and cryptocurrency wallet data, exfiltrates via Telegram bots, and in newer campaigns is delivered through fake AI video generator ads and later fake job postings/assessments. Updated variants add anti-analysis/obfuscation (file bloat to crash Python disassembly-based tooling, dynamic API resolution via djb2 hashing, tamper/self-check signature validation, RC4-encrypted command file, XOR-encoded strings) and use Telegram bots for C2.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (11)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.