Cofense Intelligence has uncovered an evolving phishing campaign that uses copyright takedown notices as its primary lure. At the center of this operation is the Lone None threat actor group, which has been seen deploying both the well-known Pure Logs Stealer and a newly identified malware strain dubbed Lone None Stealer (also known as PXA Stealer).
The campaign spoofs legitimate legal firms to pressure victims into clicking malicious links. According to the report, “This campaign sends copyright infringement takedown notices that spoof various legal firms from across the world and likely uses machine translation or AI tools to create new email templates for at least 10 different languages.”
These emails frequently reference real Facebook accounts belonging to the victim, adding credibility to the ruse. The malicious links often redirect through services such as tr[.]ee and goo[.]su, ultimately delivering malicious archive files hosted on platforms like Dropbox and MediaFire.
What sets this campaign apart is its creative use of legitimate tools. Cofense notes, “To evade analysis, this campaign abuses legitimate programs such as Haihaisoft PDF Reader, delivers legitimate PDF and Microsoft Office suite documents alongside payload files, and delivers a Python installation as a part of its attack chain.”

The infection chain involves:
- An archive containing decoy PDF or Office documents bundled with malicious loaders.
- certutil.exe decoding disguised payloads.
- A Python installation staged in C:\Users\Public\Windows, with the interpreter renamed to svchost.exe.
- Execution of obfuscated Python scripts that fetch further payloads from Telegram-linked infrastructure.
Remarkably, the attackers even hide payload URLs in Telegram bot profile bios, turning a social messaging feature into an effective command-and-control (C2) channel.
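The infection chain above leaves concrete host-level artifacts a defender can alert on: certutil.exe invoked to decode a file, a process named svchost.exe running from outside System32, anything launched from C:\Users\Public\Windows, and a "svchost.exe" that is handed a .py script. The following is an added detection example (not code from Cofense or the report) that applies those four rules to constructed process-creation events with simplified Sysmon-style field names (image, cmdline, parent); the sample paths and file names are invented for illustration.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# None of these values come from the report; they are illustrative only.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode images.dat loader.zip",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\Public\Windows\svchost.exe",
     "cmdline": r"svchost.exe C:\Users\Public\Windows\stage2.py",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\Haihaisoft PDF Reader\pdfreader.exe",
     "cmdline": "pdfreader.exe notice.pdf",
     "parent": r"C:\Windows\explorer.exe"},
]

# Legitimate svchost.exe only ever lives in System32 or SysWOW64.
LEGIT_SVCHOST = re.compile(r"c:\\windows\\(system32|syswow64)\\svchost\.exe$")
STAGING_DIR = "c:\\users\\public\\windows\\"


def classify(event):
    """Return the list of rule names one process-creation event trips."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    name = image.rsplit("\\", 1)[-1]
    # Rule 1: certutil used as a decoder (LOLBin payload staging).
    if name == "certutil.exe" and re.search(r"(^|\s)-decode(hex)?(\s|$)", cmd):
        hits.append("certutil_decode")
    # Rule 2: svchost.exe executing from anywhere but the system directories.
    if name == "svchost.exe" and not LEGIT_SVCHOST.match(image):
        hits.append("svchost_outside_system32")
    # Rule 3: any process launched from the campaign's staging directory.
    if image.startswith(STAGING_DIR):
        hits.append("public_windows_staging")
    # Rule 4: a "svchost.exe" given a .py script, i.e. a renamed Python interpreter.
    if name == "svchost.exe" and re.search(r"\.py\b", cmd):
        hits.append("svchost_runs_python_script")
    return hits


def scan(events):
    """Return (image, matched rules) for every event that trips at least one rule."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["image"], hits))
    return findings
```

Rule 2 alone catches the renamed interpreter regardless of where it is staged; rule 3 is the cheap, campaign-specific check that will also flag any other payload dropped in the same directory.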
The new malware strain, Lone None Stealer, is designed with a sharp focus on cryptocurrency theft. Cofense researchers explain: “Lone None Stealer… focuses on stealing cryptocurrency by replacing various cryptocurrency addresses copied to the clipboard. It does this by checking the clipboard for strings that match pre-defined regular expression rules for various cryptocurrency addresses.”
Once a match is found, the malware replaces the copied wallet address with one controlled by the attacker and alerts the operator via Telegram. The campaign has been linked to multiple wallet addresses across Bitcoin, Ethereum, Litecoin, Solana, Ripple, and other cryptocurrencies.
Cofense has tracked the Lone None group’s activity since late 2024. While the phishing lures remain largely unchanged, the payloads have become progressively more sophisticated. “One of the things that makes this campaign interesting… is how the campaign’s malware payloads have become increasingly more advanced within the last few months, while the email lures remain relatively unchanged.”
Earlier variants included RATs such as XWorm and DuckTail, but the current emphasis is on cryptocurrency theft and log stealing, with obfuscation and multi-stage payload delivery making detection far more difficult.