Briefing

A Vietnamese threat group has escalated its phishing operations, deploying the “Lone None Stealer” and “PureLogs Stealer” through fake copyright infringement notices. This campaign utilizes DLL side-loading to compromise user endpoints, leading to the exfiltration of sensitive data and the diversion of cryptocurrency via clipboard hijacking. The attacker’s methods have been linked to dozens of active cryptocurrency wallets, underscoring a direct and quantifiable threat to digital asset holders.

Context

The digital asset landscape remains highly susceptible to social engineering tactics, where a lack of user vigilance combined with sophisticated malware deployment creates a persistent attack surface. Prior to this incident, a known class of vulnerability involved users inadvertently executing malicious code or approving transactions due to deceptive prompts, a risk amplified by the common practice of copy-pasting wallet addresses for transactions. This campaign leverages these foundational human and operational vulnerabilities.

Analysis

The incident’s technical chain begins with a deceptive email, posing as a copyright takedown notice, that directs victims to download a malicious compressed archive. Upon execution, a DLL side-loading technique abuses legitimate Windows programs to install a Python interpreter, which then runs obfuscated Python scripts. These scripts deliver two primary malware strains: PureLogs Stealer, designed for broad data exfiltration, and Lone None Stealer, which specifically targets cryptocurrency by monitoring the system clipboard and replacing legitimate wallet addresses with attacker-controlled ones during transactions. The threat actors further enhance stealth and resilience by using Telegram bot profile pages for command-and-control infrastructure.

Parameters

  • Victim Profile → Individual cryptocurrency users
  • Attack Vector → Phishing, Social Engineering, Malware (DLL Side-loading, Clipboard Hijacking)
  • Malware Names → Lone None Stealer (PXA Stealer), PureLogs Stealer
  • Command & Control (C2) → Telegram bots
  • Targeted Assets → Bitcoin, Ethereum, Solana, Ripple, other digital assets
  • Initial Access → Fake copyright takedown notices via email
  • Date of Lone None Stealer First Observation → June 2025
  • Campaign Activity → Active since late 2024

Outlook

Immediate mitigation requires heightened user scrutiny of all incoming communications, especially those demanding urgent action or containing unexpected attachments. Users must verify sender authenticity, avoid untrusted downloads, and double-check all copied wallet addresses before initiating transactions. Protocols and platforms should advocate for the widespread adoption of hardware wallets and implement robust client-side security education. This incident will likely drive further development in endpoint detection and response (EDR) solutions specifically tailored to detect evasive malware leveraging legitimate system processes and encrypted C2 channels.
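The clipboard-swapping behaviour described in the Analysis, and the advice above to double-check copied wallet addresses, can be turned into a simple endpoint detection heuristic. The following is an added example written for this briefing, not code from the source or from any named tool; it classifies clipboard text by address shape for the assets the briefing lists and flags an address that is replaced by a different address of the same asset within a short window, which is how a clipper behaves and a human rarely does. Clipboard samples are constructed inline; a real monitor would poll the OS clipboard instead.

```python
import re
from dataclasses import dataclass

# Address-shape patterns for the assets the briefing names. Order matters: a
# legacy Bitcoin or XRP address is also valid base58 of Solana's length, so the
# more specific shapes are tried first. Shape checks only, no checksum validation.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}")),
    ("ethereum", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("ripple", re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}")),
    ("solana", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]

def classify(text):
    """Return the asset whose address shape the whole clipboard text matches, else None."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(text):
            return asset
    return None

@dataclass
class ClipboardSample:
    t: float        # seconds since the monitor started
    content: str    # clipboard text observed at that moment

def detect_swaps(samples, window=2.0):
    """Flag a wallet address replaced by a different address of the same asset
    within `window` seconds. A person re-copying takes longer; a clipper rewrites
    the clipboard almost immediately after the copy."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        asset = classify(prev.content)
        if asset is None or classify(cur.content) != asset:
            continue
        if prev.content != cur.content and cur.t - prev.t <= window:
            alerts.append((asset, prev.content.strip(), cur.content.strip(), cur.t - prev.t))
    return alerts

# Constructed clipboard history (not real observations): the user copies an
# Ethereum address and 0.3 s later the clipboard holds a different one (clipper
# behaviour); later two Bitcoin addresses 15 s apart, which looks like normal use.
SAMPLES = [
    ClipboardSample(10.0, "0x" + "a" * 40),
    ClipboardSample(10.3, "0x" + "b" * 40),
    ClipboardSample(25.0, "invoice #4412"),
    ClipboardSample(40.0, "bc1q" + "q" * 38),
    ClipboardSample(55.0, "bc1q" + "p" * 38),
]

if __name__ == "__main__":
    for asset, before, after, dt in detect_swaps(SAMPLES):
        print(f"possible clipper: {asset} address changed {before} -> {after} after {dt:.1f}s")
```

The window is a tunable heuristic: it will miss a clipper that waits before rewriting and may flag a user who pastes two addresses in quick succession, so treat a hit as a prompt to re-verify the address rather than as proof of infection.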

This incident decisively underscores the critical and evolving threat posed by sophisticated social engineering combined with evasive malware, demanding a multi-layered defense strategy focused on both user education and advanced technical controls.

Signal Acquired from → eSecurity Planet

Micro Crypto News Feeds