
Briefing

A Vietnamese threat group has escalated its phishing operations, deploying the “Lone None Stealer” and “PureLogs Stealer” through fake copyright infringement notices. This campaign utilizes DLL side-loading to compromise user endpoints, leading to the exfiltration of sensitive data and the diversion of cryptocurrency via clipboard hijacking. The attacker’s methods have been linked to dozens of active cryptocurrency wallets, underscoring a direct and quantifiable threat to digital asset holders.


Context

The digital asset landscape remains highly susceptible to social engineering tactics, where a lack of user vigilance combined with sophisticated malware deployment creates a persistent attack surface. Prior to this incident, a known class of vulnerability involved users inadvertently executing malicious code or approving transactions due to deceptive prompts, a risk amplified by the common practice of copy-pasting wallet addresses for transactions. This campaign leverages these foundational human and operational vulnerabilities.


Analysis

The incident’s technical mechanics begin with a deceptive email, posing as a copyright takedown notice, that directs victims to download a malicious compressed archive. Upon execution, a DLL side-loading technique abuses legitimate Windows programs to deploy a Python installer, which in turn drops obfuscated Python scripts. These scripts deliver two primary malware strains: PureLogs Stealer, designed for broad data exfiltration, and Lone None Stealer, which specifically targets cryptocurrency by monitoring the system clipboard and replacing legitimate wallet addresses with attacker-controlled ones during transactions. The threat actors further enhance stealth and resilience by using Telegram bot profile pages as command-and-control infrastructure.
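As an added illustration of the clipboard-swap behaviour described above (not code from the original briefing or from either malware family), the following defensive monitor replays clipboard events and flags the moment a copied wallet address is silently replaced by another address of the same family. The address patterns and the sample events are constructed for this example.

```python
import re

# Format-only address patterns for the asset families named in the briefing
# (constructed for this example: shape checks, not checksum validation).
# Bitcoin and Ripple come before the broad Solana base58 pattern on purpose.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("ripple", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def address_type(text):
    """Return the asset family whose address shape `text` matches, else None."""
    for name, pattern in ADDRESS_PATTERNS:
        if pattern.match(text.strip()):
            return name
    return None

def audit_clipboard_events(events):
    """Replay clipboard events and flag silent wallet-address substitutions.

    `events` holds (source, text) pairs: "user" means the user copied `text`,
    "observed" is a clipboard read with no user copy in between. Alert when a
    copied wallet address is later replaced by a different address of the same
    family, the swap a clipper such as Lone None performs.
    """
    alerts, expected = [], None
    for source, text in events:
        if source == "user":
            expected = text
            continue
        if expected is None or text == expected:
            continue
        kind = address_type(expected)
        if kind is not None and address_type(text) == kind:
            alerts.append({"family": kind, "copied": expected, "found": text})
    return alerts

# Constructed sample run: an Ethereum address and a Bitcoin bech32 address
# (the BIP173 example address) are each replaced without a user copy.
SAMPLE_EVENTS = [
    ("user", "0x" + "ab" * 20),
    ("observed", "0x" + "ab" * 20),  # unchanged, no alert
    ("observed", "0x" + "cd" * 20),  # replaced behind the user's back
    ("user", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ("observed", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # swapped to a legacy address
    ("user", "meeting notes"),  # not an address, ignored
    ("observed", "meeting notes"),
]
```

Running `audit_clipboard_events(SAMPLE_EVENTS)` yields two alerts, one per swapped address; a real monitor would feed live clipboard reads into the same function.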


Parameters

  • Victim Profile: Individual cryptocurrency users
  • Attack Vector: Phishing, Social Engineering, Malware (DLL Side-loading, Clipboard Hijacking)
  • Malware Names: Lone None Stealer (PXA Stealer), PureLogs Stealer
  • Command & Control (C2): Telegram bots
  • Targeted Assets: Bitcoin, Ethereum, Solana, Ripple, other digital assets
  • Initial Access: Fake copyright takedown notices via email
  • Date of Lone None Stealer First Observation: June 2025
  • Campaign Activity: Active since late 2024


Outlook

Immediate mitigation requires heightened user scrutiny of all incoming communications, especially those demanding urgent action or containing unexpected attachments. Users must verify sender authenticity, avoid untrusted downloads, and double-check all copied wallet addresses before initiating transactions. Protocols and platforms should advocate for the widespread adoption of hardware wallets and implement robust client-side security education. This incident will likely drive further development in endpoint detection and response (EDR) solutions specifically tailored to detect evasive malware leveraging legitimate system processes and encrypted C2 channels.

This incident decisively underscores the critical and evolving threat posed by sophisticated social engineering combined with evasive malware, demanding a multi-layered defense strategy focused on both user education and advanced technical controls.

Signal Acquired from: eSecurity Planet
