Briefing

A Vietnamese threat group has escalated its phishing operations, deploying the “Lone None Stealer” and “PureLogs Stealer” through fake copyright infringement notices. This campaign utilizes DLL side-loading to compromise user endpoints, leading to the exfiltration of sensitive data and the diversion of cryptocurrency via clipboard hijacking. The attacker’s methods have been linked to dozens of active cryptocurrency wallets, underscoring a direct and quantifiable threat to digital asset holders.

Context

The digital asset landscape remains highly susceptible to social engineering tactics, where a lack of user vigilance combined with sophisticated malware deployment creates a persistent attack surface. Prior to this incident, a known class of vulnerability involved users inadvertently executing malicious code or approving transactions due to deceptive prompts, a risk amplified by the common practice of copy-pasting wallet addresses for transactions. This campaign leverages these foundational human and operational vulnerabilities.

Analysis

The attack chain begins with a deceptive email, posing as a copyright takedown notice, that directs victims to download a malicious compressed archive. Once the archive’s contents are executed, a DLL side-loading technique abuses legitimate Windows programs to install a Python installer, which then deploys obfuscated Python scripts. These scripts deliver two primary malware strains: PureLogs Stealer, designed for broad data exfiltration, and Lone None Stealer, which targets cryptocurrency specifically by monitoring the system clipboard and replacing a legitimate wallet address with an attacker-controlled one while the victim is preparing a transaction. The threat actors further enhance stealth and resilience by using Telegram bot profile pages as command-and-control infrastructure.
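As an added illustration (not code from the original briefing or from any vendor report), the clipper behaviour described above can be caught on the defender’s side by polling the clipboard and flagging a wallet address that is replaced by a different address of the same asset within a fraction of a second. The address-shape patterns, the two-second window and the polling trace are constructed assumptions, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Coarse, constructed address-shape patterns for the assets the briefing lists.
# Order matters: specific shapes are tried before the broad base58 Solana shape.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("XRP", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

@dataclass(frozen=True)
class ClipboardSnapshot:
    t: float      # seconds since the monitor started
    content: str  # clipboard text observed at that moment

def classify(text: str) -> Optional[str]:
    """Return the asset whose address shape `text` matches, else None."""
    text = text.strip()
    return next((asset for asset, pat in ADDRESS_PATTERNS if pat.match(text)), None)

def detect_swaps(snapshots: List[ClipboardSnapshot], window_s: float = 2.0) -> List[Tuple[str, str, str, float]]:
    """Flag clipper behaviour: an address replaced by a different address of the same asset
    within window_s seconds. Returns (asset, copied address, replacement, time) tuples."""
    alerts: List[Tuple[str, str, str, float]] = []
    last_change: Optional[ClipboardSnapshot] = None  # snapshot where the text last changed
    for snap in snapshots:
        if last_change is not None and snap.content == last_change.content:
            continue  # polling saw the same text again; nothing to evaluate
        if last_change is not None:
            prev_asset, new_asset = classify(last_change.content), classify(snap.content)
            if prev_asset and prev_asset == new_asset and snap.t - last_change.t <= window_s:
                alerts.append((new_asset, last_change.content, snap.content, snap.t))
        last_change = snap
    return alerts

# Constructed polling trace: a BTC address is silently replaced 0.4 s after being
# copied, while two ETH addresses copied a minute apart are normal user activity.
SAMPLE_TRACE = [
    ClipboardSnapshot(0.0, "invoice #4471"),
    ClipboardSnapshot(1.0, "1" + "A" * 33),
    ClipboardSnapshot(1.2, "1" + "A" * 33),
    ClipboardSnapshot(1.4, "1" + "B" * 33),
    ClipboardSnapshot(30.0, "0x" + "ab" * 20),
    ClipboardSnapshot(90.0, "0x" + "cd" * 20),
]
```

Running `detect_swaps(SAMPLE_TRACE)` flags only the BTC replacement at 1.4 s; against a live endpoint the same function would be fed snapshots from a fixed-interval clipboard poll (for example `pyperclip.paste()`).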

Parameters

  • Victim Profile → Individual cryptocurrency users
  • Attack Vector → Phishing, Social Engineering, Malware (DLL Side-loading, Clipboard Hijacking)
  • Malware Names → Lone None Stealer (PXA Stealer), PureLogs Stealer
  • Command & Control (C2) → Telegram bots
  • Targeted Assets → Bitcoin, Ethereum, Solana, Ripple, other digital assets
  • Initial Access → Fake copyright takedown notices via email
  • Date of Lone None Stealer First Observation → June 2025
  • Campaign Activity → Active since late 2024

Outlook

Immediate mitigation requires heightened user scrutiny of all incoming communications, especially those demanding urgent action or containing unexpected attachments. Users must verify sender authenticity, avoid untrusted downloads, and double-check all copied wallet addresses before initiating transactions. Protocols and platforms should advocate for the widespread adoption of hardware wallets and implement robust client-side security education. This incident will likely drive further development in endpoint detection and response (EDR) solutions specifically tailored to detect evasive malware leveraging legitimate system processes and encrypted C2 channels.

This incident decisively underscores the critical and evolving threat posed by sophisticated social engineering combined with evasive malware, demanding a multi-layered defense strategy focused on both user education and advanced technical controls.

Signal Acquired from → eSecurity Planet