Briefing

A Vietnamese threat group has escalated its phishing operations, deploying the “Lone None Stealer” and “PureLogs Stealer” through fake copyright infringement notices. This campaign utilizes DLL side-loading to compromise user endpoints, leading to the exfiltration of sensitive data and the diversion of cryptocurrency via clipboard hijacking. The attacker’s methods have been linked to dozens of active cryptocurrency wallets, underscoring a direct and quantifiable threat to digital asset holders.

Context

The digital asset landscape remains highly susceptible to social engineering tactics, where a lack of user vigilance combined with sophisticated malware deployment creates a persistent attack surface. Prior to this incident, a known class of vulnerability involved users inadvertently executing malicious code or approving transactions due to deceptive prompts, a risk amplified by the common practice of copy-pasting wallet addresses for transactions. This campaign leverages these foundational human and operational vulnerabilities.

Analysis

The incident’s technical chain begins with a deceptive email, posing as a copyright takedown notice, that directs victims to download a malicious compressed archive. Upon execution, a DLL side-loading technique abuses legitimate Windows programs to install a Python installer, which then deploys obfuscated Python scripts. These scripts deliver two primary malware strains → PureLogs Stealer, designed for broad data exfiltration, and Lone None Stealer, which specifically targets cryptocurrency by monitoring the system clipboard and replacing legitimate wallet addresses with attacker-controlled ones during transactions. The threat actors further enhance stealth and resilience by utilizing Telegram bot profile pages for command-and-control infrastructure.
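As an added example (not code from the original article or from the vendor analysis it summarises), the following Python sketches the defender-side check implied by the clipboard-replacement behaviour described above: it classifies clipboard contents by address shape for the asset families the briefing names and flags a same-family address that is replaced within seconds of the clipboard last changing. The address patterns and the clipboard log are constructed assumptions, not indicators from the campaign.

```python
import re
from datetime import datetime, timedelta

# Shape-only heuristics (no checksum validation), assumed for this example.
# Bitcoin is tried before the broad base58 Solana pattern to avoid misclassifying legacy addresses.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("ripple", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def classify_address(text):
    """Return the asset family a clipboard string looks like, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS:
        if pattern.match(value):
            return family
    return None

def detect_clipboard_swaps(snapshots, window_seconds=3):
    """Flag a wallet address replaced by a different same-family address
    within `window_seconds` of the clipboard last changing.
    snapshots: (ISO-8601 timestamp, clipboard text) pairs in time order, as a
    polling clipboard monitor would record them. A user rarely copies two
    different same-family addresses seconds apart; a stealer that rewrites
    the address right after the copy produces exactly that pattern.
    Returns a list of (family, original, replacement) alerts."""
    alerts = []
    last_change = None  # (time, family, text) of the last distinct value seen
    for ts, text in snapshots:
        now, value = datetime.fromisoformat(ts), text.strip()
        if last_change and value == last_change[2]:
            continue  # clipboard unchanged since the previous poll
        family = classify_address(value)
        if (last_change and family and family == last_change[1]
                and now - last_change[0] <= timedelta(seconds=window_seconds)):
            alerts.append((family, last_change[2], value))
        last_change = (now, family, value)
    return alerts

# Constructed clipboard log (not campaign data): an Ethereum address is copied, the next poll
# shows a different one half a second later, and a legitimate re-copy 85 s later does not trigger.
SAMPLE_SNAPSHOTS = [
    ("2025-06-10T09:00:00", "invoice #4412"),
    ("2025-06-10T09:00:05", "0x" + "a1" * 20),
    ("2025-06-10T09:00:05.500", "0x" + "b2" * 20),
    ("2025-06-10T09:01:30", "0x" + "a1" * 20),
]
```

Running `detect_clipboard_swaps(SAMPLE_SNAPSHOTS)` yields a single Ethereum alert for the half-second replacement; the same logic generalises to any address family added to `ADDRESS_PATTERNS`.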

Parameters

  • Victim Profile → Individual cryptocurrency users
  • Attack Vector → Phishing, Social Engineering, Malware (DLL Side-loading, Clipboard Hijacking)
  • Malware Names → Lone None Stealer (PXA Stealer), PureLogs Stealer
  • Command & Control (C2) → Telegram bots
  • Targeted Assets → Bitcoin, Ethereum, Solana, Ripple, other digital assets
  • Initial Access → Fake copyright takedown notices via email
  • Date of Lone None Stealer First Observation → June 2025
  • Campaign Activity → Active since late 2024

Outlook

Immediate mitigation requires heightened user scrutiny of all incoming communications, especially those demanding urgent action or containing unexpected attachments. Users must verify sender authenticity, avoid untrusted downloads, and double-check all copied wallet addresses before initiating transactions. Protocols and platforms should advocate for the widespread adoption of hardware wallets and implement robust client-side security education. This incident will likely drive further development in endpoint detection and response (EDR) solutions specifically tailored to detect evasive malware leveraging legitimate system processes and encrypted C2 channels.

This incident decisively underscores the critical and evolving threat posed by sophisticated social engineering combined with evasive malware, demanding a multi-layered defense strategy focused on both user education and advanced technical controls.

Signal Acquired from → eSecurity Planet

Micro Crypto News Feeds