Malware Deployment via Copyright Takedown Claims by Threat Actors


Threat actors from the Lone None group are exploiting copyright takedown notices to distribute sophisticated malware, including Pure Logs Stealer and a newly identified information stealer dubbed Lone None Stealer (also known as PXA Stealer).

This analysis examines the campaign’s tactics, techniques, and procedures (TTPs), highlights key indicators of compromise (IOCs), and underscores how Lone None continues to innovate its attack chain.

The campaign begins with spoofed takedown requests purporting to come from legitimate legal firms worldwide.

The emails reference real Facebook accounts operated by the target, which lends credibility to otherwise fraudulent claims.

Cofense Intelligence has tracked this campaign since November 2024, noting its evolution across multiple iterations and the novel use of obfuscated Python installers, Telegram bots, and machine-translated email templates.

Templates appear in at least ten languages—English, French, German, Korean, Chinese, Thai, and more—likely produced with machine-translation or generative AI services.

The execution flowchart for the average Lone None Stealer sample.

Embedded within these emails are shortened links (using tr[.]ee and goo[.]su) that redirect to archives hosted on services like Dropbox or MediaFire.

Upon download, recipients extract an archive containing repurposed legitimate applications (commonly Haihaisoft PDF Reader) alongside payloads whose file extensions do not match their actual contents.

A malicious DLL acting as the loader uses the built-in Windows certutil.exe utility to decode a disguised “Document.pdf” into “Invoice.pdf,” then invokes a bundled WinRAR executable (disguised as images.png) to extract payloads to C:\Users\Public.

An example of a staged Python installation.

Finally, a renamed Python interpreter (svchost.exe) is installed into C:\Users\Public\Windows and executes an embedded script (images.png) that establishes persistence via a registry key.

This staged approach masks malicious code within legitimate processes and leverages built-in utilities to evade heuristic and sandbox detection.

Cryptocurrency Clipboard Hijacker

A standout feature of this campaign is Lone None Stealer, an information stealer tailored to hijack cryptocurrency transactions.

The stealer monitors the Windows clipboard for patterns matching cryptocurrency address formats. When a victim copies a wallet address (Bitcoin, Ethereum, Ripple, Solana, and more), the malware silently replaces it with an attacker-controlled address—such as 1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L for Bitcoin.

Upon replacement, the malware sends a summary message to a Telegram bot C2, reporting the compromised host name and both original and replaced addresses.
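To make the swap concrete, here is an added example (not code from the Cofense report and not the malware's own code) that emulates the same-chain substitution described above and shows the check a defender can run against it: correlate what the user actually copied with what the clipboard holds a moment later. The address patterns, the Ethereum replacement address and the event stream are constructed for this example; the Bitcoin replacement address is the one quoted above.

```python
import re
from typing import Optional

# Constructed, deliberately loose address-format checks, in priority order.
# The exact patterns Lone None Stealer uses are not published on the page; these
# stand in for them. Solana comes last because plain base58 of 32-44 characters
# also matches Bitcoin legacy and Ripple addresses.
ADDRESS_FORMATS = [
    ("bitcoin_legacy", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),
    ("bitcoin_bech32", re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("ripple", re.compile(r"^r[a-km-zA-HJ-NP-Z1-9]{24,34}$")),
    ("solana", re.compile(r"^[a-km-zA-HJ-NP-Z1-9]{32,44}$")),
]


def classify_address(text: str) -> Optional[str]:
    """Return the first matching chain label for a clipboard string, or None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_FORMATS:
        if pattern.match(candidate):
            return chain
    return None


# Attacker-controlled replacement addresses. The Bitcoin address is the one reported
# in the article; the Ethereum address is constructed for this example.
ATTACKER_ADDRESSES = {
    "bitcoin_legacy": "1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L",
    "ethereum": "0x" + "deadbeef" * 5,
}


def emulate_hijack(clipboard_text: str) -> str:
    """Emulate the behaviour the article describes: a wallet address is replaced by
    an attacker address of the same chain; anything else passes through untouched."""
    chain = classify_address(clipboard_text)
    return ATTACKER_ADDRESSES.get(chain, clipboard_text)


def find_swaps(events):
    """Detect clipboard hijacking by correlating copy actions with later reads.

    events: iterable of (source, text). source is "user" for a copy the user
    performed (e.g. observed through a Ctrl+C hook) and "poll" for a periodic
    read of the clipboard contents. A read that holds a different address of
    the same chain as the user's last copy is the hijacker's signature.
    """
    alerts = []
    last_user = None
    for source, text in events:
        if source == "user":
            last_user = text.strip()
            continue
        if last_user is None:
            continue
        chain = classify_address(last_user)
        now = text.strip()
        if chain is not None and now != last_user and classify_address(now) == chain:
            alerts.append({"chain": chain, "original": last_user, "replaced": now})
            last_user = None  # report each swap once
    return alerts


# Constructed event stream: the user copies a Bitcoin address, the poller first sees
# it intact, then sees it swapped; later the same happens with an Ethereum address.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
USER_ETH = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
SAMPLE_EVENTS = [
    ("user", USER_BTC),
    ("poll", USER_BTC),
    ("poll", emulate_hijack(USER_BTC)),
    ("user", "meeting notes"),
    ("poll", "meeting notes"),
    ("user", USER_ETH),
    ("poll", emulate_hijack(USER_ETH)),
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The pattern-ordering caveat matters in practice: a base58 string of 32 to 44 characters is ambiguous between Solana, Bitcoin legacy and Ripple, so a monitor that checks Solana first will mislabel swaps, and a hijacker that uses the same loose matching will occasionally replace a Bitcoin address with a Solana one, which is itself a detectable anomaly.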

A sample Telegram bot profile containing part of a URL payload.

This bot-based C2 mechanism is novel: the initial payload URL is stored in the bio of a Telegram bot profile, retrievable via HTTPS.

The script then downloads additional payloads from a paste[.]rs link (e.g., paste[.]rs/RWqFD) and further modules from 0x0[.]st. Payloads feature multiple obfuscation layers—Base64 or Base85 text encoding and AES encryption—primarily to thwart automated sandbox analysis rather than alter core functionality.

Since June 2025, Lone None Stealer has appeared in 29% of active threat reports containing Pure Logs Stealer, marking it as a significant evolution in the actor’s operational capabilities.

Defensive Considerations

Early instances of the campaign deployed simpler payloads—XWorm RAT, DuckTail stealer, and custom Py-based stealers—delivered via similar legal-themed lures.

The execution flowchart for ATR 378532.

ATR 378532 used a rudimentary Python installer to drop Pure Logs Stealer and the XWorm RAT, while ATR 377263 introduced DuckTail alongside early variants of Lone None Stealer.

Over time, the group phased out RATs in favor of modular, Python-based loaders and concentrated on information theft, likely because recent Pure Logs Stealer builds already include remote-control functionality (“PureHVNC”), which makes a separate RAT redundant.

Defenders should note the consistent email lure structure: tailored copyright infringement notices spoofing legal entities and referencing genuine social media accounts.

On the endpoint, indicators include unusual certutil.exe decode commands, bundled WinRAR executables named as innocuous images, Python interpreters masquerading as svchost.exe in user-writable directories, and registry entries for persistence.

Network defenders should monitor outbound connections to Telegram bot APIs and file-sharing domains as well as paste[.]rs and 0x0[.]st fetches.

By combining social engineering with legitimate tools and innovative C2 channels, Lone None demonstrates that email lures need minimal changes to remain effective, while payload complexity steadily increases.

Security teams should reinforce user awareness around unsolicited takedown notices and implement application whitelisting, command-line monitoring, and network egress filtering to disrupt this evolving threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.