A sophisticated malware campaign orchestrated by the Vietnamese Lone None threat actor group has been leveraging fraudulent copyright infringement takedown notices to deploy information-stealing malware onto unsuspecting victims’ systems.
The campaign, which has been actively tracked since November 2024, represents a concerning evolution in social engineering tactics that exploits legitimate legal concerns to bypass traditional security awareness measures.
The malicious operation centers around spoofed email communications that impersonate various legal firms from around the world, claiming copyright violations on victims’ Facebook pages or websites.
These carefully crafted emails reference real Facebook accounts belonging to the recipients, adding an alarming level of authenticity that increases the likelihood of successful deception.
The threat actors have demonstrated remarkable linguistic versatility, creating email templates in at least ten different languages including English, French, German, Korean, Chinese, and Thai, likely utilizing machine translation tools to expand their global reach.
Cofense analysts identified this campaign as particularly dangerous due to its delivery of two primary malware payloads: Pure Logs Stealer and a newly discovered information stealer dubbed Lone None Stealer, also known as PXA Stealer.
The campaign’s sophistication extends beyond traditional malware distribution, employing novel techniques such as using Telegram bot profiles to store payload URLs and leveraging legitimate programs like Haihaisoft PDF Reader to evade detection mechanisms.
The attack chain begins with victims receiving copyright takedown emails containing embedded links that redirect through URL shortening services like tr.ee and goo.su before ultimately leading to file-sharing platforms such as Dropbox and MediaFire.
These archive files contain a mixture of legitimate documents alongside malicious components, creating a facade of authenticity while hiding the true malicious intent.
Advanced Infection Mechanism and Payload Delivery
The technical execution of this malware campaign demonstrates remarkable sophistication in its multi-stage infection process.
Upon clicking the malicious link, victims download an archive file containing a legitimate program, typically Haihaisoft PDF Reader, which has been repurposed to load a malicious DLL that functions as a Python installer.
The infection chain progresses through a carefully orchestrated sequence of legitimate Windows utilities to decode and execute the final payload.
The malicious DLL exploits the built-in Windows utility certutil.exe, originally designed for certificate management, to decode an archive file that masquerades as a PDF document but contains the actual malware components.
The following command demonstrates this technique:
cmd /c cd _ && start Document.pdf && certutil -decode Document.pdf Invoice.pdf && images.png x -ibck -y Invoice.pdf C:\Users\Public
Following successful decoding, the campaign utilizes a bundled WinRAR executable, deceptively named “images.png,” to extract the decoded archive contents to the C:\Users\Public directory.
This location choice is strategic, as it provides write access without requiring administrative privileges while maintaining persistence across user sessions.
The extracted Python installation includes a malicious interpreter executable named “svchost.exe” that executes obfuscated Python scripts designed to establish communication with Telegram bot command and control infrastructure.
The malware achieves persistence through Windows registry modifications, specifically creating startup entries in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure continued execution after system reboots.
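As an added defensive illustration (not code from the Cofense report or this article), the following Python scans constructed process-creation events for the stages described above: certutil decoding a file that carries a document extension, an archiver renamed with an image extension, svchost.exe launched from outside the Windows system directories, and a Run-key entry pointing into C:\Users\Public. The sample events, the reg.exe invocation and the loader.py path are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the chain described in the
# article (sample data, not real telemetry). Event 0 mirrors the quoted command;
# the reg.exe call and loader.py path are assumed for illustration.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c cd _ && start Document.pdf && certutil -decode Document.pdf Invoice.pdf "
                r"&& images.png x -ibck -y Invoice.pdf C:\Users\Public"},
    {"image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe C:\Users\Public\loader.py"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Updater "
                r"/d C:\Users\Public\svchost.exe"},
    # Benign look-alikes that the rules must not flag.
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -hashfile setup.msi SHA256"},
]

# Command-line patterns, one per stage of the chain.
CMDLINE_RULES = {
    # certutil used to base64-decode a file carrying a document/image extension
    "certutil_decode_disguised_file": re.compile(
        r"certutil(?:\.exe)?\s+[-/]decode\s+\S+\.(?:pdf|png|jpe?g|txt)\b", re.I),
    # a ".png" invoked with the WinRAR "x" (extract) command followed by switches
    "archiver_renamed_to_image": re.compile(
        r"\b[\w-]+\.(?:png|jpe?g|gif)\s+x\s+-", re.I),
    # Run-key entry whose target lives under C:\Users\Public
    "run_key_targets_public_dir": re.compile(
        r"CurrentVersion\\Run\b.*\\Users\\Public\\", re.I),
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def svchost_outside_system_dir(image: str) -> bool:
    """True when a process named svchost.exe runs from anywhere but the system dirs."""
    p = PureWindowsPath(image)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS


def detect(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in CMDLINE_RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((i, name))
        if svchost_outside_system_dir(ev["image"]):
            hits.append((i, "svchost_outside_system_dir"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule keys on a behaviour the article describes rather than on a hash or filename alone, so renaming the archive or the interpreter does not by itself evade the check.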
The complete execution flowchart for the average Lone None Stealer sample, demonstrating the complex multi-stage process from initial infection through final payload deployment.
The campaign’s use of Telegram bots as both payload delivery mechanisms and command-and-control infrastructure represents a significant tactical evolution, allowing threat actors to maintain operational security while leveraging legitimate communication platforms to avoid traditional network detection methods.