Vietnamese Hackers Exploit Fake Copyright Notices to Spread ‘Lone None’ Stealer

Vietnamese hackers use fake copyright notices and Telegram-based malware to steal data and crypto in a growing phishing campaign.

Written by Ken Underhill
Sep 26, 2025

A Vietnamese threat group has been running a sophisticated phishing campaign since late 2024, using fake copyright takedown notices to trick victims into installing malware. 

The operation, uncovered by Cofense Intelligence, has recently evolved with the introduction of a new information stealer — dubbed Lone None Stealer — that specifically targets cryptocurrency.

Initial access

The scam begins with emails posing as official takedown requests from law firms around the world. 

The messages accuse the recipient of copyright infringement and demand the removal of offending content from a website or social media page. In some cases, the emails even reference real Facebook accounts owned by the target to increase credibility.

To broaden their reach, the attackers send these messages in at least 10 languages, including English, French, German, Chinese, and Korean. The emails include a link that leads to a compressed archive (such as a ZIP file). Inside are seemingly legitimate files — PDFs or images — that actually contain malware.

Malware delivery

Once the victim opens the archive, the attack relies on DLL side-loading.

This technique abuses a legitimate, signed program (for example, Microsoft Word or a PDF reader) to secretly load a malicious dynamic link library (DLL). By hiding within trusted applications, the malware evades traditional security defenses.

The archives often contain legitimate documents alongside payload files with misleading extensions. Attackers have even bundled programs like Haihaisoft PDF Reader to cloak their operations. The malicious DLL acts as a Python installer, which uses built-in Windows tools such as certutil.exe and bundled WinRAR files to extract and run obfuscated Python scripts.

The campaign delivers two distinct types of malware:

  • PureLogs Stealer – A more established tool that extracts a wide range of sensitive information, including passwords, credit card numbers, session cookies, and crypto wallet data saved on victims’ devices.
  • Lone None Stealer (PXA Stealer) – A newer strain, first observed in June 2025, that focuses on cryptocurrency theft. It uses clipboard hijacking: the malware monitors the system clipboard and replaces copied wallet addresses with ones controlled by the attackers. As a result, when victims attempt to transfer funds, the money is diverted to the threat actors’ wallets.
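The clipboard-swap behaviour described above can be caught from the defender's side by remembering what the user actually copied and alerting when the clipboard later holds a different address of the same chain. The following is an added example, not code from the article or from Cofense; the address patterns, the event-driven detector and the sample values are all constructed here, and in a real deployment `on_user_copy` would be fed from a copy-hotkey hook and `on_clipboard_read` from a clipboard poll.

```python
import re

# Address-shape patterns for the chains the article names (constructed for this
# example; they cover common formats, not every valid address variant). Order
# matters: bitcoin and ripple are checked before the broad base58 solana shape.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ripple": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(text):
    """Return the chain a clipboard string looks like, or None for non-addresses."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


class ClipboardSwapDetector:
    """Tracks the user's last deliberate copy and flags a silent replacement.

    A legitimate new copy always arrives through on_user_copy; if a clipboard
    poll instead shows a different address of the same chain, something else
    wrote to the clipboard, which is exactly the hijacking pattern.
    """

    def __init__(self):
        self.last_user_copy = None

    def on_user_copy(self, text):
        # Hypothetical hook: called when the user presses the copy shortcut.
        self.last_user_copy = text.strip()

    def on_clipboard_read(self, text):
        """Called on every clipboard poll; returns an alert dict or None."""
        text = text.strip()
        if self.last_user_copy is None or text == self.last_user_copy:
            return None
        before, after = classify(self.last_user_copy), classify(text)
        if before is not None and before == after:
            return {"chain": before, "expected": self.last_user_copy, "found": text}
        return None
```

An alert is the point to block the paste and warn the user; a copy of ordinary text that later becomes an address is not flagged, since no wallet transfer was in progress.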

Since its discovery, Lone None Stealer has appeared in nearly one-third (29%) of reports involving PureLogs Stealer, suggesting its rapid adoption by the threat group.

The unlikely control center

One of the campaign’s most notable tactics is its abuse of Telegram for command-and-control (C2). Instead of relying on traditional C2 servers, Lone None hides instructions and payload links inside Telegram bot profile pages.

Here’s how it works:

  1. The malware reaches out to a Telegram bot.
  2. The bot’s profile bio contains fragments of URLs leading to the next payload.
  3. Additional scripts are fetched from services like Paste[.]rs or 0x0[.]st, further complicating detection.

The use of Telegram provides stealth and resiliency, making it harder for defenders to block the operation.

Evolving tactics

Since November 2024, Cofense researchers have observed the Lone None group refine its attack methods:

  • Early campaigns delivered a mix of information stealers and remote access trojans (RATs). More recent iterations focus primarily on PureLogs and Lone None Stealer.
  • The malware payloads employ multiple layers of obfuscation, including Base64/Base85 encoding and AES encryption, to bypass automated analysis.
  • Attackers leverage free file-sharing platforms like Dropbox and MediaFire to host infected archives.

Despite these technical upgrades, the phishing emails themselves have changed little. The consistent lure — a fake legal threat referencing a real online account — continues to be effective.

Beyond login credentials and credit cards, Lone None Stealer has been linked to dozens of active cryptocurrency wallets across Bitcoin, Ethereum, Solana, Ripple, and other digital assets. Clipboard hijacking means any user who copies and pastes a wallet address while transferring funds could unknowingly send money straight to the attacker.

Mitigation recommendations

Threat actors behind the Lone None campaign use fear, technical tricks, and evasive malware to steal data and crypto, but a layered defense can reduce risk.

  • Scrutinize emails: Verify takedown notices, check domains, and spot translation or urgency red flags.
  • Don’t trust links/files: Avoid untrusted downloads; use sandboxing or IT support for checks.
  • Watch for odd installs: Flag unusual Python folders, renamed executables, or suspicious registry entries.
  • Block side-loading/tool abuse: Use allowlisting, watch DLL activity, and restrict tools like certutil.exe.
  • Filter network threats: Monitor Telegram traffic, block short links/file shares, and apply IOC feeds.
  • Protect crypto/users: Double-check wallet addresses, use hardware wallets, and run phishing drills.
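The Telegram-based C2 chain described earlier and the certutil.exe and network controls in this list can be turned into a small hunt over endpoint telemetry. This is an added example, not code from the article or from Cofense: it runs three rules over constructed sample events (a non-browser process contacting Telegram, a fetch from the paste services named above shortly afterwards, and certutil.exe used as a decoder or downloader); the event format, host names and process list are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: "seconds|host|process|kind|detail".
# kind "net" carries the destination host; kind "proc" carries the command line.
SAMPLE_EVENTS = """\
10|WS01|msedge.exe|net|t.me
20|WS01|python.exe|net|api.telegram.org
25|WS01|python.exe|net|paste.rs
30|WS01|certutil.exe|proc|certutil.exe -decode stage2.txt stage2.zip
40|WS02|chrome.exe|net|api.telegram.org
45|WS02|certutil.exe|proc|certutil.exe -verify cert.cer
50|WS03|rundll32.exe|net|0x0.st
""".splitlines()

# Processes for which Telegram traffic is expected (assumed allowlist for the example).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "telegram.exe"}
TELEGRAM_HOSTS = {"t.me", "api.telegram.org"}
STAGING_HOSTS = {"paste.rs", "0x0.st"}
# certutil switches that turn it into a decoder/downloader rather than a cert tool.
CERTUTIL_ABUSE = re.compile(r"-(decode|decodehex|urlcache)\b", re.IGNORECASE)
WINDOW_SECONDS = 300


def parse(line):
    ts, host, proc, kind, detail = line.split("|", 4)
    return {"ts": int(ts), "host": host, "proc": proc.lower(), "kind": kind, "detail": detail}


def hunt(lines):
    """Return a list of (host, rule, evidence) findings over the event lines."""
    findings = []
    telegram_hits = defaultdict(list)  # host -> timestamps of suspicious Telegram contact
    for ev in map(parse, lines):
        if ev["kind"] == "net" and ev["detail"] in TELEGRAM_HOSTS:
            if ev["proc"] not in BROWSERS:
                findings.append((ev["host"], "non-browser process contacting Telegram",
                                 f"{ev['proc']} -> {ev['detail']}"))
                telegram_hits[ev["host"]].append(ev["ts"])
        elif ev["kind"] == "net" and ev["detail"] in STAGING_HOSTS:
            # The article's chain: Telegram bio lookup, then paste-site fetch of the next stage.
            chained = any(0 <= ev["ts"] - t <= WINDOW_SECONDS for t in telegram_hits[ev["host"]])
            rule = "paste-site fetch after Telegram lookup" if chained else "paste-site fetch"
            findings.append((ev["host"], rule, f"{ev['proc']} -> {ev['detail']}"))
        elif ev["kind"] == "proc" and ev["proc"] == "certutil.exe" and CERTUTIL_ABUSE.search(ev["detail"]):
            findings.append((ev["host"], "certutil used as decoder/downloader", ev["detail"]))
    return findings
```

On the sample data, WS01 produces the full chain (Telegram lookup, paste fetch, certutil decode), WS02 produces nothing because a browser reached Telegram and certutil ran a normal verify, and WS03 produces only the weaker unchained paste-site finding.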

By spoofing legal threats and exploiting trusted platforms like Telegram, this Vietnamese hacking group has created a highly evasive phishing campaign.

By combining user vigilance with strong technical controls, organizations can mitigate this campaign’s impact and stay ahead of evolving phishing threats.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
