Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer
New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.
A Vietnamese hacking group known as Lone None is running an online scam campaign that has been active since at least November 2024. The campaign focuses on stealing personal and financial information, especially cryptocurrency.
Cybersecurity research firm Cofense Intelligence has been tracking this threat actor’s movements and shared their analysis with Hackread.com.
**The Fake Copyright Notice**
The attacks begin with an email posing as an official legal notice from one of various law firms around the world. It tells the recipient to take down copyrighted content from their website or social media, sometimes even naming the recipient’s real Facebook account.
Fake Take Down notice (Image credit: Cofense Intelligence)
These messages are sent in around ten different languages, including English, French, German, and Chinese, suggesting that the criminals aim to expand their reach. The emails contain a link that, when clicked, downloads an archive (such as a ZIP file). This archive contains the malware, which is disguised as evidence documents such as PDFs or PNGs.
To execute the malware, the attackers use DLL side-loading, which allows them to abuse a legitimate, signed program (like a trusted Microsoft Word or PDF reader executable) to secretly run their malicious code and bypass standard security checks.
Attack Flow (Image credit: Cofense Intelligence)
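For defenders triaging an archive like the one described above, the following added example (not code from Cofense or the original article) flags document-named files whose content is really a Windows executable, double extensions, and an executable shipped beside a DLL. The heuristics, file names and sample bytes are assumptions constructed for illustration; the check does not verify code signatures.

```python
import io
import zipfile

MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG"}   # expected leading bytes
DOC_EXTS = (".pdf", ".png", ".doc", ".docx")

def triage_archive(data):
    """Return a list of findings for a ZIP archive supplied as bytes."""
    findings, exes, dlls = [], {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            folder, _, base = name.lower().rpartition("/")
            stem, dot, suffix = base.rpartition(".")
            ext = dot + suffix if dot else ""
            with zf.open(info) as fh:
                head = fh.read(8)
            is_pe = head.startswith(b"MZ")  # DOS header of EXE/DLL files
            if is_pe and ext in DOC_EXTS:
                findings.append("pe-with-document-extension: " + name)
            elif ext in MAGIC and not head.startswith(MAGIC[ext]):
                findings.append("content-mismatch: " + name)
            if ext in (".exe", ".scr") and stem.endswith(DOC_EXTS):
                findings.append("double-extension: " + name)
            if is_pe and ext == ".exe":
                exes.setdefault(folder, name)
            elif is_pe and ext == ".dll":
                dlls.setdefault(folder, name)
    # An executable shipped next to a DLL is the layout side-loading needs.
    for folder, exe in exes.items():
        if folder in dlls:
            findings.append("exe-with-adjacent-dll: %s + %s" % (exe, dlls[folder]))
    return findings

def build_sample(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: names and contents are invented for illustration.
SUSPICIOUS = build_sample({
    "Evidence/Report viewer.exe": b"MZ" + b"\x00" * 62,
    "Evidence/helper.dll": b"MZ" + b"\x00" * 62,
    "Evidence/Screenshot.png": b"MZ" + b"\x00" * 62,
    "Evidence/Notice.pdf": b"%PDF-1.7\n",
})

if __name__ == "__main__":
    for finding in triage_archive(SUSPICIOUS):
        print(finding)
```

Legitimate software also ships executables beside DLLs, so the last finding is a reason to inspect the archive further rather than a verdict.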
**Malware Deployment**
The campaign delivers two types of information stealers: Pure Logs Stealer and the newer Lone None Stealer (aka PXA Stealer). Pure Logs steals a wide range of sensitive data, including passwords, credit card numbers, session cookies, and local crypto wallet files saved in a victim’s browsers and computers.
The Lone None Stealer, however, focuses on stealing cryptocurrency. It monitors the victim’s clipboard (the place where copied text is temporarily stored) and, if a crypto-wallet address is copied, the malware quietly replaces it with the criminal’s address. This means if a victim tries to send money by copying and pasting a wallet address, the funds go straight to the hacker instead.
In its blog post, Cofense Intelligence noted that Lone None Stealer has been found in nearly a third (29%) of all recent reports involving the older Pure Logs Stealer since June 2025, indicating its growing use.
**Evasive C2**
This scam involves a unique staging technique where the actor hides the address for the next step of the attack within a Telegram bot profile page. Moreover, Lone None Stealer uses the Telegram network as its primary Command and Control (C2) channel, rapidly sending back all the collected data to the hackers.
Since this scam plays directly on the fear of an urgent legal dispute, it is important to recognise the signs of a fake email. Never click links or download files from unexpected sources, as this simple precaution remains the best security against such scams.