Cybercriminals are exploiting copyright fears to distribute malware through fake legal takedown notices, according to new research from Cofense Intelligence, a cybersecurity firm. The Vietnamese threat actor “Lone None” has been sending multilingual copyright violation messages that appear to come from legitimate law firms, but actually deliver malware when victims click on supposed “resolution” links.
Why this matters: This campaign represents a sophisticated evolution in social engineering tactics, leveraging people’s fear of copyright violations to bypass traditional security measures.
- Attackers are using AI tools and machine translation to create convincing takedown notices in multiple languages, expanding their global reach.
- Instead of traditional hosting methods, the criminals embed payload information within Telegram bot profile pages, making detection more difficult.
- Victims are directed to archive files on platforms like Dropbox or MediaFire that contain legitimate applications bundled with malicious code.
How the attack works: The malware delivery system uses several layers of deception to appear legitimate while establishing persistent access to victim systems.
- The malware loader disguises itself as normal Windows processes and uses obfuscated Python scripts to maintain persistence and fetch additional components.
- Beyond the known PureLogs Stealer, researchers identified a new strain called “Lone None Stealer” or “PXA Stealer” specifically designed for cryptocurrency theft.
- The malware quietly replaces copied cryptocurrency wallet addresses with attacker-controlled addresses, enabling silent theft of digital assets.
In plain English: When victims copy a cryptocurrency wallet address to send money, the malware secretly swaps it with the criminal’s address instead, redirecting the funds without the victim knowing until it’s too late.
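The swap described above is detectable from the defender's side because a clipper has to rewrite the clipboard almost immediately after the user copies an address. The following is an added example written for this page, not code from Cofense or from the reported malware: it classifies clipboard contents by wallet-address shape and flags a case where one address is replaced by a different address of the same family within a short window. The `ClipboardEvent` stream, the sample addresses and the two-second window are constructed assumptions; a real deployment would feed it from an EDR clipboard hook and tune the window and address patterns to the coin families in use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative wallet-address shapes (constructed, not exhaustive):
# Bitcoin legacy/bech32 and Ethereum. A real deployment would cover the
# families the organisation actually transacts in.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started (hypothetical clock)
    content: str     # clipboard text observed at that moment


@dataclass
class SwapAlert:
    ts: float
    family: str
    copied: str
    replaced_with: str


def address_family(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for family, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return family
    return None


def detect_swaps(events: List[ClipboardEvent], window: float = 2.0) -> List[SwapAlert]:
    """Flag an address-for-address replacement within `window` seconds.

    A user copying two different addresses of the same family within a
    couple of seconds is rare; a stealer overwriting the clipboard right
    after a copy is the textbook clipper pattern the article describes.
    """
    alerts: List[SwapAlert] = []
    for prev, cur in zip(events, events[1:]):
        fam = address_family(prev.content)
        if fam is None or address_family(cur.content) != fam:
            continue
        if prev.content.strip() != cur.content.strip() and (cur.ts - prev.ts) <= window:
            alerts.append(SwapAlert(cur.ts, fam, prev.content.strip(), cur.content.strip()))
    return alerts


def is_same_address(copied: str, about_to_paste: str) -> bool:
    """Pre-send check a wallet front end could apply: confirm the address
    being pasted is the one the user originally copied."""
    return copied.strip() == about_to_paste.strip()


# Constructed sample clipboard timeline (no real addresses).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(5.0, "0x" + "a" * 40),                # user copies the intended payee
    ClipboardEvent(5.3, "0x" + "b" * 40),                # overwritten 300 ms later: clipper behaviour
    ClipboardEvent(40.0, "1VictimAddr" + "A" * 23),      # BTC-shaped address, constructed
    ClipboardEvent(90.0, "1AttackerAddr" + "B" * 21),    # 50 s later: outside the window, not flagged
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"t={a.ts}s {a.family}: {a.copied} -> {a.replaced_with}")
```

The second function reflects the user-side mitigation implied by the article: before sending, compare the pasted destination with the address originally copied (or with a known-good copy from the recipient), since a silent swap only succeeds when nobody re-reads the address.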
The infrastructure advantage: Telegram bots serve as both communication channels and command hubs, creating a flexible and resilient attack infrastructure.
- This approach makes the operation harder to disrupt compared to traditional web-based command and control servers.
- The communication method allows operators to quickly adapt their tactics and maintain contact with infected systems.
The big picture: While current campaigns focus on information and cryptocurrency theft, the sophisticated delivery methods could easily be repurposed for ransomware attacks in future iterations.
- The use of copyright fears as a social engineering vector is particularly effective because legitimate copyright claims are common and create genuine urgency.
- The multilingual approach significantly expands the potential victim pool beyond English-speaking regions.
What to watch for: Security experts emphasize that technical solutions alone cannot fully prevent these copyright-spoofing campaigns.
- Unusual Python installations on systems can serve as technical indicators of compromise.
- The most effective defense combines advanced email security tools, endpoint protection, and user education about recognizing fake legal notices.
- Organizations should train employees to verify copyright claims through official channels before clicking on any links or downloading files.
Lone None hackers push global scam using Telegram bots and spoofed law firms to drop cryptostealing malware through fake archives