Lone None Threat Group Deploys New Stealers via Fake Copyright Takedown Notices
Since November 2024, the Lone None threat actor group has been orchestrating a sophisticated email campaign distributing two information stealers: Pure Logs Stealer and the newly identified Lone None Stealer (PXA Stealer). The campaign spoofs legal firms worldwide, using copyright infringement takedown notices as lures to trick recipients into executing malicious payloads.
The emails, written in at least ten languages, likely via machine translation or generative AI, reference the recipients' authentic Facebook accounts to add credibility. Embedded links, often shortened through t[.]ee or g[.]su, redirect to free file-hosting services such as Dropbox and MediaFire, where the victim downloads an archive posing as a PDF reader installer.
In reality, the archive contains a repurposed Haihaisoft PDF Reader executable, a malicious DLL that acts as a Python installer, legitimate documents, and files whose extensions do not match their contents. When the executable is run, the loader calls Windows certutil.exe to decode an archive disguised as a PDF and writes the result under a different extension. A bundled copy of WinRAR, renamed "images.png", then extracts the decoded files into C:\Users\Public.
The malicious DLL next installs Python in the same directory and launches the staged interpreter, renamed svchost.exe, to run an obfuscated script. The script uses a Telegram bot as its C2 channel: part of a paste[.]rs URL is stored in the bot's bio, the script reconstructs the full URL, and from there it fetches a second-stage payload hosted on 0x0[.]st that delivers either Pure Logs Stealer or Lone None Stealer.
Both stealers use Base64/Base85 encoding and AES encryption to evade detection. Lone None Stealer specifically targets cryptocurrency: it monitors the Windows clipboard for wallet addresses and replaces them with actor-controlled Bitcoin, Ethereum and Solana wallets. Observed actor wallet addresses:
- Bitcoin: 1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L
- Ethereum: 0xd38c3fc36ee1d0f4c4ddaeebb72e5ce2d5e7646c
- Solana: GQwKEEi49iKywE8ycnFsxRhxJTVf6YsoJb2vAFigc8
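The clipper behaviour described above can be caught on the endpoint without knowing the malware: a clipboard change in which one wallet address of a given chain is replaced by a different address of the same chain almost immediately is what a clipper does, not what a user does. The following is an added example, not code from the report or the actor; the clipboard history is constructed, the regex shapes for Bitcoin/Ethereum/Solana addresses are a conservative approximation (no checksum validation), the two-second window is a heuristic, and the three actor wallets are the IOCs listed on this page.

```python
"""Wallet-address classification and clipboard-swap detection (added example)."""
import re

# Actor-controlled wallets listed in the report above (IOCs, not constructed).
LONE_NONE_WALLETS = {
    "1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L": "bitcoin",
    "0xd38c3fc36ee1d0f4c4ddaeebb72e5ce2d5e7646c": "ethereum",
    "GQwKEEi49iKywE8ycnFsxRhxJTVf6YsoJb2vAFigc8": "solana",
}

# Ordered list: Bitcoin is tested before Solana because a Base58 legacy Bitcoin
# address also matches the looser Solana shape. Shapes only, no checksum.
WALLET_PATTERNS = [
    ("bitcoin", re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify(text):
    """Return the chain a clipboard string looks like, or None."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS:
        if pattern.match(text):
            return chain
    return None


def detect_swaps(snapshots, max_gap=2.0):
    """snapshots: list of (seconds, clipboard_text) in order of observation.

    Flags a same-chain address that is replaced by a different address within
    max_gap seconds (heuristic: a user rarely copies two addresses that fast).
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        chain_before, chain_after = classify(before), classify(after)
        if chain_before and chain_before == chain_after and before != after and t1 - t0 <= max_gap:
            alerts.append({
                "chain": chain_before,
                "original": before,
                "replacement": after,
                "known_actor_wallet": after in LONE_NONE_WALLETS,
            })
    return alerts


# Constructed clipboard history: plain text, the victim's own addresses (well-known
# public sample addresses), two clipper substitutions, and a slow legitimate re-copy.
SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes for Thursday"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (5.2, "1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L"),          # swapped to actor BTC
    (40.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
    (40.1, "0xd38c3fc36ee1d0f4c4ddaeebb72e5ce2d5e7646c"),  # swapped to actor ETH
    (120.0, "GQwKEEi49iKywE8ycnFsxRhxJTVf6YsoJb2vAFigc8"),  # chain change, no swap
    (200.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (260.0, "1Lbcfr7sAHTD9CgdQo3HTMTkV8LK4ZnX71"),         # 60 s later: user action
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_CLIPBOARD):
        print(alert)
```

On a live host the snapshots would come from a clipboard listener (for example a WM_CLIPBOARDUPDATE handler); the detection logic itself is independent of how the values are collected.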
Earlier variants of the campaign delivered XWorm and DuckTail; recent attacks have been streamlined to Pure Logs Stealer, used for its RAT capabilities, and Lone None Stealer for cryptocurrency theft. Persistence is a registry Run key that points to the staged Python interpreter.
Defenders should monitor for clandestine Python installations under C:\Users\Public\Windows, suspicious Run key entries, and anomalous executions of certutil.exe and of WinRAR running under a renamed file. The campaign illustrates how threat actors keep combining social engineering with unconventional C2 channels to distribute malware.
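The execution chain (certutil decoding a fake PDF, a renamed WinRAR, a Python interpreter posing as svchost.exe in C:\Users\Public, and a Run key pointing at it) and the monitoring advice above map onto four hunting rules. The block below is an added example, not from the report or any vendor: it runs those rules over constructed Sysmon-style events (Event ID 1 process creation with Image, OriginalFileName and CommandLine; Event ID 13 registry value set with TargetObject and Details). It assumes that Sysmon's OriginalFileName carries the PE version-resource name, so a renamed WinRAR or python.exe still reports "WinRAR.exe" or "python.exe"; the file paths, SID and command lines are made up.

```python
"""Hunting rules for the Lone None delivery chain over constructed Sysmon-style
events (added example; events are invented to exercise the rules)."""
import re

PUBLIC_PREFIX = "c:\\users\\public\\"
# Extensions certutil -decode should never be fed by a legitimate process.
DECOY_EXT = (".pdf", ".png", ".jpg", ".jpeg", ".doc", ".docx")
# PE OriginalFilename values of the tools the chain renames (assumption: these
# are what Sysmon reports in OriginalFileName for the real binaries).
ABUSED_TOOLS = {"winrar.exe", "rar.exe", "python.exe"}


def _norm(path):
    return path.strip('"').replace("/", "\\").lower()


def _base(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _in_public(path):
    return _norm(path).startswith(PUBLIC_PREFIX)


def _argv(cmd):
    """Split a Windows command line, keeping quoted paths together."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def certutil_decode_decoy(ev):
    """certutil -decode whose input looks like a document/image or lives in Public."""
    if _base(ev["Image"]) != "certutil.exe":
        return None
    args = _argv(ev["CommandLine"])
    for i, arg in enumerate(args):
        if arg.lower() in ("-decode", "-decodehex") and i + 1 < len(args):
            src = args[i + 1]
            if _norm(src).endswith(DECOY_EXT) or _in_public(src):
                return f"certutil decoding {src}"
    return None


def renamed_tool(ev):
    """A known tool whose on-disk name differs from its PE original name."""
    orig = ev.get("OriginalFileName", "").lower()
    if orig in ABUSED_TOOLS and orig != _base(ev["Image"]):
        return f"{orig} running as {ev['Image']}"
    return None


def public_dir_execution(ev):
    """Anything executing from C:\\Users\\Public with a non-.exe name or a mismatched identity."""
    img = ev["Image"]
    if not _in_public(img):
        return None
    if not _norm(img).endswith(".exe") or ev.get("OriginalFileName", "").lower() != _base(img):
        return f"execution from Public: {img}"
    return None


def run_key_to_public(ev):
    """Run-key persistence whose command points into C:\\Users\\Public."""
    if "\\currentversion\\run\\" in _norm(ev.get("TargetObject", "")) and _in_public(ev.get("Details", "")):
        return f"Run key {ev['TargetObject']} -> {ev['Details']}"
    return None


PROCESS_RULES = {"certutil_decode_decoy": certutil_decode_decoy,
                 "renamed_tool": renamed_tool,
                 "public_dir_execution": public_dir_execution}
REGISTRY_RULES = {"run_key_to_public": run_key_to_public}


def hunt(events):
    """Return (rule_name, detail) for every rule that fires on every event."""
    hits = []
    for ev in events:
        rules = PROCESS_RULES if ev.get("EventID") == 1 else REGISTRY_RULES if ev.get("EventID") == 13 else {}
        for name, rule in rules.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


# Constructed events: the four malicious steps, then benign noise that must stay quiet.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r'certutil.exe -decode "C:\Users\Public\notice.pdf" "C:\Users\Public\notice.rar"'},
    {"EventID": 1, "Image": r"C:\Users\Public\images.png", "OriginalFileName": "WinRAR.exe",
     "CommandLine": r'"C:\Users\Public\images.png" x "C:\Users\Public\notice.rar" C:\Users\Public'},
    {"EventID": 1, "Image": r"C:\Users\Public\Windows\svchost.exe", "OriginalFileName": "python.exe",
     "CommandLine": r'"C:\Users\Public\Windows\svchost.exe" "C:\Users\Public\Windows\loader.py"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\loader.py"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\alice\Downloads\archive.rar'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The renamed-WinRAR and fake-svchost events each trip two rules (identity mismatch and execution from Public), which is intended: either signal alone is worth a look, and the overlap makes the chain stand out from a single false positive.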
Source: https://cyberpress.org/copyright-takedown-malware/
Facebook TPRM report: https://www.rankiteo.com/company/Facebook
Dropbox TPRM report: https://www.rankiteo.com/company/Dropbox
MediaFire TPRM report: https://www.rankiteo.com/company/mediafire.com
"id": "FacDromed1768636787",
"linkid": "Facebook, Dropbox, mediafire.com",
"type": "Cyber Attack",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global',
'type': 'Individuals/Organizations'}],
'attack_vector': 'Phishing (Email)',
'data_breach': {'data_encryption': 'AES Encryption (for payload delivery)',
'data_exfiltration': 'Yes (via Telegram bot C2 channel)',
'file_types_exposed': ['PDF', 'DLL', 'Python Scripts'],
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information',
'Cryptocurrency Wallet Addresses',
'Sensitive Documents']},
'date_detected': '2024-11-01',
'description': 'Since November 2024, the Lone None threat actor group has '
'been orchestrating a sophisticated email campaign '
'distributing two information stealers: Pure Logs Stealer and '
'the newly identified Lone None Stealer (PXA Stealer). The '
'campaign spoofs legal firms worldwide, using copyright '
'infringement takedown notices as lures to trick recipients '
'into executing malicious payloads. The emails reference '
'authentic Facebook accounts of victims to enhance credibility '
'and redirect victims to free file-hosting services like '
'Dropbox and MediaFire to download a malicious archive '
'disguised as a PDF reader installer.',
'impact': {'data_compromised': 'Personally Identifiable Information, '
'Cryptocurrency Wallet Addresses, Sensitive '
'Documents',
'identity_theft_risk': 'High',
'payment_information_risk': 'High (Cryptocurrency)',
'systems_affected': 'Windows Systems'},
'initial_access_broker': {'backdoors_established': 'Python-based persistence '
'via registry Run key',
'entry_point': 'Phishing Email (Fake Copyright '
'Takedown Notices)',
'high_value_targets': 'Cryptocurrency Users'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The campaign underscores the evolving tactics of threat '
'actors in leveraging social engineering and '
'unconventional C2 channels (e.g., Telegram bots) to '
'distribute malware. Defenders should monitor for unusual '
'Python installations and anomalous tool executions.',
'motivation': 'Financial Gain (Cryptocurrency Theft)',
'post_incident_analysis': {'corrective_actions': ['Implement email filtering '
'to block phishing lures',
'Restrict execution of '
'unsigned or suspicious '
'Python scripts',
'Monitor for unusual '
'registry modifications and '
'tool executions'],
'root_causes': ['Social engineering (phishing '
'emails with fake legal notices)',
'Use of legitimate file-hosting '
'services (Dropbox, MediaFire) to '
'deliver malware',
'Abuse of Windows utilities '
'(certutil.exe, WinRAR) for '
'malicious purposes']},
'recommendations': ['Monitor for clandestine Python installations in '
'C:\\Users\\Public\\Windows',
'Check for suspicious Run key entries in the Windows '
'registry',
'Detect anomalous executions of certutil.exe and WinRAR '
'with renamed files',
'Block or monitor access to known malicious domains '
'(e.g., t[.]ee, g[.]su, 0x0[.]st)',
'Educate users on identifying phishing emails, especially '
'those impersonating legal notices'],
'references': [{'source': 'Cybersecurity Report'}],
'response': {'enhanced_monitoring': 'Monitor for clandestine Python '
'installations in '
'C:\\Users\\Public\\Windows, suspicious '
'Run key entries, and anomalous '
'executions of certutil.exe and WinRAR '
'with renamed files'},
'threat_actor': 'Lone None',
'title': 'Lone None Threat Group Deploys New Stealers via Fake Copyright '
'Takedown Notices',
'type': 'Malware Campaign'}