
Category: Cybersecurity
Malware Campaign Using Copyright Takedown Claims
A malware campaign by the Lone None threat actor group has utilized fraudulent copyright infringement notices to deploy malware. This campaign, monitored since November 2024, exploits social engineering tactics to bypass security measures.
The operation involves spoofed email communications that mimic legal firms, alleging copyright violations on victims’ Facebook pages or websites. These emails reference actual Facebook accounts, enhancing their credibility.
The threat actors employ email templates in ten languages, including English, French, German, Korean, Chinese, and Thai, likely using machine translation to widen their reach.
Analysts at Cofense identified this campaign as particularly dangerous due to its delivery of two malware payloads: Pure Logs Stealer and Lone None Stealer, also known as PXA Stealer.
The campaign also stores payload URLs in Telegram bot profiles and abuses legitimate programs such as Haihaisoft PDF Reader to evade detection. Victims receive emails with links that redirect through URL shortening services to file-sharing platforms such as Dropbox and MediaFire.
The archive files contain legitimate documents and malicious components, masking their true intent.
Advanced Infection Mechanism and Payload Delivery
The malware campaign exhibits sophisticated multi-stage infection processes. Upon clicking a malicious link, victims download an archive file containing a legitimate program, repurposed to load a malicious DLL functioning as a Python installer.
The infection chain uses legitimate Windows utilities to decode and execute the final payload. The malicious DLL abuses certutil.exe to decode a disguised archive file.
The following command illustrates this technique:
cmd /c cd _ && start Document.pdf && certutil -decode Document.pdf Invoice.pdf && images.png x -ibck -y Invoice.pdf C:\Users\Public
After decoding, the campaign uses a bundled WinRAR executable to extract the contents to C:\Users\Public, a directory that is writable without administrative privileges and persists across sessions.
The Python installation includes a malicious interpreter executable named “svchost.exe,” executing obfuscated scripts to communicate with Telegram bot infrastructure. The malware maintains persistence through Windows registry modifications, creating startup entries in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
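The infection chain above leaves three distinctive traces in endpoint telemetry: certutil.exe decoding a non-certificate file, a renamed archiver invoked with extraction switches, and an svchost.exe running outside System32 with a Run-key entry pointing into C:\Users\Public. The rules below are an added example of how a defender could match those traces; they are not Cofense's code, and the event dictionary layout and the sample events are constructed for illustration.

```python
import re

# Process-creation rules: (finding name, pattern applied to the command line or image path).
RULES = [
    # certutil.exe used as a decoder on a file with a document/image extension
    ("certutil_decode_non_cert",
     re.compile(r"certutil(\.exe)?\s+-decode\s+\S+\.(pdf|png|jpg|docx?)\b", re.I)),
    # An image/document-named binary given WinRAR-style extract switches (renamed archiver)
    ("renamed_archiver_extract",
     re.compile(r"\b\S+\.(png|jpg|pdf|docx?)\s+x\s+(-\S+\s+)*\S+", re.I)),
    # svchost.exe executing from anywhere other than \Windows\System32\
    ("svchost_outside_system32",
     re.compile(r"^(?!.*\\windows\\system32\\)(.*\\)?svchost\.exe$", re.I)),
]
RUN_KEY = re.compile(r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
PUBLIC_DIR = re.compile(r"C:\\Users\\Public\\", re.I)

def check_event(ev):
    """Return the list of rule names that fire on one event dict (constructed schema)."""
    hits = []
    cmd = ev.get("cmdline", "")
    img = ev.get("image", "")
    if ev.get("type") == "process":
        for name, rx in RULES[:2]:
            if rx.search(cmd):
                hits.append(name)
        if RULES[2][1].search(img):
            hits.append(RULES[2][0])
    elif ev.get("type") == "registry":
        # Persistence pattern: a Run-key value whose target lives under C:\Users\Public
        if RUN_KEY.search(ev.get("reg_key", "")) and PUBLIC_DIR.search(ev.get("reg_value", "")):
            hits.append("run_key_to_public_dir")
    return hits

def scan(events):
    """Map event index -> fired rule names for every event that triggered at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry mirroring the command shown in the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c cd _ && start Document.pdf && certutil -decode Document.pdf Invoice.pdf && images.png x -ibck -y Invoice.pdf C:\Users\Public"},
    {"type": "process", "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe -c ..."},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "reg_key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "reg_value": r"C:\Users\Public\svchost.exe C:\Users\Public\loader.py"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The legitimate System32 svchost.exe event produces no finding, so the rules separate the renamed Python interpreter from the real service host by path rather than by name.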
The campaign’s use of Telegram bots for payload delivery and command-and-control infrastructure signifies a tactical evolution, leveraging legitimate platforms to evade detection.