Cybercriminals are exploiting copyright fears to distribute malware through fake legal takedown notices, according to new research from Cofense Intelligence, a cybersecurity firm. The Vietnamese threat actor “Lone None” has been sending multilingual copyright violation messages that appear to come from legitimate law firms, but actually deliver malware when victims click on supposed “resolution” links.
Why this matters: This campaign represents a sophisticated evolution in social engineering tactics, leveraging people’s fear of copyright violations to bypass traditional security measures.
- Attackers are using AI tools and machine translation to create convincing takedown notices in multiple languages, expanding their global reach.
- Instead of traditional hosting methods, the criminals embed payload information within Telegram bot profile pages, making detection more difficult.
- Victims are directed to archive files on platforms like Dropbox or MediaFire that contain legitimate applications bundled with malicious code.
How the attack works: The malware delivery system uses several layers of deception to appear legitimate while establishing persistent access to victim systems.
- The malware loader disguises itself as normal Windows processes and uses obfuscated Python scripts to maintain persistence and fetch additional components.
- Beyond the known PureLogs Stealer, researchers identified a new strain called “Lone None Stealer” or “PXA Stealer” specifically designed for cryptocurrency theft.
- The malware quietly replaces copied cryptocurrency wallet addresses with attacker-controlled addresses, enabling silent theft of digital assets.
In plain English: When victims copy a cryptocurrency wallet address to send money, the malware secretly swaps it with the criminal’s address instead, redirecting the funds without the victim knowing until it’s too late.
The infrastructure advantage: Telegram bots serve as both communication channels and command hubs, creating a flexible and resilient attack infrastructure.
- This approach makes the operation harder to disrupt compared to traditional web-based command and control servers.
- The communication method allows operators to quickly adapt their tactics and maintain contact with infected systems.
The big picture: While current campaigns focus on information and cryptocurrency theft, the sophisticated delivery methods could easily be repurposed for ransomware attacks in future iterations.
- The use of copyright fears as a social engineering vector is particularly effective because legitimate copyright claims are common and create genuine urgency.
- The multilingual approach significantly expands the potential victim pool beyond English-speaking regions.
What to watch for: Security experts emphasize that technical solutions alone cannot fully prevent these copyright-spoofing campaigns.
- Unusual Python installations on systems can serve as technical indicators of compromise.
- The most effective defense combines advanced email security tools, endpoint protection, and user education about recognizing fake legal notices.
- Organizations should train employees to verify copyright claims through official channels before clicking on any links or downloading files.
Recent Stories
DOE fusion roadmap targets 2030s commercial deployment as AI drives $9B investment
The Department of Energy has released a new roadmap targeting commercial-scale fusion power deployment by the mid-2030s, though the plan lacks specific funding commitments and relies on scientific breakthroughs that have eluded researchers for decades. The strategy emphasizes public-private partnerships and positions AI as both a research tool and motivation for developing fusion energy to meet data centers' growing electricity demands. The big picture: The DOE's roadmap aims to "deliver the public infrastructure that supports the fusion private sector scale up in the 2030s," but acknowledges it cannot commit to specific funding levels and remains subject to Congressional appropriations. Why...
Oct 17, 2025Tying it all together: Credo’s purple cables power the $4B AI data center boom
Credo, a Silicon Valley semiconductor company specializing in data center cables and chips, has seen its stock price more than double this year to $143.61, following a 245% surge in 2024. The company's signature purple cables, which cost between $300-$500 each, have become essential infrastructure for AI data centers, positioning Credo to capitalize on the trillion-dollar AI infrastructure expansion as hyperscalers like Amazon, Microsoft, and Elon Musk's xAI rapidly build out massive computing facilities. What you should know: Credo's active electrical cables (AECs) are becoming indispensable for connecting the massive GPU clusters required for AI training and inference. The company...
Oct 17, 2025Vatican launches Latin American AI network for human development
The Vatican hosted a two-day conference bringing together 50 global experts to explore how artificial intelligence can advance peace, social justice, and human development. The event launched the Latin American AI Network for Integral Human Development and established principles for ethical AI governance that prioritize human dignity over technological advancement. What you should know: The Pontifical Academy of Social Sciences, the Vatican's research body for social issues, organized the "Digital Rerum Novarum" conference on October 16-17, combining academic research with practical AI applications. Participants included leading experts from MIT, Microsoft, Columbia University, the UN, and major European institutions. The conference...