- Cybercriminals exploit copyright fear to push malware into everyday online spaces
- Telegram bots now double as command hubs for evolving malware threats
- Fake legal firms deliver malware through takedown scams in multiple languages
Cybercriminals have long relied on fear as a way to manipulate victims, and copyright claims are proving to be one of the latest tools of choice.
Research by Cofense Intelligence found attackers are sending messages designed to look like legitimate takedown requests to multiple users.
However, the real intention of these messages is to deliver malware under the guise of legal pressure.
A campaign built on deception
The report outlined how a Vietnamese threat actor referred to as Lone None has been distributing campaigns that spoof legal firms, sending messages which claim to flag copyright-infringing content on the target’s website or social media account.
What makes this wave of activity notable is the use of multiple languages, suggesting reliance on machine translation or AI tools to generate convincing templates across regions.
Victims are pressured into following links, which, instead of solving an alleged copyright problem, lead to malware downloads.
The attack chain has several unusual features that distinguish it from more traditional phishing attempts.
Instead of relying on ordinary hosting methods, the operators have embedded payload information within Telegram bot profile pages.
From there, targets are steered toward archive files hosted on free platforms such as Dropbox or MediaFire.
Inside these archives, legitimate applications like PDF readers are bundled alongside malicious files.
The malware loader is disguised to resemble normal Windows processes, and it uses obfuscated Python scripts to establish persistence and fetch additional components.
Beyond the familiar PureLogs Stealer, Cofense reports the presence of a new malware strain named Lone None Stealer, also called PXA Stealer.
This tool is engineered to focus on cryptocurrency theft, quietly replacing copied wallet addresses with those controlled by the attackers.
Communication with the operators is handled through Telegram bots, keeping the infrastructure flexible and harder to disrupt.
Although the current campaigns emphasize information stealing, the methods used could just as easily deliver ransomware in future iterations.
While technical indicators such as unusual Python installations on a host can aid in detection, the most effective shield is still training and vigilance.
A combination of advanced email security tools and endpoint protection offers a strong defense, since filtering alone cannot fully prevent these copyright-spoofing campaigns.
