- Cybercriminals exploit fear of copyright claims to push malware to online users every day
- Telegram bots now double as command centers for evolving malware threats
- Fake law firms deliver malware through takedown scams in several languages
Cybercriminals have long relied on fear to manipulate victims, and copyright notices are proving to be one of their latest tools of choice.
Research from Cofense Intelligence found that attackers are sending messages designed to look like legitimate takedown requests to large numbers of users.
However, the true purpose of these messages is to deliver malware under the guise of legal pressure.
A campaign built on deception
The report describes how a Vietnamese threat actor tracked as Lone None has been running campaigns that impersonate law firms, sending messages claiming that copyrighted content has been flagged on the target's website or social media account.
What makes this wave of activity notable is its use of multiple languages, which suggests reliance on automatic translation or AI tools to generate convincing templates for each region.
Victims are pressured into following links which, rather than resolving the alleged copyright problem, lead to malware downloads.
The attack chain has several unusual characteristics that distinguish it from more traditional phishing attempts.
Instead of relying on ordinary hosting, the operators embed payload information in the profile pages of Telegram bots.
From there, targets are directed to archive files hosted on free platforms such as Dropbox or MediaFire.
Inside these archives, legitimate applications such as PDF readers are bundled with malicious files.
The malware loader is disguised as a normal Windows process and uses obfuscated Python scripts to establish persistence and fetch additional components.
Beyond the well-known PureLogs stealer, Cofense reports the presence of a new malware strain called Lone None Stealer, also known as PXA Stealer.
This tool is built for cryptocurrency theft: it watches the clipboard and silently replaces copied wallet addresses with addresses controlled by the attackers.
Communication with the operators is handled through Telegram bots, which keeps the infrastructure flexible and harder to disrupt.
Although the current campaigns emphasize information theft, the same delivery methods could easily carry ransomware in future iterations.
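The clipboard-swapping behaviour described above leaves a recognisable trace: a wallet address appears in the clipboard and is replaced by a different address of the same type a fraction of a second later, faster than a person would copy something else. The following detection logic is an added example, not code from the Cofense report or from the malware; the address patterns, the two-second window and the sample clipboard events are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed patterns for two commonly targeted address formats. Coverage is
# illustrative; extend it with the coin types you care about.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float   # seconds since epoch when the clipboard changed
    text: str   # new clipboard contents


def classify(text):
    """Return the coin type a clipboard string looks like, or None."""
    t = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return coin
    return None


def detect_clipboard_swaps(events, window=2.0):
    """Return (event_index, coin, original, replacement) for each suspicious swap.

    A swap is two consecutive clipboard writes that are both addresses of the
    same coin type, hold different values, and occur within `window` seconds.
    A person re-copying a different address that quickly is unlikely; a clipper
    rewriting the clipboard right after the user copies an address is the
    classic pattern the text describes.
    """
    alerts = []
    for i in range(1, len(events)):
        prev, cur = events[i - 1], events[i]
        coin = classify(prev.text)
        if coin is None or classify(cur.text) != coin:
            continue
        if prev.text.strip() != cur.text.strip() and (cur.ts - prev.ts) <= window:
            alerts.append((i, coin, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed sample clipboard history (addresses are made-up placeholders).
SAMPLE_EVENTS = [
    ClipEvent(100.0, "meeting notes"),
    ClipEvent(105.0, "0x" + "1" * 40),                    # user copies a recipient address
    ClipEvent(105.4, "0x" + "2" * 40),                    # rewritten 0.4 s later: suspicious
    ClipEvent(200.0, "1DemoDemoDemoDemoDemoDemoAAAAAA"),  # user copies a BTC address
    ClipEvent(230.0, "1DemoDemoDemoDemoDemoDemoBBBBBB"),  # different address 30 s later: normal
    ClipEvent(231.0, "1DemoDemoDemoDemoDemoDemoBBBBBB"),  # same value again: not a swap
]

if __name__ == "__main__":
    for idx, coin, before, after in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"event {idx}: {coin} address {before} replaced by {after}")
```

On a live host the events would come from polling the clipboard (for example with a clipboard library or the Windows clipboard API); this function only contains the decision logic, so it can be unit-tested offline and reused in an EDR rule or a user-mode monitor.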
While technical indicators such as unusual Python installations on a host can help with detection, the most effective shield remains user training and vigilance.
A combination of advanced email security tools and endpoint protection offers a solid defense, since filtering alone cannot fully stop these copyright-takedown campaigns.
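Turning the "unusual Python installation" indicator into something a responder can run: the check below is an added example, not part of the Cofense report or any product, and the allow-list of install directories, the staging-directory list and the sample process records are constructed for this illustration. It flags Python interpreters running from outside the normal install locations, interpreters renamed to look like a Windows process (as the loader in this campaign is described as doing), inline code passed with -c, and scripts launched from user-writable staging directories.

```python
import re
from dataclasses import dataclass

# Constructed allow-list of directories where python.exe normally lives on
# Windows. Extend it to match the installers used in your estate.
EXPECTED_DIRS = [
    re.compile(r"^c:\\program files(?: \(x86\))?\\python3\d+(?:-32)?\\", re.I),
    re.compile(r"^c:\\python3\d+(?:-32)?\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\python3\d+(?:-32)?\\", re.I),
]

# User-writable directories commonly used to stage droppers (constructed list).
STAGING_DIR = re.compile(r"\\(?:temp|tmp|users\\public|programdata|downloads)\\", re.I)

# A "-c" argument means code was passed inline instead of as a script file.
INLINE_CODE = re.compile(r"(?:^|\s)-c\s")

PY_NAMES = ("python.exe", "pythonw.exe")


@dataclass
class Proc:
    pid: int
    image: str        # full path of the running executable
    cmdline: str      # command line as recorded by the process monitor
    description: str  # FileDescription from the PE version resource


def exe_name(p):
    return p.image.rsplit("\\", 1)[-1].lower()


def is_python(p):
    """True if the file is named like Python or its version resource says so."""
    return exe_name(p) in PY_NAMES or "python" in p.description.lower()


def python_findings(procs):
    """Map pid -> list of reasons for every Python interpreter process that
    shows at least one suspicious property. Clean interpreters are omitted."""
    findings = {}
    for p in procs:
        if not is_python(p):
            continue
        reasons = []
        name = exe_name(p)
        if name not in PY_NAMES:
            reasons.append(f"Python interpreter renamed to {name}")
        if not any(pat.match(p.image) for pat in EXPECTED_DIRS):
            reasons.append(f"interpreter outside expected install dirs: {p.image}")
        if INLINE_CODE.search(p.cmdline):
            reasons.append("inline code via -c on the command line")
        if STAGING_DIR.search(p.cmdline):
            reasons.append("script or argument in a user-writable staging dir")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample process snapshot (paths and names are hypothetical).
SAMPLE_PROCS = [
    Proc(4120, r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
         r"python.exe C:\Users\alice\dev\build.py", "Python"),
    Proc(700, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs", "Host Process for Windows Services"),
    Proc(5532, r"C:\Users\Public\Libraries\svchost.exe",
         r'"C:\Users\Public\Libraries\svchost.exe" C:\Users\Public\Libraries\u.py', "Python"),
    Proc(6010, r"C:\Users\bob\AppData\Local\Temp\py\pythonw.exe",
         'pythonw.exe -c "import base64;exec(base64.b64decode(PAYLOAD))"', "Python"),
]

if __name__ == "__main__":
    for pid, reasons in python_findings(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(reasons))
```

The version-resource check matters more than the file name: a developer's interpreter in the expected per-user directory produces no finding, while a copy of python.exe renamed to svchost.exe and dropped in a public folder trips three rules at once. Feed it the output of your EDR's process inventory rather than a live process walk so the same logic runs consistently across hosts.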