
Malicious software running Python seized vast amounts of credit card details, passwords, and cookies numbering over 4 million.

Malicious software PXA Stealer steals data from almost forty web browsers, among which Chrome is included.

Malicious software driven by Python steals credit card information, over 200,000 passwords, and approximately 4 million cookies


Breaking News: PXA Stealer Infostealer Campaign Expands its Reach

A new variant of the PXA Stealer infostealer, first documented by Cisco Talos in November 2024, has been found to be active in ongoing campaigns. This variant, operated by Vietnamese-speaking cybercriminal groups, is leveraging the Telegram platform for command-and-control (C2) and resale purposes.

How the PXA Stealer Campaign Operates:

The attackers use phishing and social engineering techniques to deliver malicious ZIP files or archives, often disguised as legitimate file types such as PDF or PNG. These packages contain legitimate signed software like Haihaisoft PDF Reader or Microsoft Word 2013, bundled with malicious sideloaded DLLs to evade detection. Upon execution, the malware installs a Python interpreter and deploys the PXA Stealer payload, written in Python and compiled with Nuitka, designed for runtime unpacking and evasion.
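The delivery chain above (an archive whose members pose as a document or image, plus a signed executable staged next to a DLL it can sideload) can be checked by a triage script before anyone opens the package. The Python below is an added example for this page, not code from the article or from any of the cited reports; the archive it builds is a constructed stand-in whose members are just `MZ` headers padded with zeros, and the extension lists are assumptions a defender would tune for their own environment.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions a lure typically pretends to be, and the types that actually
# execute. Both sets are assumptions for this example; tune them to your fleet.
DOC_LIKE = {".pdf", ".png", ".jpg", ".doc", ".docx", ".txt"}
EXEC_LIKE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def split_exts(name: str) -> List[str]:
    """Lower-cased extension chain of a member name:
    'Invoice.pdf.exe' -> ['.pdf', '.exe']; a name without a dot gives []."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (finding, member) pairs for three delivery patterns:
    double-extension lures, PE files named like documents or images, and
    DLLs staged in the same folder as an executable (sideloading layout)."""
    findings: List[Tuple[str, str]] = []
    by_folder: Dict[str, Dict[str, List[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = split_exts(name)
            last = exts[-1] if exts else ""
            # Only the first two bytes are needed to recognise a PE image.
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"

            if len(exts) >= 2 and exts[-2] in DOC_LIKE and last in EXEC_LIKE:
                findings.append(("double_extension", name))
            if is_pe and last in DOC_LIKE:
                findings.append(("pe_disguised_as_document", name))

            folder = name.rsplit("/", 1)[0] if "/" in name else ""
            bucket = by_folder.setdefault(folder, {"exe": [], "dll": []})
            if is_pe and last == ".exe":
                bucket["exe"].append(name)
            elif is_pe and last == ".dll":
                bucket["dll"].append(name)

    # A DLL next to an executable is the layout used for search-order
    # sideloading; the executable itself may be legitimately signed.
    for bucket in by_folder.values():
        if bucket["exe"] and bucket["dll"]:
            for dll in bucket["dll"]:
                findings.append(("dll_next_to_executable", dll))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure layout from the article. Members
    are 'MZ' plus zero padding, not real programs."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Contract_2024.pdf.exe", fake_pe)       # double-extension lure
        zf.writestr("photo.png", fake_pe)                   # PE named as an image
        zf.writestr("Reader/Reader.exe", fake_pe)           # stand-in for a signed viewer
        zf.writestr("Reader/helper.dll", fake_pe)           # sideload candidate
        zf.writestr("Reader/readme.txt", b"release notes")  # harmless text
    return buf.getvalue()


if __name__ == "__main__":
    for finding, member in triage_archive(build_sample_archive()):
        print(f"{finding:28s} {member}")
```

The signature check is deliberately absent: a sideloading package passes it, because the executable really is signed. What gives the package away is the layout and the naming, which is why the script looks at those instead.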

Data Theft and Exfiltration:

PXA Stealer exfiltrates a broad range of sensitive data from infected machines: passwords and browser autofill data, session cookies (over 4 million stolen), cryptocurrency wallet information, financial application data, screenshots, and data from applications such as Discord, Telegram, and Steam as well as various web browsers. The stolen data is sent automatically to attacker-controlled Telegram bots and aggregated in underground marketplaces such as Sherlock, enabling further criminal use such as account takeover, cryptocurrency theft, or infiltration of organizations.
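Because the collection channel is the Telegram Bot API, the exfiltration step leaves a recognisable shape in proxy or endpoint network telemetry: a non-browser process posting to `api.telegram.org` on a `/bot<id>:<token>/send...` path. The Python below is an added detection example, not code from the article or from the reports it cites; the log format is hypothetical, and the hosts, process paths, bot ids and tokens in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed log lines in a hypothetical proxy/EDR format (not real telemetry);
# bot ids and tokens are placeholders.
SAMPLE_LOGS = """\
2025-07-21T09:12:01Z host=WS-17 proc=C:\\Users\\a.nguyen\\AppData\\Local\\Temp\\py\\python.exe dst=api.telegram.org path=/bot7211111111:AAExampleTokenValue_xxxxxxxxxxxxxxx/sendDocument
2025-07-21T09:12:05Z host=WS-17 proc=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe dst=web.telegram.org path=/k/
2025-07-21T09:13:40Z host=WS-02 proc=C:\\Users\\j.smith\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe dst=api.telegram.org path=/bot1234567890:AAAnotherPlaceholderToken_yyyyyyyy/getMe
2025-07-21T09:15:12Z host=WS-09 proc=C:\\Users\\Public\\svc\\Haihaisoft PDF Reader.exe dst=api.telegram.org path=/bot7211111111:AAExampleTokenValue_xxxxxxxxxxxxxxx/sendDocument
2025-07-21T09:16:00Z host=WS-09 proc=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com path=/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>.+?) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Bot API calls look like /bot<numeric id>:<token>/<method>.
BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Methods that push data out of the host; anything else is only "bot API use".
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo"}


@dataclass
class Alert:
    ts: str
    host: str
    proc: str
    bot_id: str
    method: str
    severity: str


def detect(lines: List[str]) -> List[Alert]:
    """Flag endpoint processes that talk to the Telegram Bot API. Ordinary
    Telegram clients and the web app do not use /bot<token>/ paths, so any
    hit is worth a look; upload methods are rated high. The token is kept
    out of the alert on purpose: it is a secret, and the bot id is enough
    to pivot on."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"].lower() != "api.telegram.org":
            continue
        b = BOT_RE.match(m["path"])
        if not b:
            continue
        severity = "high" if b["method"] in UPLOAD_METHODS else "low"
        alerts.append(Alert(m["ts"], m["host"], m["proc"], b["bot_id"], b["method"], severity))
    return alerts


def cluster_by_bot(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Group affected hosts per bot id: one bot seen on several hosts is the
    shape of a single campaign's collection channel."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        groups[a.bot_id].add(a.host)
    return dict(groups)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS.splitlines())
    for a in found:
        print(f"{a.severity:4s} {a.ts} {a.host} bot={a.bot_id} {a.method} <- {a.proc}")
    for bot_id, hosts in cluster_by_bot(found).items():
        print(f"bot {bot_id} seen on {sorted(hosts)}")
```

On the sample, the Chrome line is ignored (web client, no bot path), the desktop client's `getMe` call is rated low, and the two `sendDocument` uploads from a temp-folder Python interpreter and from a PDF reader process share one bot id, which is how a single collection bot across several hosts becomes visible. Rating on the process image as well (user-writable paths such as `AppData\Local\Temp`) is a natural second signal to add.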

Global Impact:

This operation is active globally, with identified victims from at least 62 countries including the United States, South Korea, the Netherlands, Austria, Hungary, Japan, India, the Philippines, and Germany. Over 4,000 unique victim IPs have been observed, and the campaign continues to evolve rapidly with enhanced evasion and delivery techniques.

Layered Evasion Tactics:

The campaign exemplifies a new paradigm where cybercriminals weaponize legitimate infrastructure such as Telegram, Dropbox, and Cloudflare Workers for malware delivery, control, and monetization, reducing operational cost and complexity. In the new variant, the attackers also target users' databases and configuration files for cryptocurrency apps and VPNs, plus website-specific data from Google Ads, Coinbase, Kraken, PayPal, and other financial services.

In summary, Vietnamese-speaking hackers operate the PXA Stealer campaign by using layered evasion tactics and Telegram-based automation to steal and monetize sensitive data from thousands of global victims across multiple countries through a sophisticated pipeline of phishing, sideloading legitimate software, and real-time data resale on underground marketplaces.

Sources:

  1. SentinelLabs and Beazley Security detailed their findings in a Monday report.
  2. More details can be found in the original Cisco Talos report from November 2024.
  3. Further information can be found in the latest report from the Cybersecurity and Infrastructure Security Agency (CISA).
  4. For a comprehensive analysis, refer to the report by Malwarebytes Labs.
  5. The attackers' use of legitimate infrastructure for malicious purposes was highlighted in a report by Kaspersky.

  1. The expanding PXA Stealer infostealer campaign, which relies on layered evasion tactics and Telegram-based automation, has been found to leverage AI and legitimate software such as Haihaisoft PDF Reader or Microsoft Word 2013 to infiltrate databases and steal sensitive data.
  2. The stolen data, consisting of passwords, browser autofill data, cryptocurrency wallet information, financial application data, screenshots, and more, is sent to attacker-controlled Telegram bots and bought and sold in underground marketplaces such as Sherlock.
  3. Despite reporting from security organizations and agencies including SentinelLabs, Beazley Security, Cisco Talos, the Cybersecurity and Infrastructure Security Agency (CISA), Malwarebytes Labs, and Kaspersky, the PXA Stealer campaign has been active in at least 62 countries and remains a significant security concern.
  4. To counter this threat, users are advised to strengthen their security measures with technologies such as encryption, multi-factor authentication, and up-to-date antivirus software to protect their data from infostealers like PXA Stealer.
