PXA Stealer Attack Campaigns
Cybersecurity researchers are sounding the alarm over a new surge in campaigns pushing PXA Stealer, a Python-based malware specifically designed to harvest sensitive user data. This sophisticated infostealer is attributed to a group of Vietnamese-speaking cybercriminals, who exploit it within a subscription-based underground ecosystem. What sets this campaign apart is its integration with Telegram APIs, allowing stolen data to be swiftly monetized, resold, and reused with minimal human intervention.
Widespread Infections and Alarming Data Theft
The reach of PXA Stealer is extensive. More than 4,000 unique IP addresses across 62 countries have been compromised. Victim regions include the United States, South Korea, the Netherlands, Hungary, and Austria.
The scale of the stolen data is significant:
- Over 200,000 unique passwords
- Hundreds of credit card records
- More than 4 million browser cookies
Initially spotted in November 2024, PXA Stealer campaigns were seen targeting government and educational institutions in Europe and Asia. Since then, it has evolved to extract a broad range of data including:
- Passwords and autofill data from browsers
- Cryptocurrency wallet credentials
- VPN client configurations
- Information from cloud CLI tools and Discord
- Connected network shares and financial platforms
Telegram: The Nerve Center of the Operation
Exfiltrated data is routed via Telegram channels, where it is stored and monitored. PXA Stealer carries a bot token (TOKEN_BOT) and the identifier of the chat the bot posts to (CHAT_ID); the Telegram chats addressed this way act as repositories for stolen information and serve as a communication hub for threat actor notifications.
This stolen data is funneled into illicit platforms such as Sherlock, a marketplace dealing in stealer logs. Here, other cybercriminals can purchase the data to conduct crypto heists or penetrate corporate networks, feeding into a fast-growing cybercriminal supply chain.
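Because the stealer talks to Telegram through the public Bot API, the exfiltration path is visible in egress proxy logs as requests to api.telegram.org whose path embeds the bot token followed by a method name. The script below is an added defender-side example, not code from the article or from the malware: it parses a handful of constructed proxy log lines (the log format, the IP addresses, the bot tokens and the chat ID are all invented for illustration), flags calls to data-pushing methods such as sendDocument and sendMessage, extracts the chat_id the data is sent to, and redacts the secret half of the token while keeping the numeric bot ID for correlation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API paths look like /bot<token>/<method>. A token is
# "<numeric bot id>:<secret>"; the pattern is kept slightly loose so a
# malformed or truncated secret still produces a finding.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Methods that push content into a chat; these are the ones an infostealer
# would use to deliver archives of harvested data or status messages.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed sample log (not real traffic). Fields: <ts> <src_ip> <http_method> <url> <status>
# Tokens and chat IDs are invented placeholders.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 10.0.0.15 GET https://update.example.com/check 200
2025-07-01T10:00:04Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly_xyz/sendDocument?chat_id=-1001234567890 200
2025-07-01T10:00:05Z 10.0.0.22 GET https://api.telegram.org/bot987654321:AAAnotherFakeToken_abc/getMe 200
2025-07-01T10:00:09Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly_xyz/sendMessage?chat_id=-1001234567890&text=hello 200
"""


def redact_token(token: str) -> str:
    """Keep the numeric bot ID (useful for correlating hosts) and hide the secret."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:<redacted>"


def parse_line(line: str):
    """Split one sample log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, http_method, url, status = parts
    return {"ts": ts, "src": src, "http_method": http_method, "url": url, "status": status}


def detect_telegram_exfil(log_text: str):
    """Return one finding per request that pushes data through the Telegram Bot API."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.hostname != "api.telegram.org":
            continue
        m = TELEGRAM_BOT_PATH.match(u.path)
        if not m:
            continue
        method = m.group("method")
        if method not in EXFIL_METHODS:
            continue  # e.g. getMe: a liveness check, not a data push
        chat_ids = parse_qs(u.query).get("chat_id", [])
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "bot": redact_token(m.group("token")),
            "method": method,
            "chat_id": chat_ids[0] if chat_ids else None,
        })
    return findings


def summarize_by_source(findings):
    """Count exfil-style calls per source IP; a host repeatedly posting to the same chat is the signal to triage."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_telegram_exfil(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize_by_source(hits))
```

In a real deployment the same logic would run over TLS-inspected proxy or DNS-plus-SNI telemetry; without inspection only the api.telegram.org host is visible, which is still worth alerting on for hosts that have no business reason to reach it.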
Advanced Tradecraft and Evasion Tactics
Recent campaigns in 2025 have demonstrated notable technical advancement. The operators now employ DLL side-loading techniques and multi-layered staging strategies to avoid detection and hinder forensic analysis. A deceptive twist in the attack chain involves the display of a decoy document, such as a fake copyright infringement notice, while malicious operations proceed quietly in the background.
Among the most significant upgrades in the newer variants of PXA Stealer is its ability to extract encrypted cookies from Chromium-based browsers. It does this by injecting a DLL into active processes, effectively bypassing application-level encryption protections.
Key Techniques Behind the Operation
The campaign exhibits several defining tactics:
- Anti-analysis defenses: Designed to delay detection and frustrate reverse engineering efforts.
- Staged payload delivery: Complex infection chains using side-loaded DLLs.
- Decoy content: Non-malicious files used to mask malicious activity.
- Telegram-based C2 infrastructure: Hardened communication pipeline used for command, control, and data exfiltration.
The Bigger Picture: A Growing Underground Market
What began as a Python stealer has now grown into a mature, multi-stage cyber operation. It is not just the malware that’s advanced, but the ecosystem surrounding it, such as Telegram-based marketplaces, automated data reselling channels, and organized monetization pipelines.
These developments highlight how modern cybercrime has become more agile, scalable, and deeply intertwined with encrypted communication tools. PXA Stealer stands as a prime example of how threat actors are adapting their tools and trade to stay ahead of detection and maximize profits in today’s cybercriminal economy.