PXA Stealer Stole 200,000 Passwords and 4 Million Cookies

📟 News

Date: 07/08/2025

Analysts from Beazley Security and SentinelOne have warned about a campaign distributing an updated version of the PXA Stealer infostealer, written in Python. According to the researchers, the stealer has already compromised over 4,000 victims across 62 countries worldwide.

Researchers believe that Vietnamese-speaking hackers are behind PXA Stealer. They monetize the stolen data from victims by selling it to other criminals through Telegram and even have their own subscription-based system.

“This discovery demonstrates significant progress in attack tactics: more advanced anti-analysis methods are now being used, alongside harmless fake content for lures and secure command infrastructure, which delays detection and complicates investigation,” experts say.

Currently, the stealer’s activity has affected over 4,000 unique IP addresses across 62 countries (including South Korea, the USA, the Netherlands, Hungary, and Austria). PXA Stealer has stolen over 200,000 unique passwords, data from hundreds of bank cards, and more than 4 million browser cookies from victims.

PXA Stealer was first discovered by analysts from Cisco Talos in November 2024. At that time, it was primarily used for attacks on government and educational institutions in European and Asian countries. This malware is capable of stealing passwords, browser autofill data, cryptocurrency wallet information, and data from banking applications.

The stolen data is transmitted to the malware operators via Telegram, and then ends up on hacker platforms like Sherlock, which trade in logs. Other cybercriminals can purchase them there, for instance, to steal cryptocurrency or to conduct further attacks on organizations.

According to Beazley Security and SentinelOne, by 2025 the distribution tactics of stealers had become more sophisticated. Attackers started using DLL side-loading and multi-stage malware execution schemes to remain undetected for longer periods.

For instance, in April of this year, attackers used phishing emails to trick victims into downloading an archive containing a signed copy of Haihaisoft PDF Reader along with a malicious DLL library.

The malicious DLL is responsible for carrying out all the infection steps and at some point presents the victim with a decoy (such as a fake copyright infringement notification). After this, the stealer is deployed into the system.

Moreover, the updated version of PXA Stealer can extract cookies from Gecko and Chromium-based browsers (by injecting a DLL into running processes, bypassing the protection of App-Bound Encryption), and it also steals data from VPN clients, cloud CLI interfaces, connected network resources, and several other applications, including Discord.

“PXA Stealer uses bot identifiers (TOKEN_BOT) to link the main bot with Telegram channels (CHAT_ID),” the researchers explain. “Different channels in Telegram are behind the ChatID, but they are mainly used for receiving stolen data and sending notifications to operators. The idea of using the legitimate infrastructure of Telegram is driven by the desire to automate data theft and simplify the process of selling it, which allows cybercriminals to deliver information to other criminals more efficiently.”
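The Telegram exfiltration channel described above, seen from the defender's side: a small detector that flags Bot API upload calls coming from processes that would not normally talk to Telegram and extracts the chat_id and bot id as blockable indicators. This is an added example, not code from the researchers or the article; the log format, the process allow-list and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Bot API calls have the shape https://api.telegram.org/bot<TOKEN>/<method>.
# sendDocument/sendPhoto push files (log archives) into the channel behind chat_id.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s?]+)/"
    r"(?P<method>sendDocument|sendPhoto|sendMessage)"
)
UPLOAD_METHODS = {"sendDocument", "sendPhoto"}

# Assumption: only these images are expected to reach api.telegram.org at all.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def redact_token(token: str) -> str:
    """Keep the numeric bot id (a usable indicator) and hide the secret half."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:<redacted>"


def parse_line(line: str):
    # Constructed proxy/EDR log format: "<ts> proc=<image path> url=<url>"
    m = re.match(r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+url=(?P<url>\S+)$", line)
    return m.groupdict() if m else None


def detect_telegram_exfil(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        hit = TELEGRAM_RE.search(rec["url"]) if rec else None
        if not hit:
            continue
        proc = rec["proc"].rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_CLIENTS:
            continue
        # chat_id may also travel in the POST body; here it is read from the query.
        chat_id = parse_qs(urlparse(rec["url"]).query).get("chat_id", [""])[0]
        findings.append({
            "ts": rec["ts"], "process": proc, "method": hit.group("method"),
            "bot": redact_token(hit.group("token")), "chat_id": chat_id,
            "severity": "high" if hit.group("method") in UPLOAD_METHODS else "medium",
        })
    return findings


# Constructed sample lines; the token and chat_id are placeholders, not real IoCs.
SAMPLE_LOGS = [
    "2025-08-07T10:01:02Z proc=C:\\Users\\u\\AppData\\Local\\Temp\\python.exe "
    "url=https://api.telegram.org/bot1234567890:AAExampleSecret/sendDocument?chat_id=-1001111111111",
    "2025-08-07T10:01:05Z proc=C:\\Program\\chrome.exe url=https://api.telegram.org/bot111:abc/sendMessage?chat_id=5",
    "2025-08-07T10:02:00Z proc=C:\\Windows\\System32\\svchost.exe url=https://update.example.invalid/check",
]
```

Only the first constructed line is reported: a Python interpreter running from a Temp folder uploading a document to a Telegram channel, which matches the behaviour the researchers describe.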
