Cybersecurity researchers are calling attention to a new wave of campaigns distributing a Python-based information stealer called PXA Stealer.
The malicious activity has been assessed to be the work of Vietnamese-speaking cybercriminals who monetize the stolen data through a subscription-based underground ecosystem that automates the resale and reuse via Telegram APIs, according to a joint report published by Beazley Security and SentinelOne and shared with The Hacker News.
“This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection,” security researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal said.
The campaigns have infected over 4,000 unique IP addresses spanning 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria. Data captured via the stealer includes more than 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies.
PXA Stealer was first documented by Cisco Talos in November 2024, attributing it to attacks targeting government and education entities in Europe and Asia. It’s capable of harvesting passwords, browser autofill data, information from cryptocurrency wallets and financial institutions.
Data stolen by the malware using Telegram as an exfiltration channel is fed into criminal platforms like Sherlock, a purveyor of stealer logs, from where downstream threat actors can purchase the information to engage in cryptocurrency theft or infiltrate organizations for follow-on purposes, fueling a cybercriminal ecosystem that runs at scale.
Campaigns distributing the malware in 2025 have witnessed a steady tactical evolution, with the threat actors employing DLL side-loading techniques and elaborate staging layers in an effort to fly under the radar.
The malicious DLL takes care of conducting the rest of the steps in the infection sequence, ultimately paving the way for the deployment of the stealer, but not before taking steps to display a decoy document, such as a copyright infringement notice, to the victim.
The stealer is an updated version boasting capabilities to extract cookies from Chromium-based web browsers by injecting a DLL into running instances with an aim to defeat app-bound encryption safeguards. It also plunders data from VPN clients, cloud command-line interface (CLI) utilities, connected fileshares, and applications like Discord.
“PXA Stealer uses the BotIDs (stored as TOKEN_BOT) to establish the link between the main bot and the various ChatID (stored as CHAT_ID),” the researchers said. “The ChatIDs are Telegram channels with various properties, but they primarily serve to host exfiltrated data and provide updates and notifications to the operators.”
“This threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data.”
