Vietnam-Linked PXA Stealer Campaign Accelerates Data Theft from Professionals Worldwide


A recently uncovered global malware campaign has highlighted the capabilities of PXA Stealer, a sophisticated tool used by cybercriminals linked to Vietnam. The campaign targets professionals in many countries and leverages trusted platforms such as LinkedIn to extract sensitive data. First documented in late 2024, the PXA Stealer campaign has grown into a formidable threat, combining social engineering, multi-stage payload delivery, and stealthy execution to evade traditional defenses.

The Attack Chain: Fake Recruiter Messages

The PXA Stealer campaign typically initiates with a direct message on LinkedIn from a compromised or spoofed account masquerading as a recruiter from a fictitious company named Apex Logistics Group. This message often entices targets with promises of remote work opportunities in fields like digital marketing, exploiting the inherent trust associated with professional networking. Such tactics effectively lower the suspicion of potential victims, making them more likely to engage.

Once interest is piqued, victims are directed to complete a Google Form and are then redirected through a URL shortener to a ZIP archive hosted on cloud storage. The archive, disguised with a job-related name, contains a legitimate Microsoft Word executable alongside a malicious DLL. Launching the executable triggers DLL sideloading, so the malicious payload is loaded in the context of a trusted, signed-looking binary.

Evasion Techniques and Data Exfiltration

To evade detection, the threat actors inflate the malicious DLL to approximately 100 MB, far larger than its legitimate counterpart. This binary padding technique targets scanners that skip or only partially inspect files above a size threshold. Once executed, PXA Stealer operates solely in memory, leaving minimal traces on disk and complicating forensic analysis.

Once active on a victim’s machine, PXA Stealer focuses on harvesting a wide array of sensitive materials, including:

  • Stored browser login credentials, cookies, and session tokens
  • Cryptocurrency wallet identifiers and associated applications
  • Two-factor authentication secrets from authenticator apps
  • Desktop and email client credentials

Persistence is achieved through scheduled tasks disguised as standard system updates, such as a fake Microsoft Edge update. This method blends malicious activity into normal operations, making detection even more challenging. The exfiltration of stolen data is facilitated through encrypted Telegram channels and hidden command-and-control infrastructure that can masquerade as legitimate services.
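Two of the behaviours described above lend themselves to simple host-inventory checks a defender can run over endpoint telemetry: an oversized DLL sitting beside an EXE in a user-writable folder (the padded sideloading pair), and a scheduled task that borrows a vendor "update" name but launches a binary from a user-writable location. The Python below is an added illustration, not code from the article or from Cyble; the file and task records, the folder and DLL names, and the 50 MB size threshold are all constructed assumptions for the demo.

```python
"""Defender-side triage heuristics for the PXA Stealer tradecraft described above.

Added example, not part of the original article. Every record below is
constructed sample telemetry; the DLL name, folder names and the size cut-off
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileRecord:
    path: str   # full Windows path as reported by the endpoint agent
    size: int   # size on disk in bytes


@dataclass(frozen=True)
class TaskRecord:
    name: str    # scheduled task name
    action: str  # executable the task launches


# Locations an unprivileged user can normally write to (assumed list).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# The article reports padded DLLs of roughly 100 MB; 50 MB is an assumed
# threshold that still leaves headroom for large legitimate libraries.
OVERSIZED_DLL_BYTES = 50 * 1024 * 1024

# Words that make a task name read like a browser/vendor updater (assumed).
UPDATE_WORDS = ("update",)
VENDOR_WORDS = ("edge", "microsoft", "chrome", "google")


def _is_user_writable(path_lower: str) -> bool:
    return path_lower.startswith(USER_WRITABLE_ROOTS)


def find_suspicious_sideload_pairs(files):
    """Return (exe_path, dll_path) pairs where an oversized DLL shares a
    user-writable directory with an EXE, the shape of a padded sideload."""
    by_dir = {}
    for rec in files:
        parent = str(PureWindowsPath(rec.path).parent).lower()
        by_dir.setdefault(parent, []).append(rec)

    hits = []
    for directory, members in by_dir.items():
        if not _is_user_writable(directory):
            continue
        exes = [m for m in members if m.path.lower().endswith(".exe")]
        big_dlls = [m for m in members
                    if m.path.lower().endswith(".dll") and m.size >= OVERSIZED_DLL_BYTES]
        for exe in exes:
            for dll in big_dlls:
                hits.append((exe.path, dll.path))
    return hits


def find_masquerading_update_tasks(tasks):
    """Return names of tasks that look like a vendor updater but whose action
    runs from a user-writable location instead of the vendor install path."""
    hits = []
    for task in tasks:
        name = task.name.lower()
        looks_like_updater = (any(w in name for w in UPDATE_WORDS)
                              and any(v in name for v in VENDOR_WORDS))
        if looks_like_updater and _is_user_writable(task.action.lower()):
            hits.append(task.name)
    return hits


# Constructed sample inventory: one padded sideload pair in Downloads, one
# genuine Office install, one genuine Edge updater task, one fake one.
SAMPLE_FILES = [
    FileRecord(r"C:\Users\alice\Downloads\Apex_Logistics_Offer\WINWORD.exe", 1_900_000),
    FileRecord(r"C:\Users\alice\Downloads\Apex_Logistics_Offer\mso.dll", 104_857_600),
    FileRecord(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 1_900_000),
    FileRecord(r"C:\Program Files\Microsoft Office\root\Office16\mso.dll", 30_000_000),
]
SAMPLE_TASKS = [
    TaskRecord("MicrosoftEdgeUpdateTaskMachineCore",
               r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"),
    TaskRecord("Microsoft Edge Update",
               r"C:\Users\alice\AppData\Roaming\edge\update.exe"),
]

if __name__ == "__main__":
    for exe, dll in find_suspicious_sideload_pairs(SAMPLE_FILES):
        print(f"[sideload] {exe} <- {dll}")
    for name in find_masquerading_update_tasks(SAMPLE_TASKS):
        print(f"[persistence] task '{name}' runs from a user-writable path")
```

Both checks are deliberately coarse: they are meant to surface candidates for analyst review, not to convict a host. The size threshold and path lists should be tuned to the environment, and a genuine updater task that runs from the vendor's Program Files path is not flagged.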

The Evolution of a New Threat

Technical analysis of the PXA Stealer campaign indicates a steady increase in activity since it was first documented in November 2024. Originally a Python-based infostealer, the malware has since added multi-layer obfuscation, memory-only execution, and dynamic retrieval of command-and-control details via Telegram. Each of these changes makes detection and mitigation harder.

Throughout 2025, researchers observed expanded sideloading vehicles, enhanced obfuscation layers, and broader geographic targeting. By late 2025 and into early 2026, attackers diversified their social engineering lures beyond job offers to include invitations to view tax forms, legal documents, and software installers. These tactics are designed to increase the likelihood of user interaction, particularly among professionals active on LinkedIn.

Global Impact and Consequences

Investigations by multiple cybersecurity organizations reveal that PXA Stealer has already compromised tens of thousands of devices globally, with estimates exceeding 94,000 infected systems across Europe, Asia, and the Americas. The theft of credentials, including hundreds of thousands of unique passwords and millions of browser cookies, has enabled cybercriminals to bypass multi-factor authentication and escalate unauthorized access rapidly.

Victims of this campaign range from individual job seekers to organizations in heavily regulated sectors. Companies face not only immediate compromises of systems and accounts but also long-term risks, including Business Email Compromise, regulatory breaches under frameworks like GDPR, and reputational damage if employee or customer data is misused.

The PXA Stealer campaign exemplifies how Vietnam-linked actors exploit platforms like LinkedIn and fake recruiters to steal credentials, cryptocurrency wallets, and sensitive data. Organizations must adopt vigilant defenses, including employee training, endpoint protection, multi-factor authentication, and monitoring for unusual activity.

For organizations seeking to bolster their defenses, Cyble offers AI-powered threat intelligence that predicts, detects, and neutralizes such attacks in real time. To understand how Cyble can protect against threats like PXA Stealer, interested parties can schedule a demo.

Source: thecyberexpress.com
