Vietnamese Hackers Target 4,000 IPs, Steal 200,000 Passwords with PXA Stealer


Understanding the Rise of PXA Stealer: A Threat to Cybersecurity

Cybersecurity experts are raising alarms about a new trend in cybercrime involving a sophisticated Python-based information stealer known as PXA Stealer. This malware is primarily attributed to cybercriminals who communicate in Vietnamese, and it operates within an intricate underground network that profits from stolen information through automated resales facilitated via Telegram APIs.

The Mechanics Behind PXA Stealer

According to a comprehensive report by Beazley Security and SentinelOne shared with The Hacker News, this malware campaign integrates advanced strategies to make detection challenging. Experts including Jim Walter, Alex Delamotte, and their colleagues have noted that the attackers employ sophisticated anti-analysis techniques, create non-malicious decoy content, and utilize a robust command-and-control infrastructure. These tactics are designed to complicate detection processes and hinder security analysts from responding effectively.

Scale of Impact

Since its emergence, PXA Stealer has compromised more than 4,000 unique IP addresses across 62 countries, including significant infections in South Korea, the United States, the Netherlands, Hungary, and Austria. The data compromised by this malware is extensive, comprising over 200,000 unique passwords, hundreds of credit card numbers, and more than 4 million browser cookies.

Initially documented by Cisco Talos in November 2024, PXA Stealer has targeted various sectors, particularly government and educational institutions across Europe and Asia. This malware can gather not only passwords and autofill data from browsers but also critical information from cryptocurrency wallets and online banking services.

How Stolen Data is Exploited

Once harvested, the data stolen by PXA Stealer is sent through Telegram to criminal platforms like Sherlock, where it’s auctioned to other cybercriminals. These individuals use the purchased information for malicious activities such as cryptocurrency theft or strategic infiltration into organizations. This process fosters a large-scale cybercriminal ecosystem that continuously exploits stolen data for illicit gain.

Evolving Tactics of Cybercriminals

The methods used to deploy this malware have evolved significantly in 2025. Cybercriminals have begun employing dynamic techniques, such as DLL side-loading and additional layers of staging to conceal their activities. The malicious DLL not only facilitates the infection process but also distracts victims with decoy documents, like notices about copyright infringements, to mask the malware’s true intent.

Advanced Data Extraction Capabilities

This latest iteration of PXA Stealer includes enhanced features that allow it to pull cookies from Chromium-based browsers by inserting a DLL into running applications, effectively bypassing application-bound encryption measures. Furthermore, it extracts data from various sources, including VPN clients, cloud CLI utilities, shared file systems, and even applications like Discord.

Communication and Coordination Among Cybercriminals

Researchers highlight that PXA Stealer utilizes distinct identifiers, such as BotIDs (stored as TOKEN_BOT) and ChatIDs (stored as CHAT_ID), to ensure effective communication between the main bot and various Telegram channels. These channels not only host the exfiltrated data but also provide real-time updates and alerts to the operators involved in the scheme.

In the current cyber landscape, threats like PXA Stealer reflect a complex and organized effort by Vietnamese-speaking hackers tied to a larger market within Telegram that specializes in trading stolen data. This evolution illustrates the alarming sophistication of cybercrime today, necessitating vigilant security measures and continuous monitoring to mitigate the risks associated with such threats.
