New Python-Based PXA Stealer Via Telegram Stolen 200,000 Unique Passwords and Hundreds of Credit Cards

A sophisticated new cybercriminal campaign has emerged, leveraging a Python-based information stealer known as PXA Stealer to orchestrate one of the most extensive data theft operations observed in recent months.

The malware, which first surfaced in late 2024, has evolved into a highly evasive multi-stage operation that has successfully compromised over 4,000 unique victims across 62 countries, with the stolen data including more than 200,000 unique passwords, hundreds of credit card records, and over 4 million harvested browser cookies.

The campaign represents a significant leap in cybercriminal tradecraft, incorporating advanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline designed to frustrate security analysis and delay detection.

The threat actors behind this operation have demonstrated remarkable adaptability, continuously refining their delivery mechanisms and evasion strategies throughout 2025.

Most notably, they have adopted novel sideloading techniques involving legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013, concealed malicious DLLs, and embedded archives disguised as common file types.

The geographic distribution of victims reveals a truly global impact, with South Korea, the United States, the Netherlands, Hungary, and Austria being the most heavily targeted regions.

SentinelLABS analysts identified the operation as being orchestrated by Vietnamese-speaking cybercriminal circles who have developed a sophisticated subscription-based underground ecosystem that efficiently automates the resale and reuse of stolen credentials through Telegram’s API infrastructure.

What distinguishes this campaign from typical information stealing operations is its integration with a comprehensive monetization framework.

The stolen data feeds directly into criminal platforms such as Sherlock, where it is normalized, categorized, and made available for purchase by downstream cybercriminals.

This industrialized approach to data theft enables actors to engage in cryptocurrency theft or purchase access credentials to infiltrate organizations for various malicious purposes, creating a self-sustaining criminal economy.

Advanced Infection Mechanism and Persistence Tactics

The PXA Stealer employs a particularly sophisticated infection chain that begins with phishing lures containing large compressed archives.

In the most recent iterations observed in July 2025, victims receive archives containing a legitimate, signed Microsoft Word 2013 executable alongside a malicious DLL named msvcr100.dll that is sideloaded when the Word executable runs.

The attack leverages Windows’ DLL search order, where the operating system searches for required libraries in the local directory before checking system directories.

Upon execution, the sideloaded DLL initiates a complex multi-stage process designed to evade detection.

The malware first launches a benign decoy document named Tax-Invoice-EV.docx, displaying a fake copyright infringement notice to maintain the illusion of legitimacy while simultaneously serving as an anti-analysis feature that potentially wastes security analysts’ time.

The system then executes a series of encoded commands, beginning with certutil to decode embedded archives: certutil -decode Documents.pdf LX8bzeZTzF5XSONpDC.rar

The decoded archive is subsequently extracted using a legitimate WinRAR executable disguised as images.png: images.png x -pS8SKXaOudHX78CnCmjawuXJAXwNAzVeK -inul -y LX8bzeZTzF5XSONpDC.rar C:UsersPublicLX8bzeZTzF5XSONpDC.

This process extracts a portable Python interpreter renamed as svchost.exe alongside the malicious Python script, effectively camouflaging the malware as legitimate system processes.

To ensure persistence, the malware establishes a Registry Run key using the command: reg add "HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun" /v "C:UsersPublicLX8bzeZTzF5XSONpDCPhotos" /f, guaranteeing execution upon system restart and maintaining long-term access to compromised systems.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches