PXA Stealer Distributed via Telegram Harvests 200K Passwords and Credit Card Data
SentinelLABS and Beazley Security have uncovered a sophisticated infostealer campaign deploying the Python-based PXA Stealer, which has rapidly evolved since late 2024 to incorporate advanced anti-analysis techniques, decoy content, and hardened command-and-control (C2) infrastructure.
This operation, linked to Vietnamese-speaking cybercriminal networks, leverages Telegram’s API for automated data exfiltration and monetization, feeding into underground marketplaces like Sherlock for resale.
Analysis of exfiltrated logs reveals over 4,000 unique victim IP addresses across at least 62 countries, with heavy concentrations in South Korea, the United States, the Netherlands, Hungary, and Austria.
The stolen trove includes more than 200,000 unique passwords, hundreds of credit card records, and over 4 million browser cookies, granting threat actors extensive access to victims’ accounts, financial data, and cryptocurrency assets.
By weaponizing legitimate platforms such as Telegram, Cloudflare Workers, and Dropbox, the campaign minimizes operational overhead while enabling real-time data harvesting and downstream criminal activities like account takeovers and crypto theft.
Targets Global Victims
The threat actors have refined their tactics throughout 2025, shifting from initial Windows executable payloads to more evasive Python-based variants.
Early waves in April 2025 involved phishing lures delivering compressed archives containing signed Haihaisoft PDF Reader executables that sideloaded malicious DLLs, which established persistence through Windows Registry keys and fetched additional components from Dropbox.

These chains used certutil to decode embedded RAR archives disguised as malformed PDFs, followed by WinRAR extraction of Python dependencies, including a renamed Python 3.10 interpreter (svchost.exe), to deploy the stealer.
By July, the infection chain matured, incorporating Microsoft Word 2013 binaries renamed as documents to lure victims, sideloaded with msvcr100.dll to launch hidden command prompts.
This stage opens benign decoy documents like Tax-Invoice-EV.docx, featuring fake copyright notices to distract users and analysts, while decoding and extracting encrypted ZIP archives via renamed WinRAR tools (e.g., images.png).
The process delays execution, often causing sandbox timeouts and false negatives, before running obfuscated Python scripts with BOT_ID arguments to enumerate and exfiltrate data.
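The delivery chain described above (certutil decoding a "PDF", a renamed Python interpreter called svchost.exe, WinRAR renamed images.png, a payload launched with a BOT_ID argument) translates into a few process-creation heuristics a defender can run over endpoint telemetry. This is an added example, not code from SentinelLABS, Beazley Security or the campaign; the event schema, the temp paths, the script name main.py and the exact BOT_ID argument form are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event: image path, command line, parent image."""
    image: str
    cmdline: str
    parent: str

def certutil_decode_pdf(e):
    # certutil -decode run against a ".pdf" input: the disguised RAR described above.
    return (e.image.lower().endswith("certutil.exe")
            and re.search(r"-decode\b", e.cmdline, re.I) is not None
            and re.search(r"\.pdf\b", e.cmdline, re.I) is not None)

def svchost_outside_system32(e):
    # The renamed Python interpreter is an svchost.exe in a user-writable path;
    # the genuine binary lives only under System32 / SysWOW64.
    img = e.image.lower()
    return (img.endswith("\\svchost.exe") and
            not img.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")))

def exe_masquerading_as_data(e):
    # A process image that carries an image or document extension (images.png, *.docx).
    return re.search(r"\.(png|jpe?g|gif|docx?|pdf)$", e.image, re.I) is not None

def python_bot_id_argument(e):
    # The stealer script is launched with a BOT_ID argument (argument form assumed).
    return re.search(r"\bBOT_ID\b", e.cmdline) is not None

RULES = [certutil_decode_pdf, svchost_outside_system32,
         exe_masquerading_as_data, python_bot_id_argument]

def evaluate(events):
    """Return (rule name, image path) for every rule that fires on each event."""
    return [(rule.__name__, e.image) for e in events for rule in RULES if rule(e)]

# Constructed sample telemetry modelled on the chain above (not real logs).
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              rf"certutil -decode {TMP}\Invoice.pdf {TMP}\p.rar", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(rf"{TMP}\images.png", "images.png x -pPASS data.zip", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(rf"{TMP}\svchost.exe", "svchost.exe main.py BOT_ID=MRB_NEW_VER_BOT",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),  # benign: must not fire
]
```

Running `evaluate(SAMPLE_EVENTS)` flags the three staged events and leaves the genuine svchost.exe untouched; in practice the rules would be fed from Sysmon Event ID 1 or an EDR process stream rather than the constructed list.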
Sophisticated Payload
PXA Stealer targets a vast array of sensitive data, decrypting passwords, cookies, autofill entries, and tokens from Chromium- and Gecko-based browsers like Chrome, Edge, and Opera variants.
It injects DLLs to bypass browser encryption, such as Chrome’s App-Bound Encryption Key, and harvests files from cryptocurrency wallets (e.g., Exodus, Atomic), VPN clients, cloud utilities, and apps like Discord and Telegram.
Website-specific credentials from financial platforms, including Binance, Coinbase, and PayPal, are prioritized, with data packaged into ZIP archives (e.g., [CC_IPADDRESS]_HOSTNAME.zip) and relayed via Cloudflare Workers to Telegram bots.
Key infrastructure includes Bot Token 7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ and Chat ID -1002698513801, with variants tied to identifiers like ADN_2_NEW_VER_BOT and MRB_NEW_VER_BOT, often featuring Vietnamese-language artifacts.
According to the report, attribution points to operators using paste.rs and 0x0.st for payload hosting, with ties to prior campaigns reported by Cisco Talos.
Victimology data shows sustained activity since October 2024, favoring regions like Israel and Taiwan in some bots, underscoring the campaign’s global reach and automation-driven efficiency.
This escalation highlights a trend where infostealers like PXA integrate with Telegram ecosystems for seamless monetization, challenging defenders with byzantine delivery methods that blend legitimate tools and decoys to evade detection.
As these threats automate resale via services like Sherlock, organizations must prioritize behavioral analytics and infrastructure monitoring to counter such resilient operations.
Indicators of Compromise (IOCs)
Type | Value | Note |
---|---|---|
Domain | paste[.]rs | Code hosting site |
URL | hxxps://paste[.]rs/Plk1y | – |
URL | hxxps://paste[.]rs/5DJ0P | – |
URL | hxxps://paste[.]rs/oaCzj | – |