PXA Stealer Distributed via Telegram Harvests 200K Passwords and Credit Card Data

SentinelLABS and Beazley Security have uncovered a sophisticated infostealer campaign deploying the Python-based PXA Stealer, which has rapidly evolved since late 2024 to incorporate advanced anti-analysis techniques, decoy content, and hardened command-and-control (C2) infrastructure.

This operation, linked to Vietnamese-speaking cybercriminal networks, leverages Telegram’s API for automated data exfiltration and monetization, feeding into underground marketplaces like Sherlock for resale.

Analysis of exfiltrated logs reveals over 4,000 unique victim IP addresses across at least 62 countries, with heavy concentrations in South Korea, the United States, the Netherlands, Hungary, and Austria.

[Figure: Screenshot of the non-malicious decoy document]

The stolen trove includes more than 200,000 unique passwords, hundreds of credit card records, and over 4 million browser cookies, granting threat actors extensive access to victims’ accounts, financial data, and cryptocurrency assets.

By weaponizing legitimate platforms such as Telegram, Cloudflare Workers, and Dropbox, the campaign minimizes operational overhead while enabling real-time data harvesting and downstream criminal activities like account takeovers and crypto theft.

Targets Global Victims

The threat actors have refined their tactics throughout 2025, shifting from initial Windows executable payloads to more evasive Python-based variants.

Early waves in April 2025 involved phishing lures delivering compressed archives with signed Haihaisoft PDF Reader executables sideloaded via malicious DLLs, which established persistence through Windows Registry keys and fetched additional components from Dropbox.

[Figure: PXA Stealer multi-stage infection chain]

These chains used certutil to decode embedded RAR archives disguised as malformed PDFs, followed by WinRAR extraction of Python dependencies, including a renamed Python 3.10 interpreter (svchost.exe), to deploy the stealer.

By July, the infection chain matured, incorporating Microsoft Word 2013 binaries renamed as documents to lure victims, sideloaded with msvcr100.dll to launch hidden command prompts.

This stage opens benign decoy documents like Tax-Invoice-EV.docx, featuring fake copyright notices to distract users and analysts, while decoding and extracting encrypted ZIP archives via renamed WinRAR tools (e.g., images.png).

The process delays execution, often causing sandbox timeouts and false negatives, before running obfuscated Python scripts with BOT_ID arguments to enumerate and exfiltrate data.
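The chain above relies on files and processes that are not what their names claim: a RAR archive named as a PDF, a WinRAR executable named images.png, and a Python interpreter named svchost.exe launched with a script and a BOT_ID. The following is an added detection example, not code from the report or its authors; the file signatures are standard, while the path and command-line heuristics and the sample inputs are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# File signatures for the containers the chain abuses (constructed table).
MAGIC = {
    "rar": b"Rar!\x1a\x07",        # RAR archive (v4 and v5 share this prefix)
    "pe":  b"MZ",                  # Windows executable, e.g. WinRAR renamed images.png
    "pdf": b"%PDF",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",          # .docx is a ZIP container
}
# Extension -> the signature a file with that extension should carry.
EXPECTED = {".pdf": "pdf", ".png": "png", ".docx": "zip", ".zip": "zip"}

def content_type(data: bytes) -> str:
    """Identify a file by its leading bytes, not by its name."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def masquerade_finding(path: str, data: bytes) -> Optional[str]:
    """Report a file whose extension disagrees with its real content."""
    ext = PureWindowsPath(path).suffix.lower()
    expected = EXPECTED.get(ext)
    actual = content_type(data)
    if expected is None or actual == expected:
        return None
    return f"{path}: named {ext} but content is {actual}"

def process_finding(image: str, cmdline: str) -> Optional[str]:
    """Flag the two process patterns described in the chain (heuristic, assumed)."""
    p = PureWindowsPath(image)
    name, parent = p.name.lower(), str(p.parent).lower()
    # A genuine svchost.exe lives in System32 and never takes a .py script or BOT_ID.
    if name == "svchost.exe" and not parent.endswith(r"\windows\system32"):
        if re.search(r"\.py\b", cmdline, re.I) or "BOT_ID" in cmdline:
            return f"{image}: renamed interpreter posing as svchost ({cmdline})"
    # certutil -decode on something named .pdf is the RAR-in-PDF unpacking step.
    if name == "certutil.exe" and re.search(r"-decode\b.*\.pdf", cmdline, re.I):
        return f"{image}: certutil decoding a .pdf ({cmdline})"
    return None
```

Feed `masquerade_finding` the first bytes of files written to user-writable directories and `process_finding` your process-creation telemetry; either function returning a string is a finding worth triage.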

Sophisticated Payload

PXA Stealer targets a vast array of sensitive data, decrypting passwords, cookies, autofill entries, and tokens from Chromium- and Gecko-based browsers like Chrome, Edge, and Opera variants.

It injects DLLs to bypass browser encryption, such as Chrome’s App-Bound Encryption Key, and harvests files from cryptocurrency wallets (e.g., Exodus, Atomic), VPN clients, cloud utilities, and apps like Discord and Telegram.

Website-specific credentials from financial platforms, including Binance, Coinbase, and PayPal, are prioritized, with data packaged into ZIP archives (e.g., [CC_IPADDRESS]_HOSTNAME.zip) and relayed via Cloudflare Workers to Telegram bots.
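The exfiltration path described here leaves recognisable network artifacts: a ZIP named after the victim's country code, IP and hostname, POSTed to a Cloudflare Workers relay or straight to the Telegram Bot API. The following is an added example, not code from the report, that scores constructed egress-proxy lines against those artifacts; the log format, the `.workers.dev` relay host and the upload-size threshold are assumptions, and the bot token is a placeholder.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed egress-proxy lines (not from the report): METHOD HOST PATH BYTES_OUT.
# The bot token is an obvious placeholder, not the one named in the article.
SAMPLE_LOG = """\
POST api.telegram.org /bot0000000000:PLACEHOLDER_TOKEN/sendDocument 1048576
POST relay-example.workers.dev /up?f=%5BKR_203.0.113.7%5D_DESKTOP-A1B2C3.zip 734003
GET www.example.com /index.html 1200
POST api.telegram.org /bot0000000000:PLACEHOLDER_TOKEN/sendMessage 300
"""

# Telegram Bot API calls look like /bot<id>:<secret>/<method>; sendDocument carries files.
BOT_API = re.compile(r"^/bot\d+:[\w-]+/(?P<method>sendDocument|sendMessage)")
# Archive naming the article describes: [CC_IPADDRESS]_HOSTNAME.zip
LOOT_ZIP = re.compile(r"\[[A-Z]{2}_\d{1,3}(?:\.\d{1,3}){3}\]_[\w-]+\.zip")

def classify(method: str, host: str, path: str, nbytes: int) -> List[str]:
    """Return the reasons a single request resembles PXA-style exfiltration."""
    reasons = []
    path = unquote(path)
    m = BOT_API.match(path)
    if host == "api.telegram.org" and m:
        reasons.append(f"telegram bot api {m['method']}")
        if m["method"] == "sendDocument" and nbytes > 100_000:  # assumed threshold
            reasons.append("large upload to bot")
    if LOOT_ZIP.search(path):
        reasons.append("loot archive name [CC_IP]_HOST.zip")
    if host.endswith(".workers.dev") and method == "POST":
        reasons.append("POST to Cloudflare Workers relay")
    return reasons

def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan proxy lines and collect every request with at least one reason."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        method, host, path, size = parts
        reasons = classify(method, host, path, int(size))
        if reasons:
            findings.append({"host": host, "reasons": reasons})
    return findings
```

A single `sendMessage` is low confidence on its own (many legitimate bots exist); the combination of a large `sendDocument` or a Workers POST with the loot-archive name is what warrants an alert.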

Key infrastructure includes Bot Token 7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ and Chat ID -1002698513801, with variants tied to identifiers like ADN_2_NEW_VER_BOT and MRB_NEW_VER_BOT, often featuring Vietnamese-language artifacts.

According to the report, attribution points to operators using paste.rs and 0x0.st for payload hosting, with ties to prior campaigns reported by Cisco Talos.

Victimology data shows sustained activity since October 2024, with some bots favoring regions such as Israel and Taiwan, underscoring the campaign’s global reach and automation-driven efficiency.

This escalation highlights a trend where infostealers like PXA integrate with Telegram ecosystems for seamless monetization, challenging defenders with byzantine delivery methods that blend legitimate tools and decoys to evade detection.

As these threats automate resale via services like Sherlock, organizations must prioritize behavioral analytics and infrastructure monitoring to counter such resilient operations.

Indicators of Compromise (IOCs)

