- A new Python-based malware campaign, named PXA Stealer, is targeting internet users worldwide.
- Researchers link the activity to Vietnamese-speaking cybercriminals using Telegram for automation and data resale.
- The malware has compromised over 4,000 unique IP addresses in 62 countries, stealing passwords, credit card details, and millions of browser cookies.
- PXA Stealer uses advanced anti-detection methods, decoy content, and a hardened command-and-control pipeline.
- Stolen data is sold on criminal markets, fueling large-scale operations in cryptocurrency theft and network breaches.
Cybersecurity experts have reported a global campaign spreading a Python-based information stealer called PXA Stealer. The attacks, active in 2025, are attributed to Vietnamese-speaking cybercriminal groups. These groups use Telegram APIs to automate the resale and reuse of stolen data.
Investigators from Beazley Security and SentinelOne announced that PXA Stealer has hit more than 4,000 unique IP addresses in 62 countries. Affected regions include South Korea, the United States, and several European countries. The malware harvested data such as over 200,000 unique passwords, hundreds of credit card records, and upwards of 4 million browser cookies.
According to security researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal, the malware demonstrates “a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection.” PXA Stealer was first detailed in late 2024 by Cisco Talos, where it was used to target government and educational sectors in Europe and Asia. The malware can steal passwords, browser autofill data, and information from cryptocurrency wallets and banks.
Stolen data is sent through Telegram channels before being sold on underground platforms such as Sherlock, a source of “stealer logs” used by other criminals. These logs allow downstream threat actors to commit cryptocurrency theft or gain unauthorized access to networks for future attacks.
The operation behind PXA Stealer has evolved, increasingly using DLL side-loading and complex staging to evade detection. Attackers present victims with decoy documents—like copyright notices—while the malware runs. The newest version targets Chromium-based browsers and extracts cookies by injecting malicious code into active browser processes, bypassing security measures. It also steals data from VPN clients, cloud tools, network shares, and communication platforms like Discord.
Researchers explain that “PXA Stealer uses the BotIDs (stored as TOKEN_BOT) to establish the link between the main bot and the various ChatID (stored as CHAT_ID)…primarily to host exfiltrated data and provide updates and notifications to the operators.” The campaign continues to develop, with its operators relying on a Telegram-based criminal market to distribute stolen victim data at scale.
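The Telegram bot pattern described above gives defenders a concrete network signature: a stealer that posts logs through the Bot API must call `https://api.telegram.org/bot<TOKEN>/<method>`. The following detector is an added example, not code from the article or from SentinelOne; it assumes a simple space-separated proxy log format (timestamp, client IP, process name, URL) and flags lines where a data-posting Bot API method is called, redacting the bot token so the finding can be shared safely.

```python
import re
from collections import Counter

# Telegram Bot API URLs look like https://api.telegram.org/bot<TOKEN>/<method>.
# The token shape (numeric bot id, colon, secret) is the public Bot API convention.
TG_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Methods needed to upload a file or post a notification into a chat.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed sample proxy log (assumed format: timestamp client_ip process url).
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 10.0.0.5 chrome.exe https://www.example.com/index.html
2025-08-01T10:00:07Z 10.0.0.5 python.exe https://api.telegram.org/bot123456789:AAExampleSecretToken-abc/sendDocument?chat_id=-1001234567890
2025-08-01T10:00:09Z 10.0.0.5 python.exe https://api.telegram.org/bot123456789:AAExampleSecretToken-abc/sendMessage?chat_id=-1001234567890
2025-08-01T10:01:00Z 10.0.0.8 Telegram.exe https://api.telegram.org/bot987654321:AABenignBotToken/getUpdates
"""

def redact_token(token: str) -> str:
    """Keep only the numeric bot id so analysts can pivot on it without exposing the secret."""
    return f"{token.split(':', 1)[0]}:<redacted>"

def find_telegram_exfil(log_text: str) -> list:
    """Return one finding per log line that calls a data-posting Bot API method."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        ts, client, process, url = parts
        m = TG_BOT_RE.search(url)
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        chat = re.search(r"chat_id=(-?\d+)", url)  # the CHAT_ID the bot posts into
        findings.append({
            "time": ts, "client": client, "process": process,
            "method": m.group("method"),
            "bot": redact_token(m.group("token")),
            "chat_id": chat.group(1) if chat else None,
        })
    return findings

def summarize_by_bot(findings: list) -> dict:
    """Count posts per (client, bot id) pair to show which hosts talk to which bot."""
    return dict(Counter((f["client"], f["bot"]) for f in findings))

if __name__ == "__main__":
    hits = find_telegram_exfil(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize_by_bot(hits))
```

The `getUpdates` call from the desktop client is deliberately left unflagged; only the chat-posting methods, which are what an exfiltration channel requires, produce findings.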
For more technical details, see the SentinelOne analysis.