Cybersecurity experts have identified a new wave of campaigns spreading a Python-based information stealer known as PXA Stealer.
According to a joint report by Beazley Security and SentinelOne, the malicious activity is believed to be carried out by Vietnamese-speaking cybercriminals. These actors reportedly monetize the stolen data through a subscription-based underground network that leverages Telegram APIs to automate resale and reuse.
Researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal explained that this development demonstrates a significant advancement in tactics. It includes improved anti-analysis measures, the use of harmless decoy content, and a more secure command-and-control structure that complicates detection efforts. The campaigns have impacted over 4,000 unique IP addresses across 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria. Stolen data includes more than 200,000 passwords, hundreds of credit card details, and over 4 million browser cookies.
Cisco Talos first documented PXA Stealer in November 2024, linking it to attacks on government and educational institutions in Europe and Asia. The malware is capable of collecting passwords, browser autofill data, and information from cryptocurrency wallets and financial accounts.
Using Telegram for data exfiltration, the malware feeds stolen information into criminal platforms like Sherlock, which sells stealer logs. This allows other cybercriminals to buy the data for cryptocurrency theft or to breach organizations, further supporting a growing cybercrime network.
The 2025 campaigns show continued evolution, with threat actors employing DLL side-loading and complex staging methods to avoid detection. A malicious DLL executes the infection process and presents a decoy document, such as a copyright notice, to distract the victim. The updated stealer can extract cookies from Chromium-based browsers by injecting a DLL into active sessions to bypass encryption protections. It also collects data from VPN tools, cloud command-line utilities, file-sharing services, and apps like Discord.
The researchers noted that PXA Stealer uses BotIDs, stored as TOKEN_BOT, to connect the main bot to various ChatIDs, stored as CHAT_ID. These ChatIDs are Telegram channels used to store stolen data and send updates to operators.
This malware has evolved into a complex, evasive operation led by Vietnamese-speaking cybercriminals. It appears to be part of a larger organized Telegram-based marketplace dealing in stolen data.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
