Python-based malware drives the mass collection of credit card data, over 200,000 passwords, and approximately 4 million cookies.
In late 2024, a new form of malware known as PXA Stealer made its debut, rapidly evolving into a highly evasive and sophisticated threat targeting a wide range of victim data across the globe [1][2].
Origin and Actors
This malware campaign is attributed to Vietnamese-speaking actors who operate a Telegram-based cybercrime marketplace where stolen data is sold and further monetized [1]. The campaign has persisted through 2025, with continuous enhancements to evasion and delivery techniques [1].
Evasion Techniques
PXA Stealer employs a variety of evasion methods to avoid detection. One such method is DLL sideloading, in which legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013 is used to load malicious DLLs and conceal them within legitimate processes [1].
Another technique is multi-stage delivery, in which embedded archives disguised as common file types delay detection by both automated tools and human analysts [1]. The malware primarily exfiltrates stolen data through Telegram channels using automated bots, relying on legitimate infrastructure such as Telegram, Cloudflare Workers, and Dropbox to reduce operational costs and avoid raising suspicion [1].
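The two behaviours just described, a signed host process loading an unsigned DLL from a user-writable directory and a non-messaging process uploading to the Telegram Bot API, are what a defender would hunt for. The following is an added example, not code from the page or from any vendor report: a small rule set run over constructed Sysmon-style events (field names, paths and the bot token are all made up for illustration).

```python
import re
from urllib.parse import urlparse

# Directories a standard user can write to; an unsigned DLL loaded from one of
# these is the classic sideloading footprint, whatever the hosting process is.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\")
# Telegram Bot API methods used to push files or text through a bot.
BOT_API = re.compile(r"^/bot\d+:[\w-]+/(sendDocument|sendMessage)$")

# Constructed sample telemetry (assumed field names, not a real log export).
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\a\Downloads\invoice\Reader.exe",
     "loaded": r"C:\Users\a\Downloads\invoice\helper.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Users\a\Downloads\invoice\Reader.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "http", "image": r"C:\Users\a\Downloads\invoice\Reader.exe",
     "url": "https://api.telegram.org/bot123456:EXAMPLE-TOKEN/sendDocument"},
    {"type": "http", "image": r"C:\Program Files\Browser\browser.exe",
     "url": "https://web.telegram.org/a/"},
]

def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect(events):
    """Return (rule, process, detail) tuples for events matching either rule."""
    findings = []
    for ev in events:
        if ev["type"] == "image_load":
            if not ev["signed"] and is_user_writable(ev["loaded"]):
                findings.append(("sideload", ev["image"], ev["loaded"]))
        elif ev["type"] == "http":
            u = urlparse(ev["url"])
            if u.hostname == "api.telegram.org" and BOT_API.match(u.path):
                # Report the method only, so the bot token never lands in an alert.
                findings.append(("telegram_bot_exfil", ev["image"], u.path.rsplit("/", 1)[-1]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

Note that the ordinary web.telegram.org browser session and the signed system DLL are left alone; only the unsigned DLL from Downloads and the bot-API upload are raised.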
PXA Stealer also bypasses common defense mechanisms on Linux, making it cross-platform and harder to detect [2].
Impact on Victims
Over 4,000 unique victims across more than 60 countries have been identified, indicating a broad geographical impact [1]. The stolen data includes passwords, browser autofill data, cryptocurrency wallets, and FinTech app credentials, which facilitates downstream cybercriminal activities such as cryptocurrency theft and unauthorized organizational access [1][2].
The widespread theft of high-value personal and financial information places victims at risk of financial loss, identity theft, and further cyberattacks [1][2]. Although no direct attribution links PXA Stealer to specific large-scale incidents, infostealer malware of this type is increasingly associated with follow-on ransomware and deeper network intrusions in various sectors [5].
PXA Stealer decrypts saved passwords and steals cookies, any stored personally identifiable information (PII), autofill data, and authentication tokens from browsers. The new PXA Stealer variant identifies sensitive data in dozens of applications and interfaces before exfiltrating it via Telegram [1].
In summary, PXA Stealer represents a vivid example of modern infostealer malware exploiting legitimate software and communication platforms for stealthy distribution and data theft, underpinning broader cybercrime ecosystems internationally [1].
Databases storing personal and financial information have been targeted by the PXA Stealer malware, whose new form caused widespread concern in 2024 and 2025 [1]. The malware's operators, Vietnamese-speaking cybercriminals, have been selling the stolen data through a Telegram-based marketplace [1].
To avoid detection, PXA Stealer employs evasion methods such as sideloading malicious DLLs into legitimate software like Haihaisoft PDF Reader and Microsoft Word 2013 [1]. It also uses multi-stage delivery, disguising its payloads as common file types, and bypasses defense mechanisms on Linux platforms [2].
These tactics have enabled PXA Stealer to harvest sensitive data such as passwords, browsing data, cryptocurrency wallets, and authentication tokens from victims across more than 60 countries [1]. This stolen information puts victims at risk of financial loss, identity theft, and further cyberattacks [1][2].
As coverage of tech updates, AI, and cybersecurity grows within general news and crime-and-justice reporting, understanding how PXA Stealer operates is crucial for implementing robust security measures and protecting data going forward [6].