Overview
- PXA Stealer, developed by Vietnamese-speaking cybercriminals, has compromised over 4,000 unique IPs in 62 countries since late 2024.
- Researchers report the Python-based malware sideloads its payload via legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013 to evade detection.
- Campaigns have harvested more than 200,000 unique passwords, hundreds of credit card records and over 4 million browser cookies from saved data, session tokens and crypto wallets.
- Exfiltration occurs through a Telegram-based command-and-control channel supported by Cloudflare Workers, automating data collection and transfer.
- Stolen credentials are fed into subscription-style underground markets like Sherlock, illustrating a shift toward modular, cloud-integrated malware-as-a-service ecosystems.