Overview

• PXA Stealer, developed by Vietnamese-speaking cybercriminals, has compromised over 4,000 unique IPs in 62 countries since late 2024.
• Researchers report the Python-based malware sideloads its payload via legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013 to evade detection.
• Campaigns have harvested more than 200,000 unique passwords, hundreds of credit card records and over 4 million browser cookies from saved data, session tokens and crypto wallets.
• Exfiltration occurs through a Telegram-based command-and-control channel supported by Cloudflare Workers, automating data collection and transfer.
• Stolen credentials are fed into subscription-style underground markets like Sherlock, illustrating a shift toward modular, cloud-integrated malware-as-a-service ecosystems.