Particle.news

Download on the App Store

PXA Stealer Infects 4,000 Systems Across 62 Countries, Channels Data to Telegram Markets

The infostealer uses DLL sideloading through signed applications with decoy files before exfiltrating credentials via Telegram bots

Image

Overview

  • PXA Stealer, developed by Vietnamese-speaking cybercriminals, has compromised over 4,000 unique IPs in 62 countries since late 2024.
  • Researchers report the Python-based malware sideloads its payload via legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013 to evade detection.
  • Campaigns have harvested more than 200,000 unique passwords, hundreds of credit card records and over 4 million browser cookies from saved data, session tokens and crypto wallets.
  • Exfiltration occurs through a Telegram-based command-and-control channel supported by Cloudflare Workers, automating data collection and transfer.
  • Stolen credentials are fed into subscription-style underground markets like Sherlock, illustrating a shift toward modular, cloud-integrated malware-as-a-service ecosystems.