A sophisticated new cybercriminal campaign has emerged that uses a Python-based information stealer known as PXA Stealer to run some of the most intensive data theft operations observed in recent months.
The malware, which first surfaced in late 2024, has evolved into a highly evasive multi-stage operation that has compromised over 4,000 unique victims across 62 countries; the stolen data includes more than 200,000 unique passwords, hundreds of credit card records, and over 4 million harvested browser cookies.
The campaign represents a significant leap in cybercriminal tradecraft, combining anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline designed to frustrate security analysis and delay detection.
The threat actors behind the operation have shown considerable adaptability, repeatedly refining their delivery mechanisms and evasion methods throughout 2025.
Most notably, they have adopted DLL sideloading techniques that abuse legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013, hidden malicious DLLs, and embedded archives disguised as common file types.
The geographic distribution of victims shows a truly global impact, with South Korea, the United States, the Netherlands, Hungary, and Austria the most heavily targeted countries.
SentinelLABS analysts attribute the operation to Vietnamese-speaking cybercriminal circles who have built a subscription-based underground ecosystem that automates the resale and reuse of stolen credentials through Telegram's API.
Bio and Info fields from Telegram profiles masquerading as bots (Source – SentinelOne)
What distinguishes this campaign from typical information-stealing operations is its integration with a complete monetization framework.
The stolen data feeds directly into criminal platforms such as Sherlock, where it is normalized, categorized, and offered for sale to downstream cybercriminals.
This industrialized approach to data theft lets buyers drain cryptocurrency wallets or acquire access credentials with which to infiltrate organizations for other malicious purposes, creating a self-sustaining criminal economy.
Advanced Infection Mechanism and Persistence Tactics
PXA Stealer uses a particularly elaborate infection chain that begins with phishing lures carrying large compressed archives.
Multi-stage chain of activity (Source – SentinelOne)
In the most recent iterations, observed in July 2025, victims receive archives containing a legitimate, signed Microsoft Word 2013 executable alongside a malicious DLL named msvcr100.dll that is sideloaded when the Word executable runs.
The attack abuses the Windows DLL search order: for a library that is not already loaded and is not on the protected KnownDLLs list, the loader checks the application's own directory before the system directories, so a trojanized msvcr100.dll (normally the Visual C++ 2010 runtime) placed next to the signed executable is loaded instead of the genuine copy, and the attacker's code runs inside a signed, trusted parent process.
Once loaded, the sideloaded DLL starts a multi-stage process designed to evade detection.
The malware first opens a benign decoy document named Tax-Bill-EV.docx, which displays a fake copyright infringement notice to maintain the illusion of legitimacy and, as a side effect, costs analysts time during triage.
It then runs a sequence of commands, beginning with certutil, whose -decode switch Base64-decodes a file, to turn an embedded archive masquerading as a PDF into a RAR archive: certutil -decode Paperwork.pdf LX8bzeZTzF5XSONpDC.rar
The decoded archive is then extracted with a legitimate WinRAR executable that has been renamed pictures.png (Windows runs a PE image regardless of its file extension when it is launched directly, so the picture name only defeats extension-based filtering): pictures.png x -pS8SKXaOudHX78CnCmjawuXJAXwNAzVeK -inul -y LX8bzeZTzF5XSONpDC.rar C:\Users\Public\LX8bzeZTzF5XSONpDC\ Here x extracts with full paths, -p supplies the archive password, -inul suppresses all messages, and -y answers yes to every prompt.
Obfuscated Python code hosted on Paste[.]rs (Source – SentinelOne)
This step extracts a portable Python interpreter renamed svchost.exe, together with the malicious Python script, so that the running stealer looks like a legitimate system process. The genuine svchost.exe only ever runs from C:\Windows\System32 (or SysWOW64), so a process of that name running from C:\Users\Public is a reliable anomaly to hunt for.
To persist, the malware creates a Registry Run value with the command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "C:\Users\Public\LX8bzeZTzF5XSONpDC\Photos" /f, so the stealer is launched again at every logon of the compromised user, maintaining long-term access to the system. Note that an HKCU Run value fires at user logon rather than at boot, and writing it needs no administrative privileges.
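The chain above leaves a consistent telemetry trail: certutil used as a decoder, a PE image executing under a picture-file extension, a svchost.exe outside System32, and a Run value pointing into C:\Users\Public. The Python script below is an added example written for this page, not code from SentinelLABS or from the malware. It runs those four checks over a handful of constructed, Sysmon-style process-creation and registry events (the WINWORD.EXE parent path, the user name alice and the script name stealer.py are assumptions, not details from the report) and only declares the chain when several stages co-occur on one host.

```python
"""Detection rules for the PXA Stealer infection chain (added example, not
SentinelLABS or malware code). Events are constructed, Sysmon-like records;
anything marked 'assumed' is not taken from the report."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    """kind is 'process' (Sysmon EID 1-like) or 'registry' (EID 13-like)."""
    kind: str
    image: str = ""    # full path of the created process
    cmdline: str = ""  # its command line
    parent: str = ""   # parent process image
    target: str = ""   # registry key path (registry events)
    detail: str = ""   # registry value name or data (registry events)

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
DATA_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".docx", ".txt"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
REG_ADD_RE = re.compile(r'^\s*"?reg(\.exe)?"?\s+add\b', re.I)

def _base(path): return ntpath.basename(path).lower()

def _dir(path): return ntpath.dirname(path).lower()

def rule_certutil_decode(e):
    """certutil -decode/-decodehex used as a LOLBin (the 'PDF' becomes a RAR)."""
    return (e.kind == "process" and _base(e.image) == "certutil.exe"
            and re.search(r"\s-decode(hex)?\s", e.cmdline, re.I) is not None)

def rule_pe_with_data_extension(e):
    """A process whose image is named like a picture or document (pictures.png)."""
    return (e.kind == "process"
            and ntpath.splitext(e.image)[1].lower() in DATA_EXTENSIONS)

def rule_system_binary_outside_system_dir(e):
    """svchost.exe (here a renamed Python interpreter) running outside System32."""
    return (e.kind == "process" and _base(e.image) in SYSTEM_BINARIES
            and _dir(e.image) not in SYSTEM_DIRS)

def rule_run_key_to_public(e):
    """Run-key persistence that points into the world-writable C:\\Users\\Public."""
    public = "\\users\\public\\"
    if e.kind == "registry":
        return bool(RUN_KEY_RE.search(e.target)) and public in e.detail.lower()
    if e.kind == "process" and _base(e.image) == "reg.exe":
        cl = e.cmdline.lower()
        return (REG_ADD_RE.search(cl) is not None
                and "\\currentversion\\run" in cl and public in cl)
    return False

RULES = {
    "certutil_decode": rule_certutil_decode,
    "pe_with_data_extension": rule_pe_with_data_extension,
    "system_binary_outside_system_dir": rule_system_binary_outside_system_dir,
    "run_key_to_public": rule_run_key_to_public,
}

def detect(events):
    """Return [(event_index, rule_name), ...] for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]

def chain_detected(events, threshold=3):
    """True when at least `threshold` distinct stages fire on the same host:
    one certutil -decode is noise, three co-occurring stages are the chain."""
    return len({name for _, name in detect(events)}) >= threshold

SAMPLE_EVENTS = [  # constructed telemetry; the first two are benign controls
    Event("process", image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe -k netsvcs", parent=r"C:\Windows\System32\services.exe"),
    Event("process", image=r"C:\Windows\System32\certutil.exe",
          cmdline=r"certutil -hashfile C:\Temp\setup.iso SHA256"),
    Event("process", image=r"C:\Windows\System32\certutil.exe",
          cmdline="certutil -decode Paperwork.pdf LX8bzeZTzF5XSONpDC.rar",
          parent=r"C:\Users\alice\Downloads\Invoice\WINWORD.EXE"),  # parent assumed
    Event("process", image=r"C:\Users\alice\Downloads\Invoice\pictures.png",
          cmdline=r"pictures.png x -pS8SKXaOudHX78CnCmjawuXJAXwNAzVeK -inul -y "
                  r"LX8bzeZTzF5XSONpDC.rar C:\Users\Public\LX8bzeZTzF5XSONpDC" + "\\"),
    Event("process", image=r"C:\Users\Public\LX8bzeZTzF5XSONpDC\svchost.exe",
          cmdline="svchost.exe stealer.py"),  # script name assumed
    Event("process", image=r"C:\Windows\System32\reg.exe",
          cmdline=r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                  r'/v "C:\Users\Public\LX8bzeZTzF5XSONpDC\Photos" /f'),
    Event("registry", target=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          detail=r"C:\Users\Public\LX8bzeZTzF5XSONpDC\Photos"),
]

if __name__ == "__main__":
    for i, name in detect(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Run it directly to print the hits; in practice the Event records would come from a SIEM query over a single host and time window, and the threshold in chain_detected keeps a lone certutil -decode from an administrator's script from paging anyone, while the benign System32 svchost.exe and the certutil -hashfile control events stay silent.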