Vietnamese Hackers Use PXA Stealer, Hit 4,000 IPs and Steal 200,000 Passwords Globally

Aug 04, 2025Ravie LakshmananMalware / Browser Security

Cybersecurity researchers are calling attention to a new wave of campaigns distributing a Python-based information stealer called PXA Stealer.

The malicious activity has been assessed to be the work of Vietnamese-speaking cybercriminals who monetize the stolen data through a subscription-based underground ecosystem that automates the resale and reuse via Telegram APIs, according to a joint report published by Beazley Security and SentinelOne and shared with The Hacker News.

“This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection,” security researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal said.

The campaigns have infected over 4,000 unique IP addresses spanning 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria. Data captured via the stealer includes more than 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies.

PXA Stealer was first documented by Cisco Talos in November 2024, attributing it to attacks targeting government and education entities in Europe and Asia. It’s capable of harvesting passwords, browser autofill data, information from cryptocurrency wallets and financial institutions.

Data stolen by the malware using Telegram as an exfiltration channel is fed into criminal platforms like Sherlock, a purveyor of stealer logs, from where downstream threat actors can purchase the information to engage in cryptocurrency theft or infiltrate organizations for follow-on purposes, fueling a cybercriminal ecosystem that runs at scale.

Campaigns distributing the malware in 2025 have witnessed a steady tactical evolution, with the threat actors employing DLL side-loading techniques and elaborate staging layers in an effort to fly under the radar.

The malicious DLL takes care of conducting the rest of the steps in the infection sequence, ultimately paving the way for the deployment of the stealer, but not before taking steps to display a decoy document, such as a copyright infringement notice, to the victim.

The stealer is an updated version boasting capabilities to extract cookies from Chromium-based web browsers by injecting a DLL into running instances with an aim to defeat app-bound encryption safeguards. It also plunders data from VPN clients, cloud command-line interface (CLI) utilities, connected fileshares, and applications like Discord.

“PXA Stealer uses the BotIDs (stored as TOKEN_BOT) to establish the link between the main bot and the various ChatID (stored as CHAT_ID),” the researchers said. “The ChatIDs are Telegram channels with various properties, but they primarily serve to host exfiltrated data and provide updates and notifications to the operators.”

“This threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!