News: 1754332419


Python-powered malware snags hundreds of credit cards, 200K passwords, and 4M cookies

(2025/08/04)


More than 4,000 victims across 62 countries have been infected by stealthy infostealers pilfering people's passwords, credit card numbers, and browser cookies, which are then sold to other criminals on Telegram-based marketplaces.

South Korea, the US, the Netherlands, Hungary, and Austria have been the hardest-hit countries in this ongoing campaign, according to SentinelLabs and Beazley Security, which detailed their findings in a Monday report and said the final payload delivers the Python-based PXA Stealer.

"Initially surfacing in late 2024, this threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data," [1]wrote SentinelLabs' Jim Walter and Alex Delamotte, along with Beazley Security's Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal.

To date, the data thieves have pilfered more than 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies.

All of this financial and personal info is then sold on stolen-data marketplaces, including Sherlock, thus giving crooks easy access to victims' bank accounts, crypto wallets, VPNs, digital identities, and other data that people would prefer remain private.

Cisco Talos [5]first documented PXA Stealer in November 2024, and throughout 2025, the criminals have continued to improve their delivery and evasion techniques, according to SentinelLabs and Beazley Security.

"Most notably, they've adopted novel sideloading techniques involving legitimate signed software (such as Haihaisoft PDF Reader and Microsoft Word 2013), concealed malicious DLLs, and embedded archives disguised as common file types," the latest report said.

April, July attack waves

During one wave of attacks in April, the miscreants used phishing emails to lure victims into downloading an archive containing the signed copy of Haihaisoft PDF Reader along with the malicious DLL.

The DLL file establishes persistence on the infected machine via the Windows Registry and remotely retrieves further Windows executables from Dropbox to carry out the later stages of the attack.

The April campaign delivered a variety of infostealers including LummaC2 and Rhadamanthys Stealer, and it was during this wave of infections that the researchers first noticed the criminals shifting tactics and using Python-based payloads instead of Windows executables.

Another campaign spotted in July showed the attackers becoming better at flying under the radar with more sophisticated evasion methods, including using non-malicious decoy documents.

This time, the phishing lure contained a legitimate, signed Microsoft Word 2013 executable named to look like a Word document, a malicious DLL that is sideloaded by the Microsoft Word 2013 executable, and later-stage payloads.

Once the user opens the Word executable, Windows loads the malicious DLL that launches a hidden instance of Command Prompt and kicks off the multi-stage infection chain.

It starts with a decoy document — in this case, a fake copyright infringement notice — before unpacking the rest of the archive that contains a Windows Python interpreter, several Python libraries, and an updated version of PXA Stealer that identifies sensitive data from dozens of applications and interfaces before exfiltrating it via Telegram.

This new PXA Stealer variant can steal data from nearly 40 browsers, including Gecko- and Chromium-based browsers, decrypting saved passwords and swiping cookies, stored personally identifiable information (PII), autofill data, and authentication tokens.

It also attempts to inject a DLL into running instances of browsers, including Chrome, targeting Chrome's App-Bound Encryption Key to kill the internal encryption mechanisms.

The stealer targets more than three dozen cryptocurrency-wallet-related browser extensions, including Crypto[.]com, ExodusWeb3, and Magic Eden Wallet, along with users' databases and configuration files for cryptocurrency apps and VPNs, plus website-specific data from Google Ads, Coinbase, Kraken, PayPal, and other financial services.

After pilfering all of this sensitive and financial info, the stealer exfiltrates the stolen goods via HTTP POST requests to the Telegram API, and from there, it's siphoned into other Telegram-based cybercrime forums such as Sherlock.
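The three observable stages described above (a signed host binary sideloading a DLL from the same user-writable folder, that binary spawning cmd.exe, and a non-Telegram process POSTing to the Telegram API) lend themselves to simple telemetry rules. The following is an added example, not code from the SentinelLabs/Beazley report; the event shape, field names and sample events are constructed, loosely modelled on Sysmon-style process, image-load and network events.

```python
# Added example (not from the SentinelLabs/Beazley report): defender-side
# heuristics for the PXA Stealer delivery chain. Event dicts, field names and
# the sample telemetry below are constructed; real EDR schemas will differ.
import ntpath

TELEGRAM_API = "api.telegram.org"
TELEGRAM_CLIENTS = {"telegram.exe"}  # assumption: legitimate desktop client name

def user_writable(path):
    """True when the image sits under a user profile rather than Program Files."""
    p = path.lower()
    return "\\users\\" in p and "\\program files" not in p

def same_dir(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()

def detect(events):
    """Return (rule, detail) tuples for events matching the chain's three stages."""
    findings = []
    for e in events:
        img = e["image"]
        name = ntpath.basename(img).lower()
        # Stage 1: a signed binary running from a user-writable folder loads an
        # unsigned DLL from that same folder (DLL sideloading).
        if (e["kind"] == "image_load" and e.get("signed") and user_writable(img)
                and not e.get("loaded_signed") and same_dir(img, e["loaded"])):
            findings.append(("dll_sideload",
                             f"{name} <- {ntpath.basename(e['loaded']).lower()}"))
        # Stage 2: that signed binary spawns cmd.exe to kick off the chain.
        if (e["kind"] == "process" and name == "cmd.exe"
                and e.get("parent_signed") and user_writable(e["parent"])):
            parent = ntpath.basename(e["parent"]).lower()
            findings.append(("signed_binary_spawns_cmd", f"{parent} -> cmd.exe"))
        # Stage 3: anything other than a Telegram client POSTing to the Bot API.
        if (e["kind"] == "network" and e["dest"].lower() == TELEGRAM_API
                and e["method"].upper() == "POST" and name not in TELEGRAM_CLIENTS):
            findings.append(("telegram_api_post", name))
    return findings

# Constructed sample telemetry: a phishing archive unpacked into Downloads.
SAMPLE_EVENTS = [
    {"kind": "image_load", "image": r"C:\Users\bob\Downloads\Notice\Notice.docx.exe",
     "signed": True, "loaded": r"C:\Users\bob\Downloads\Notice\helper.dll",
     "loaded_signed": False},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\bob\Downloads\Notice\Notice.docx.exe", "parent_signed": True},
    {"kind": "network", "image": r"C:\Users\bob\Downloads\Notice\python\python.exe",
     "dest": "api.telegram.org", "method": "POST"},
    {"kind": "network", "image": r"C:\Users\bob\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "dest": "api.telegram.org", "method": "POST"},  # benign: real client
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The last sample event shows why the allowlist matters: the legitimate Telegram client talks to the same API and must not trip the exfiltration rule.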

"The idea behind leveraging the legitimate Telegram infrastructure is driven by the desire to automate exfiltration and streamline the sales process, which enables actors to deliver data more efficiently to downstream criminals," the threat hunters noted. ®


[1] https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/


[5] https://blog.talosintelligence.com/new-pxa-stealer/




Apparently a well-motivated dev team.

IglooDame

Jeez, this report's cybercriminals come off as so industrious and proactive that I kinda want to reach out and ask them whether their devops structure is waterfall, agile, or some other project development process rather than just my usual hoping that they're caught or otherwise stopped sooner rather than later and thinking about how I can enhance my defenses against their tactics.

Mountain Dew and doughnuts... because breakfast is the most important meal of the day.