Cybersecurity experts are warning about a new wave of cyberattacks involving PXA Stealer, a sophisticated info-stealing malware now spreading rapidly across multiple countries. Originally detected by Cisco Talos researchers, PXA Stealer, written in Python was initially deployed against government agencies and educational institutions in Europe and Asia.
However, its operators, believed to be Vietnamese-speaking cybercriminals, have shifted focus to everyday users in the U.S., South Korea, the Netherlands, Hungary, and Austria.
According to SentinelOne, the campaign has already compromised over 4,000 unique IP addresses in 62 countries. The malware is designed to harvest browser-stored passwords, cookies, credit card information, autofill data, cryptocurrency wallet keys, and credentials from applications like Discord.
Sideloading Tactics to Evade Detection
The attackers are leveraging “sideloading” techniques to bypass antivirus detection.
Victims are lured through phishing sites or tricked into downloading ZIP archives containing a legitimate, signed copy of Haihaisoft PDF Reader alongside a malicious DLL file. Once installed, the DLL ensures persistence via the Windows Registry and downloads additional payloads often hosted on platforms like Dropbox.
When the PDF reader is launched, the malware executes a script that prompts Microsoft Edge to open a booby-trapped PDF file. Although the file triggers an error message instead of displaying content, the infection process is already complete.
In another variation of the campaign, a fake Microsoft Word 2013 executable is sent as an email attachment.
It looks like a standard document but executes a different DLL with the same malicious objective deploying PXA Stealer.
Telegram Used for Data Theft
Once the malware collects the stolen data, it transmits it via Telegram to the attackers, who then sell the information on underground forums and the dark web.
Experts advise extreme caution with unsolicited emails, links, and attachments, even when they appear legitimate. Hovering over links to check their destination and avoiding downloads from unknown senders are essential safety steps. Users are also urged not to store sensitive information such as passwords or credit card details in their web browsers. Instead, dedicated password managers and secure payment methods are recommended.
While antivirus tools remain an important layer of defence, the advanced evasion methods used in this campaign highlight the need for strong user vigilance. With PXA Stealer’s shift from targeting high-profile organisations to everyday users, security professionals warn that more variants of the malware may emerge in future attacks.
