Stealthy PXA Stealer Targets Thousands Globally, Exposing Personal Data

In a widespread cyber campaign, the PXA Stealer malware has infected over 4,000 victims across 62 countries, leading to significant data breaches that compromise passwords, credit card information, and browser cookies. The stealthy infostealer is associated with Vietnamese-speaking cybercriminals operating on Telegram marketplaces, where the stolen data is sold.

SentinelLabs and Beazley Security revealed these findings in a recent report emphasizing the escalation of this threat since its emergence in late 2024. The report indicates that personal and financial information is being systematically pilfered from victims, offering criminals easy access to sensitive data including bank accounts and digital identities. According to sources, more than 200,000 unique passwords and hundreds of credit card records have been compromised.

The attackers have demonstrated a capacity for sophistication, utilizing various techniques to evade detection. According to the report by SentinelLabs, the criminals have adopted advanced evasion tactics, including the misuse of legitimate software to sideload malicious DLLs, so that the malicious code runs under cover of a trusted application. Notably, the attackers have refined their methods, particularly in an April attack wave that involved phishing emails delivering a signed copy of Haihaisoft PDF Reader bundled with malicious components.

Subsequent attacks in July further showcased the criminals’ adaptability, employing decoy documents along with legitimate Microsoft Word executables to initiate infection chains. Through these strategies, the PXA Stealer has become a formidable threat, capable of exploiting vulnerabilities in both traditional applications and cryptocurrency infrastructure, targeting wallets and financial service information. This ongoing threat highlights the critical need for improved cybersecurity measures to protect private information against evolving cyber threats.
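As an added illustration (not code from the report or this article), the following Python applies one defender-side check implied by the sideloading technique described above: a signed host executable running from a user-writable directory that loads an unsigned, or differently signed, DLL from its own folder. The log records, field names, signer strings and DLL names are constructed for the example and are not real telemetry or indicators.

```python
import ntpath
# Directories an ordinary user can write to; installed readers and Office rarely run from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed records (field names loosely modelled on Sysmon Event ID 7); signer strings and DLL names are placeholders.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\PDFReader.exe"
    "|Signed=true|Signature=Haihaisoft"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\plugin.dll"
    "|SignedLoaded=false|SignatureLoaded=",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\PDFReader.exe"
    "|Signed=true|Signature=Haihaisoft"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll"
    "|SignedLoaded=true|SignatureLoaded=Microsoft Windows",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Signed=true|Signature=Microsoft Corporation"
    "|ImageLoaded=C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll"
    "|SignedLoaded=true|SignatureLoaded=Microsoft Corporation",
    "Image=C:\\Users\\alice\\Downloads\\report\\WINWORD.EXE"
    "|Signed=true|Signature=Microsoft Corporation"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\report\\plugin.dll"
    "|SignedLoaded=false|SignatureLoaded=",
]

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))

def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def suspect_sideload(ev):
    """Return a reason if a signed host loaded a same-directory DLL it should not trust, else None."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.dirname(exe).lower() != ntpath.dirname(dll).lower():
        return None  # DLL came from elsewhere (e.g. System32): not a sideload
    if not is_user_writable(exe):
        return None  # installed location; outside this heuristic's scope
    if ev["SignedLoaded"] != "true":
        return f"unsigned {ntpath.basename(dll)} loaded by signed {ntpath.basename(exe)}"
    if ev["SignatureLoaded"] != ev["Signature"]:
        return f"signer mismatch: {ev['Signature']} vs {ev['SignatureLoaded']}"
    return None

def scan(lines):
    """Return (exe, dll, reason) for every record that trips the heuristic."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("Signed") == "true" and (reason := suspect_sideload(ev)):
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits
```

Run `scan(SAMPLE_EVENTS)` to see the two records that match: the PDF reader in Temp and the copied Word binary in Downloads each loading an unsigned DLL from their own directory, while the System32 and Program Files loads pass.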