PXA Stealer Stole 200,000 Passwords and 4 Million Cookies
Security analysts from Beazley Security and SentinelOne have uncovered a campaign distributing an updated version of PXA Stealer, a Python-based info-stealer. The malware has reportedly compromised more than 4,000 victims across 62 countries.
Believed to be operated by Vietnamese-speaking hackers, PXA Stealer is monetized through Telegram, where the stolen data is sold to other cybercriminals. The group even runs a paid subscription model, offering buyers continuous access to fresh stolen data.
“This discovery highlights significant progress in attacker tactics,” the researchers said. “Threat actors are now using advanced anti-analysis methods, decoy content to trick victims, and encrypted command infrastructure to evade detection and hinder investigations.”
Global Reach and Impact
To date, PXA Stealer has been linked to more than 4,000 unique victim IP addresses in countries including South Korea, the United States, the Netherlands, Hungary, and Austria. Stolen assets include:
- More than 200,000 passwords
- Hundreds of credit card records
- Over 4 million browser cookies
Initially discovered by Cisco Talos in November 2024, the malware was originally aimed at government and education sectors across Europe and Asia. PXA Stealer is capable of harvesting:
- Login credentials
- Browser autofill data
- Cryptocurrency wallet keys
- Banking and financial app credentials
Once harvested, the stolen data is transmitted back to the attackers via Telegram bots. It is then resold through underground marketplaces such as Sherlock, where the logs are packaged and sold for cryptocurrency theft and follow-on attacks against organizations.

Evolved Tactics in 2025
In 2025, analysts observed a marked increase in the sophistication of PXA Stealer’s distribution tactics. Operators now employ:
- DLL side-loading, so the malicious code runs under a legitimate signed executable
- Multi-stage loaders to delay detection
- Signed software decoys to gain initial trust
A notable example occurred in April 2025, when attackers sent phishing emails carrying an archive. The archive bundled a legitimate copy of Haihaisoft PDF Reader with a malicious DLL placed alongside it. When the victim launched the reader, it loaded the planted DLL instead of the one it expected; the DLL then started the infection chain, displayed a fake copyright violation notice to keep the victim occupied, and installed the stealer in the background.
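The side-loading layout described above (a signed host executable loading an unsigned DLL from the same user-writable directory) is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the report or from PXA Stealer: the record fields are modelled on Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature), the sample events are constructed, the executable name `pdfreader.exe` is assumed, and the list of commonly hijacked DLL names is an illustrative subset unrelated to this campaign.

```python
import ntpath
from dataclasses import dataclass

# Directories a standard user can write to (illustrative list). A DLL loaded
# from one of these, beside its host executable, is the classic side-loading layout.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")

# Windows DLLs that are often hijacked because many signed programs import them
# by bare name. Illustrative subset; the campaign's actual DLL is not named here.
COMMONLY_HIJACKED = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll",
                     "userenv.dll", "profapi.dll", "dbghelp.dll"}


@dataclass
class ImageLoad:
    """One image-load record, modelled on Sysmon Event ID 7 fields."""
    image: str         # process that performed the load (Sysmon 'Image')
    image_loaded: str  # DLL path (Sysmon 'ImageLoaded')
    signed: bool       # Sysmon 'Signed' == "true"
    signature: str     # Sysmon 'Signature' (signer), "" when unsigned


def sideload_reasons(ev: ImageLoad) -> list:
    """Return the reasons this load looks like side-loading (empty list if none)."""
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()
    reasons = []
    # Heuristic 1: unsigned DLL sitting next to its host in a user-writable directory.
    if exe_dir == dll_dir and not ev.signed and any(m in exe_dir + "\\" for m in USER_WRITABLE):
        reasons.append("unsigned DLL loaded from the host executable's own user-writable directory")
    # Heuristic 2: a DLL that normally lives under C:\Windows was resolved elsewhere.
    if dll_name in COMMONLY_HIJACKED and not dll_dir.startswith("c:\\windows\\"):
        reasons.append(f"{dll_name} normally resides under C:\\Windows but was loaded from {dll_dir}")
    return reasons


def find_sideloads(events):
    """Return (process, dll, reasons) for every event that triggers a heuristic."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


# Constructed sample records; paths and names are assumptions, not campaign IoCs.
SAMPLE_EVENTS = [
    # decoy reader launched from an extracted archive, picks up a planted version.dll
    ImageLoad(r"C:\Users\alice\Downloads\Notice\pdfreader.exe",
              r"C:\Users\alice\Downloads\Notice\version.dll", False, ""),
    # the same reader loading the genuine, signed system copy: benign
    ImageLoad(r"C:\Users\alice\Downloads\Notice\pdfreader.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # unsigned private DLL under Program Files: not user-writable, not flagged
    ImageLoad(r"C:\Program Files\Foo\foo.exe",
              r"C:\Program Files\Foo\helper.dll", False, ""),
    # unsigned co-located DLL under AppData: flagged by heuristic 1 only
    ImageLoad(r"C:\Users\alice\AppData\Local\Bar\bar.exe",
              r"C:\Users\alice\AppData\Local\Bar\bar_core.dll", False, ""),
]

if __name__ == "__main__":
    for image, dll, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

Heuristic 1 on its own fires on plenty of legitimate per-user installers (Electron apps under AppData are a common source), so in a real hunt the unsigned co-located loads are baselined against the host's signer and a second signal, such as heuristic 2 or a short-lived parent from an archive extraction, is required before alerting.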
Technical Capabilities
The updated PXA Stealer can now:
- Extract cookies from Gecko- and Chromium-based browsers by injecting into running browser processes, which sidesteps Chromium's App-Bound Encryption (a Chromium-only protection that ties decryption of the on-disk cookie store to the browser itself, so code running inside the browser process is on the trusted side of it)
- Harvest data from VPN clients, cloud CLI tools, Discord, and network shares
- Maintain stealth through encrypted communication and use of trusted infrastructure
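Because the cookie theft works by injecting into a live browser process rather than reading the cookie database from disk, the observable is a non-browser process opening a browser process with write or thread-creation rights. The following is an added example of that check, not code from the report or the stealer: the records are modelled on Sysmon Event ID 10 (SourceImage, TargetImage, GrantedAccess), the access-right constants are the documented winnt.h values, the browser list is an assumption, and the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Process access rights (winnt.h) that an injector needs on its target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION  = 0x0008
PROCESS_VM_READ       = 0x0010   # deliberately not in INJECT_RIGHTS: AV and Task Manager use it
PROCESS_VM_WRITE      = 0x0020
INJECT_RIGHTS = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
}

# Browser executables worth protecting (assumed list; extend for your estate).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}


@dataclass
class ProcessAccess:
    """One process-access record, modelled on Sysmon Event ID 10 fields."""
    source_image: str   # process that opened the handle (Sysmon 'SourceImage')
    target_image: str   # process that was opened (Sysmon 'TargetImage')
    granted_access: int # access mask actually granted (Sysmon 'GrantedAccess')


def injection_rights(ev: ProcessAccess) -> list:
    """Names of injection-capable rights a non-browser process obtained on a browser."""
    src = ntpath.basename(ev.source_image).lower()
    dst = ntpath.basename(ev.target_image).lower()
    # Browsers open their own renderer/utility processes constantly; ignore those.
    if dst not in BROWSERS or src in BROWSERS:
        return []
    return [name for bit, name in INJECT_RIGHTS.items() if ev.granted_access & bit]


def find_browser_injection(events):
    """Return (source, target, rights) for each suspicious handle open."""
    hits = []
    for ev in events:
        rights = injection_rights(ev)
        if rights:
            hits.append((ev.source_image, ev.target_image, rights))
    return hits


# Constructed sample records; the Python host is plausible for a Python-based stealer
# but the paths are assumptions, not IoCs from the report.
SAMPLE_ACCESS = [
    ProcessAccess(r"C:\Users\alice\AppData\Local\Temp\python.exe",
                  r"C:\Program Files\Google\Chrome\Application\chrome.exe", 0x1FFFFF),
    ProcessAccess(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  r"C:\Program Files\Google\Chrome\Application\chrome.exe", 0x1FFFFF),
    ProcessAccess(r"C:\Windows\System32\Taskmgr.exe",
                  r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 0x1000),
    ProcessAccess(r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
                  r"C:\Program Files\Mozilla Firefox\firefox.exe", PROCESS_VM_READ),
    ProcessAccess(r"C:\Users\alice\AppData\Local\Temp\python.exe",
                  r"C:\Windows\System32\notepad.exe", 0x1FFFFF),
]

if __name__ == "__main__":
    for src, dst, rights in find_browser_injection(SAMPLE_ACCESS):
        print(f"{src} opened {dst} with {', '.join(rights)}")
```

0x1FFFFF is PROCESS_ALL_ACCESS on current Windows and is what a naive `OpenProcess` call requests; tighter injectors ask only for the three bits in INJECT_RIGHTS, which is why the check tests each bit rather than comparing the whole mask.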
The malware also uses Telegram's Bot API for exfiltration and operator communication:
“PXA Stealer uses bot tokens (TOKEN_BOT) to connect to Telegram channels (CHAT_ID),” researchers explained. “Each ChatID links to a different operator-controlled channel. This setup automates data exfiltration and enables streamlined resale, allowing stolen information to be quickly delivered to other actors in the cybercrime ecosystem.”
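The bot-token scheme quoted above leaves a recognisable footprint on the wire: every upload is an HTTPS request to `api.telegram.org/bot<token>/<method>`, where the token is a numeric bot ID, a colon and a 35-character secret, and the destination channel is the `chat_id` parameter. The following is an added example of pulling those fields out of TLS-inspected proxy logs and grouping uploads per bot and channel; it is not code from the report or from PXA Stealer. The log format (timestamp, client IP, process, verb, URL) and every token, chat ID and address in it are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Bot API call shape: https://api.telegram.org/bot<bot_id>:<35-char secret>/<method>
BOT_CALL = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
# Methods that move data out. getMe/getUpdates are read-only and are not counted.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendMediaGroup"}

# Constructed proxy lines (assumed format: ts client process verb url). Token and
# chat IDs are invented for the example and are not indicators from the report.
SAMPLE_LOG = """\
2025-06-01T10:01:02Z 10.0.0.12 python.exe POST https://api.telegram.org/bot7123456789:AAF1xQz9LkP0vN3mT8wR2yU5bX7cD4eH6gJ/sendDocument?chat_id=-1001234567890
2025-06-01T10:01:05Z 10.0.0.12 python.exe POST https://api.telegram.org/bot7123456789:AAF1xQz9LkP0vN3mT8wR2yU5bX7cD4eH6gJ/sendMessage?chat_id=-1001234567890
2025-06-01T10:02:11Z 10.0.0.20 chrome.exe GET https://web.telegram.org/a/
2025-06-01T10:03:40Z 10.0.0.31 Telegram.exe POST https://api.telegram.org/bot7123456789:AAF1xQz9LkP0vN3mT8wR2yU5bX7cD4eH6gJ/getMe
2025-06-01T10:04:09Z 10.0.0.45 python.exe POST https://api.telegram.org/bot7123456789:AAF1xQz9LkP0vN3mT8wR2yU5bX7cD4eH6gJ/sendDocument?chat_id=-1009876543210
"""


def parse_line(line: str):
    """Return a dict for a Bot API request, or None for any other line."""
    ts, client, process, verb, url = line.split()
    m = BOT_CALL.match(url)
    if not m:
        return None
    # chat_id may also travel in a form or JSON body; only the query-string form is visible here.
    chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return {
        "ts": ts, "client": client, "process": process, "verb": verb,
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",   # keep it: Telegram abuse reports need the full token
        "method": m["method"],
        "chat_id": chat_id,
    }


def find_bot_exfil(log_text: str) -> list:
    """All Bot API requests that upload data, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec and rec["method"] in UPLOAD_METHODS:
            hits.append(rec)
    return hits


def by_bot(hits) -> Counter:
    """Upload count per (client, bot_id, chat_id): one operator channel per chat_id."""
    return Counter((h["client"], h["bot_id"], h["chat_id"]) for h in hits)


if __name__ == "__main__":
    uploads = find_bot_exfil(SAMPLE_LOG)
    for (client, bot_id, chat_id), n in by_bot(uploads).items():
        print(f"{client} -> bot {bot_id} chat {chat_id}: {n} upload(s)")
```

Without TLS inspection the proxy only sees the SNI `api.telegram.org`, which legitimate bots use as well, so the useful signal is the combination of that host with an unexpected source process (a script interpreter rather than the Telegram client) and a `sendDocument` burst shortly after browser files were read.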