PXA Stealer Detection: Vietnamese Hackers Hit the Public and Education Sectors in Europe and Asia

Hot on the heels of the recent wave of cyber-attacks leveraging a highly evasive Strela Stealer in Central and Southwestern Europe, a new infostealer comes into the spotlight targeting sensitive data within the government and education sectors across Europe and Asia. Defenders have observed an ongoing info-stealing campaign attributed to Vietnamese-speaking adversaries who leverage a novel Python-based malware dubbed PXA Stealer. 

PXA Stealer Detection

According to the Google Cloud Security Forecast for 2025, there is a concerning surge in the sophistication and effectiveness of Info-stealing malware, which is expected to grow in the upcoming year. The ongoing campaign using a new infostealer, PXA Stealer, requires ultra-responsiveness of defenders due to the malware advanced capabilities and a wide attack scope spanning Europe and Asia. SOC Prime Platform for collective cyber defense offers a set of detection algorithms to help defenders thwart cyber-attacks leveraging PXA Stealer. 

All detections are mapped to MITRE ATT&CK®, enriched with relevant cyber threat context, like tailored CTI and actionable metadata, and can be applied across 30+ SIEM, EDR, and Data Lake solutions for cross-platform threat detection. Press Explore Detections to reach the corresponding vendor-agnostic Sigma rules for PXA Stealer detection.

Explore Detections

PXA Stealer Analysis

Cisco Talos researchers have identified a new information-stealing campaign led by Vietnamese-speaking hackers targeting state bodies and education organizations across Europe, including Sweden and Denmark, and Asia. Adversaries leverage a newly uncovered Python-based malware called PXA Stealer, designed to extract sensitive data such as credentials for online accounts, VPN and FTP clients, financial details, browser cookies, and information from gaming applications. The noteworthy PXA Stealer capability is decrypting the victim’s browser master password to extract stored credentials for various online accounts.

While the domain, which hosts malicious scripts and the PXA Stealer, belongs to a Vietnamese SEO service provider, it’s still unclear if attackers compromised it or intentionally used it. However, links to Vietnam are evident through Vietnamese comments within the stealer program and a hard-coded Telegram account called “Lone None,” which features an icon of Vietnam’s national flag and an image of the emblem for Vietnam’s Ministry of Public Security.

According to the investigation, adversaries leveraged a Telegram bot for data exfiltration, with the payload containing Telegram bot tokens and chat IDs under their control. In addition, researchers uncovered the attacker’s activity in the underground Telegram channel “Mua Bán Scan MINI,” where they trade Facebook and Zalo accounts, SIM cards, credentials, and money laundering data. Moreover, adversaries are linked to the “Cú Black Ads – Dropship” underground Telegram channel, promoting tools for managing user accounts, proxy services, and batch account creation. While they appear in the same Telegram group as CoralRaider, their connection to the gang remains uncertain.

Notably, hackers share automated tools in the group for managing multiple accounts, including Hotmail batch creators, email miners, and cookie modification tools. These tools, often bundled with source code for customization, are also sold on sites like aehack[.]com and promoted via a YouTube channel with usage tutorials, showcasing an organized effort to market and instruct users.

The infection flow starts with a phishing email with the ZIP attachment that contains the hidden folder and the malicious Rust loader executable, which are dropped onto the victim’s machine upon extracting an archive. The execution of the Rust loader triggers the batch scripts, which are responsible for opening the lure document, a Glassdoor job application form, while also running PowerShell commands to download and run a payload capable of disabling antivirus programs running on the host, followed by deploying the stealer itself.

PXA Stealer can decrypt the browser master key, which protects sensitive data like passwords and cookies on browsers such as Google Chrome and Chromium-based ones. This enables the attacker to access stored credentials and other browser information. It also extracts user profile paths from browsers like Mozilla Firefox and others via the profiles.ini file to retrieve saved passwords or other data. Additionally, the stealer targets credit card details from the “webappsstore.sqlite” database. 

A key feature of PXA Stealer is its focus on stealing Facebook cookies, using them to authenticate sessions and access Facebook Ads Manager and Graph API for further account and ad-related information. The campaign is also notable for employing advanced obfuscation techniques in the batch scripts, making it more difficult to detect the infection presence. 

With the growing numbers of info-stealing campaigns targeting organizations across diverse multiple business verticals and in different geographical regions, strengthening proactive defense to minimize the risks of data theft is crucial. SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection enables security teams to stay ahead of emerging threats or identify any malware presence in their environment at the earliest attack stages while improving the organization’s cyber resilience.