SentinelLABS and Beazley Security uncovered a large-scale infostealer campaign leveraging the Python-based PXA Stealer, involving sophisticated deployment and evasion techniques to steal sensitive data from over 4,000 victims worldwide. The threat actors, linked to Vietnamese-speaking cybercriminal groups, monetize the stolen data through Telegram-based underground marketplaces, utilizing legitimate infrastructure to automate exfiltration and resale. #PXAStealer #Telegram #HaihaisoftSideloading
Keypoints
- Discovered a rapidly evolving infostealer campaign using the Python-based PXA Stealer active since late 2024, targeting victims in at least 62 countries including South Korea, the US, and the Netherlands.
- The threat actors employ advanced sideloading techniques involving legitimate signed software like Haihaisoft PDF Reader and Microsoft Word 2013 to execute malicious DLLs and Python payloads.
- PXA Stealer exfiltrates a variety of sensitive data such as passwords, credit card records, browser cookies, cryptocurrency wallet data, and app configurations via Telegram channels and Cloudflare Workers.
- The campaign uses decoy non-malicious documents and layered obfuscation to delay detection and mislead security analysts and automated defenses.
- The stolen data is monetized through a subscription-based underground marketplace integrated with Telegram bots and channels, with individual bot IDs corresponding to different geographic distributions of victims.
- Multiple Telegram Bot Tokens and Chat IDs are used for data exfiltration, notifications, and log management, all transmitted over encrypted HTTPS connections to evade detection.
- Indicators of Compromise include numerous file hashes related to droppers, side-loaded DLLs, Python stealer scripts, and infrastructure domains such as paste[.]rs, 0x0[.]st, and a malicious Cloudflare Worker domain.
MITRE Techniques
- [T1071] Application Layer Protocol – PXA Stealer uses HTTPS to exfiltrate stolen data via Telegram API, hiding traffic within legitimate communication channels (‘PXA Stealer transmits data via HTTP POST requests to the Telegram API…via HTTPS’).
- [T1566] Phishing – Initial infection occurs through phishing lures delivering archives containing signed software and malicious payloads (‘users were phished or otherwise lured into downloading a compressed archive containing a signed copy of Haihaisoft PDF Reader and malicious DLL’).
- [T1036] Masquerading – A legitimate Python interpreter is renamed svchost.exe so the stealer process blends in with legitimate system processes (‘the legitimate Python 3.10 interpreter renamed svchost.exe’).
- [T1105] Ingress Tool Transfer – Additional malicious components are downloaded from external sources like Dropbox and paste[.]rs (‘retrieving additional malicious components…hosted remotely on Dropbox’; ‘download URL hosting another payload on paste[.]rs’).
- [T1055] Process Injection – PXA Stealer injects DLLs into running browser processes to defeat internal encryption schemes (‘infostealer will also attempt to inject a DLL into running instances of browsers such as Chrome…to defeat encryption schemes’).
- [T1574] Hijack Execution Flow – DLL sideloading techniques are used with legitimate signed applications (‘delivery of a large archive containing the signed copy of Haihaisoft PDF Reader alongside the malicious DLL to be sideloaded’).
- [T1112] Modify Registry – Persistence is established via Registry Run keys (‘set a Registry Run key to ensure the payload will run each time the computer starts’).
- [T1560] Archive Collected Data – Collected information is packaged into ZIP archives before exfiltration (‘The collected data is packaged into ZIP archives then exfiltrated to a specific Telegram bot’).
Indicators of Compromise
- [File Hash] First-stage droppers – 05a8e10251a29faf31d7da5b9adec4be90816238, 06fcb4adf8ca6201fc9e3ec72d53ca627e6d9532, and over 50 additional hashes.
- [File Hash] Python stealer scripts – 1aa5a0e7bfb995fc2f3ba0e54b59e7877b5d8fd3, 734738e7c3b9fef0fd674ea2bb8d7f3ffc80cd91, ba56a3c404d1b4ed4c57a8240e7b53c42970a4b2, and 4 more.
- [File Hash] Side-loaded DLL – 3d38abc7786a1b01e06cc46a8c660f48849b2b5f.
- [Domain] Malicious infrastructure – paste[.]rs (code hosting), 0x0[.]st (code hosting), lp2tpju9yrz2fklj.lone-none-1807[.]workers[.]dev (Cloudflare Worker used for exfiltration).
- [URL] Python payload download URLs – hxxps://0x0[.]st/8nyT.py, hxxps://0x0[.]st/8dxc.py, hxxps://paste[.]rs/yd2sV, and similar obfuscated Python script URLs.
- [Telegram] Bot Token and Chat ID – Bot Token: 7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ; Chat ID: -1002698513801 used for data exfiltration.
- [File Name] Decoy and malicious files – Tax-Invoice-EV.docx (benign decoy), msvcr100.dll (malicious DLL), Documents.pdf (encrypted archive), images.png (WinRAR executable masquerade).
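As an added defender-side example (not code from the SentinelLABS/Beazley report), the script below applies two of the observations above to constructed telemetry: it flags an svchost.exe started from outside a Windows system directory (the renamed Python interpreter under T1036) and flags web-proxy events that call the Telegram Bot API (T1071) or touch the infrastructure domains listed above. The key=value log format, the sample events and the bot token inside them are constructed; the api.telegram.org host and the bot<id>:<token> URL shape are the standard Telegram Bot API layout, not values taken from this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the report), key=value events; the bot token is a placeholder.
SAMPLE_LOGS = [
    'type=process image=C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe cmdline="svchost.exe stage2.py" parent=WINWORD.EXE',
    'type=process image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs" parent=services.exe',
    'type=proxy method=POST url=https://api.telegram.org/bot1234567890:AAExample-Placeholder_Token/sendDocument bytes=184320',
    'type=proxy method=GET url=https://paste.rs/yd2sV bytes=9200',
    'type=proxy method=GET url=https://0x0.st/8nyT.py bytes=7100',
    'type=proxy method=POST url=https://lp2tpju9yrz2fklj.lone-none-1807.workers.dev/upload bytes=65536',
    'type=proxy method=GET url=https://www.example.com/ bytes=512',
]
# Domains the report names as payload hosting or exfiltration infrastructure.
IOC_DOMAINS = {"paste.rs", "0x0.st", "lp2tpju9yrz2fklj.lone-none-1807.workers.dev"}
# Telegram Bot API calls have the form https://api.telegram.org/bot<id>:<token>/<method>.
TELEGRAM_BOT_CALL = re.compile(r"https://api\.telegram\.org/bot\d+:[\w-]+/send\w+", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_line(line: str) -> dict:
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def check_process(ev: dict) -> "str | None":
    """T1036: svchost.exe started from outside a Windows system directory."""
    image = ev.get("image", "").lower()
    if image.rsplit("\\", 1)[-1] == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
        py = " (given a .py script: renamed Python interpreter?)" if ".py" in ev.get("cmdline", "").lower() else ""
        return f"masquerading: svchost.exe outside a system directory{py}: {image}"
    return None

def check_proxy(ev: dict) -> "str | None":
    """T1071: Telegram Bot API upload, or any contact with the reported domains."""
    url = ev.get("url", "")
    if TELEGRAM_BOT_CALL.search(url):
        return f"possible exfiltration: {ev.get('method', '?')} to the Telegram Bot API"
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_DOMAINS:
        return f"contact with reported PXA infrastructure: {host}"
    return None

def scan(lines: list) -> list:
    """Apply the check matching each event's type and collect the findings."""
    results = []
    for ev in map(parse_line, lines):
        hit = check_process(ev) if ev.get("type") == "process" else check_proxy(ev)
        if hit:
            results.append(hit)
    return results
```

Run against real EDR or proxy exports by replacing SAMPLE_LOGS with lines converted to the same key=value shape; the Telegram rule will also match legitimate bots, so treat it as a lead to triage rather than a verdict.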