A novel Python-based information stealer, PXA Stealer, distributed through Telegram has reportedly compromised 200,000 unique passwords alongside numerous credit card details.
A sophisticated new cybercriminal campaign has emerged, utilising a Python-based information stealer known as PXA Stealer to orchestrate one of the most extensive data theft operations observed in recent months. The malware, which first surfaced in late 2024, has evolved into a highly evasive multi-stage operation that has successfully compromised over 4,000 unique victims across 62 countries. The stolen data includes more than 200,000 unique passwords, hundreds of credit card records, and over 4 million harvested browser cookies. This campaign represents a significant leap in cybercriminal tradecraft, incorporating advanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline designed to frustrate security analysis and delay detection. The threat actors behind this operation have demonstrated remarkable adaptability, continuously refining their delivery mechanisms and evasion strategies throughout 2025.
Most notably, they have adopted novel sideloading techniques that abuse legitimate signed software such as Haihaisoft PDF Reader and Microsoft Word 2013: the trusted, signed executable is made to load a concealed malicious DLL, and the accompanying archives are embedded and disguised as common file types. The geographic distribution of victims reveals a truly global impact, with South Korea, the United States, the Netherlands, Hungary, and Austria being the most heavily targeted regions. Analysts from SentinelLABS identified the operation as being orchestrated by Vietnamese-speaking cybercriminal circles, which have developed a sophisticated subscription-based underground ecosystem that automates the resale and reuse of stolen credentials through Telegram’s API infrastructure.
What distinguishes this campaign from typical information-stealing operations is its integration with a comprehensive monetisation framework. The stolen data feeds directly into criminal platforms such as Sherlock, where it is normalised, categorised, and made available for purchase by downstream cybercriminals, creating a self-sustaining criminal economy.
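As an added illustration of the sideloading pattern described above (this is not code from the report or from SentinelLABS), the following PowerShell triage check lists DLLs that a signed host process has loaded from its own executable's directory and that are themselves unsigned or invalidly signed. The host process name is an assumption; substitute the binaries of the legitimate applications as they are installed in your environment.

```powershell
# Added example, not from the original report: flag DLL-sideloading candidates.
# A sideloaded DLL sits beside a trusted, signed EXE so that the DLL search order
# picks it over the genuine system copy; such a DLL is usually unsigned.
param(
    [string[]]$HostProcessNames = @('WINWORD')   # assumed name; adjust to your environment
)

foreach ($proc in Get-Process -Name $HostProcessNames -ErrorAction SilentlyContinue) {
    $hostPath = $proc.Path
    if (-not $hostPath) { continue }                      # no access to the process image
    $hostSig = Get-AuthenticodeSignature -FilePath $hostPath
    if ($hostSig.Status -ne 'Valid') { continue }         # only signed hosts matter here
    $hostDir = Split-Path -Parent $hostPath

    try { $modules = $proc.Modules } catch { continue }   # 32/64-bit mismatch or access denied

    foreach ($mod in $modules) {
        $modPath = $mod.FileName
        if (-not $modPath -or ($modPath -ieq $hostPath)) { continue }
        # Only DLLs loaded from the host's own directory fit the sideloading pattern.
        if ((Split-Path -Parent $modPath) -ine $hostDir) { continue }
        $modSig = Get-AuthenticodeSignature -FilePath $modPath
        if ($modSig.Status -ne 'Valid') {
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                HostImage = $hostPath
                Module    = $modPath
                Signature = $modSig.Status               # e.g. NotSigned, HashMismatch
            }
        }
    }
}
```

Run it in an elevated session so module lists are readable; it is a triage aid only, since a DLL signed with a stolen or attacker-controlled certificate would pass the signature check.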