Stratos Ally

The Emerging Threat of PXA Stealer and Its Telegram-Integrated Network


StratosAlly


A new series of attacks distributing the Python-based malware PXA Stealer is drawing attention from the cybersecurity community. According to research published by Beazley Security and SentinelOne, the operation is linked to Vietnamese-speaking actors running a Telegram-integrated underground ecosystem that monetizes stolen data through automated resale and reuse mechanisms. Multiple operational details point toward a Vietnamese-language nexus behind these threat actors, including Vietnamese comments in the code, Telegram accounts displaying Vietnam’s symbols, Vietnamese usernames on underground forums, and bot IDs like “Duc Anh” (meaning “brother”).

Researchers note that this campaign stands out for its use of benign document decoys, sideloading of legitimate signed applications, and staggered payload execution, which together complicate detection and analysis. The operation has impacted victims worldwide, enabling the theft of large volumes of credentials and sensitive data. What sets it apart further is a highly automated pipeline: stolen information is funneled through Telegram channels, streamlining resale and monetization for the attackers.

Since late 2024, attackers using this malware have compromised over 4,000 IP addresses in 60+ countries. Victims include users and systems in South Korea, the U.S., Austria, Hungary, and the Netherlands. The attackers are not just taking passwords: logs show that over 200,000 unique credentials, credit card data, and a huge volume of browser cookies were also pulled.

Cisco Talos first spotted PXA Stealer in November 2024. This malware doesn’t just grab browser passwords; it targets autofill data, crypto wallets, VPN profiles, Discord tokens, and certain cloud service files stored locally. It does not sweep every file; it goes after the high-value items. Stolen data is sent out using Telegram’s API and then sold on platforms like Sherlock, a well-known marketplace for these types of stolen logs. From there, attackers use the information for crypto theft and corporate breaches. The malware’s focus on tokens rather than passwords, and its use of Telegram’s API for stealthy exfiltration, show how it’s built for efficient, targeted strikes without unnecessary noise.

In 2025, the malware’s delivery has evolved beyond simple droppers. Attackers now start with trusted, signed applications bundled with malicious DLLs. These DLLs act as loaders in a multi-stage process that quietly prepares the system and avoids detection. Victims often see a decoy file, like a fake copyright notice, while the infection continues in the background.

The updated stealer targets Chromium browsers by injecting a DLL to bypass encryption and extract session cookies and sensitive data. It also retrieves information from VPNs, cloud CLI tools, file shares, and Discord. Once stolen, data is automatically sent to Telegram channels using a specific bot and chat IDs. Operators get instant notifications through automated bots, enabling rapid but not constant human review.
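The exfiltration path described above, a bot token plus chat ID talking to Telegram’s Bot API, leaves a recognizable footprint in outbound web-proxy logs: POST requests to api.telegram.org with a path of the form /bot&lt;id&gt;:&lt;token&gt;/&lt;method&gt;. The script below is an added illustration for defenders, not code from the researchers or from the malware; the log format, addresses, hostnames and the bot token are constructed placeholders, and the byte threshold is an assumed tuning value. It parses constructed proxy lines, picks out Bot API calls, drops the token (a credential that should not be copied into tickets), and raises an alert for any client that pushes large uploads through a bot.

```python
"""Flag Telegram Bot API uploads in web-proxy logs (constructed example, not PXA Stealer code)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url> <status> <request_bytes>".
# Addresses, hosts and the bot token are placeholders, not observed indicators.
SAMPLE_PROXY_LOG = """\
2025-09-02T10:14:03Z 10.0.4.21 GET https://www.example.com/index.html 200 1532
2025-09-02T10:14:09Z 10.0.4.21 POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendDocument 200 5832190
2025-09-02T10:14:11Z 10.0.4.21 POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage 200 812
2025-09-02T10:15:40Z 10.0.4.37 GET https://telegram.org/ 200 40211
2025-09-02T10:16:02Z 10.0.4.21 POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendDocument 200 7120033
"""

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<bot_id>:<token>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")
# Methods that carry file payloads; sendMessage alone is only text.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Split one constructed log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, nbytes = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def telegram_bot_call(entry):
    """Return (bot_id, api_method) if the entry is a Telegram Bot API call, else None."""
    u = urlparse(entry["url"])
    if u.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    bot_id, _token, api_method = m.groups()  # token deliberately discarded: it is a credential
    return bot_id, api_method


def find_telegram_bot_calls(lines):
    """Reduce raw log lines to Bot API events (client, bot id, method, request bytes)."""
    events = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = telegram_bot_call(entry)
        if hit is None:
            continue
        bot_id, api_method = hit
        events.append({"ts": entry["ts"], "client": entry["client"], "bot_id": bot_id,
                       "api_method": api_method, "bytes": entry["bytes"]})
    return events


def summarize_by_client(events):
    """Aggregate Bot API events per source host: call count, uploads, upload volume, bot ids."""
    summary = defaultdict(lambda: {"calls": 0, "uploads": 0, "upload_bytes": 0, "bot_ids": set()})
    for e in events:
        s = summary[e["client"]]
        s["calls"] += 1
        s["bot_ids"].add(e["bot_id"])
        if e["api_method"] in UPLOAD_METHODS:
            s["uploads"] += 1
            s["upload_bytes"] += e["bytes"]
    return dict(summary)


def alert_clients(summary, min_upload_bytes=1_000_000):
    """Hosts that uploaded at least min_upload_bytes through a Telegram bot (assumed threshold)."""
    return sorted(c for c, s in summary.items()
                  if s["uploads"] > 0 and s["upload_bytes"] >= min_upload_bytes)


if __name__ == "__main__":
    events = find_telegram_bot_calls(SAMPLE_PROXY_LOG.splitlines())
    summary = summarize_by_client(events)
    for client in alert_clients(summary):
        s = summary[client]
        print(f"{client}: {s['uploads']} upload(s), {s['upload_bytes']} bytes "
              f"to bot id(s) {sorted(s['bot_ids'])}")
```

In the constructed sample only 10.0.4.21 is flagged: its two sendDocument calls total about 12.9 MB, while the plain browse to telegram.org from 10.0.4.37 is ignored because it never touches the Bot API host. In a real environment the threshold and an allow-list of hosts with a business reason to run Telegram bots would be tuned to the fleet.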

This campaign employs anti-analysis measures, like checking for sandboxes or debugging tools, and altering behavior to stay hidden. The stolen data flows through platforms like Sherlock, where buyers pay to access logs either by searching or through limited-time access, rather than through straightforward subscriptions. This carefully layered and automated setup makes the operation both stealthy and efficient.
