HOMETHREATSPXA Stealer
APT / THREAT GROUP💰 FINANCIALHIGH

PXA Stealer

4
aliases
Last seen:Mar 17, 2026

Intelligence Profile

PXA Stealer is an information-stealing malware written in Python, identified by Cisco Talos in an active campaign attributed to a Vietnamese-speaking threat actor (2024). The stealer targets sensitive data such as credentials for online accounts, VPN and FTP clients, financial information, browser cookies, and gaming-related data. Notably, PXA Stealer is capable of decrypting browser master passwords to exfiltrate stored credentials. The campaign leverages heavily obfuscated batch scripts for delivery and execution. The actor behind this operation is linked to the Telegram channel “Mua Bán Scan MINI,” known to host credential trade and cybercrime activity. While there are connections to the CoralRaider adversary, attribution to this group remains unconfirmed. In q2 2025 PXA stealer was observed to target Italy.

Threat Analysis

PXA Stealer is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like PXA Stealer prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, PXA Stealer is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Aliases4

Also Known As

PXAStealerPXA Stealerpy.pxa_stealerPXA

External Intelligence

Malpedia: py.pxa_stealer

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.