PXA Stealer
Intelligence Profile
PXA Stealer is an information-stealing malware written in Python, identified by Cisco Talos in an active campaign attributed to a Vietnamese-speaking threat actor (2024). The stealer targets sensitive data such as credentials for online accounts, VPN and FTP clients, financial information, browser cookies, and gaming-related data. Notably, PXA Stealer is capable of decrypting browser master passwords to exfiltrate stored credentials. The campaign leverages heavily obfuscated batch scripts for delivery and execution. The actor behind this operation is linked to the Telegram channel “Mua Bán Scan MINI,” known to host credential trade and cybercrime activity. While there are connections to the CoralRaider adversary, attribution to this group remains unconfirmed. In Q2 2025, PXA Stealer was observed targeting Italy.
Threat Analysis
PXA Stealer is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.
Financially motivated threat actors, such as the operators of PXA Stealer, prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
With high sophistication, the operators of PXA Stealer are capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.