Vietnamese Hackers Launch New PXA Stealer Targeting Asia

A Vietnamese-speaking hacking group has been linked to a campaign deploying a new Python-based information stealer called PXA Stealer, which harvests sensitive data from government and educational organizations across Europe and Asia.

This malware specializes in extracting login credentials, financial details, browser cookies, VPN and FTP client data, and gaming-related information.

The malware decrypts the browser's master password to recover stored credentials in cleartext, rather than merely copying the encrypted credential store, which makes it effective at harvesting data. Researchers attributed the operation to a Vietnamese-speaking actor on the basis of Vietnamese-language comments embedded in the code and a hard-coded Telegram account named “Lone None”, whose profile uses symbols associated with Vietnam, such as the national flag and the emblem of the Ministry of Public Security.

The attackers reportedly use Telegram groups to sell stolen credentials for platforms such as Facebook and Zalo, as well as SIM cards. Some of these activities overlap with CoralRaider, another threat actor active on Vietnamese-language Telegram channels.

While their exact relationship remains unclear, both groups appear to use similar automated tools for managing stolen accounts, including batch email creation and cookie modification utilities.

These tools are often shared or sold online via websites and YouTube tutorials that provide step-by-step instructions for their use. Such platforms actively market these utilities, making them accessible to a wider audience.

The delivery chain for PXA Stealer typically begins with a phishing email carrying a ZIP attachment. The archive contains a Rust-based loader, several Windows batch scripts, and a decoy PDF. When the loader is executed, it runs the batch scripts, which attempt to disable installed antivirus products, open the decoy document (such as a Glassdoor job application form) so the victim sees something plausible, and then drop and launch the stealer.
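The attachment bundle described above (executable loader, batch scripts and a decoy document in one ZIP) is easy to triage at the mail gateway before anything runs. The following is an added example, not code from the original article or from any vendor's product: it inspects an archive in memory, classifies members by extension and PE magic, scans batch scripts for a few illustrative AV-tampering commands, and only flags the archive when all three components appear together. The sample archives it builds are constructed for the demonstration and are not real malware.

```python
"""Triage an e-mail ZIP attachment for the loader + batch script + decoy bundle.

Added example: heuristics only; a hit is a reason to detonate the file in a
sandbox, not a verdict on its own.
"""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Substrings that, inside a batch/PowerShell script, point at AV tampering.
# Illustrative list, not exhaustive; extend it from your own detections.
AV_TAMPER_MARKERS = (
    b"set-mppreference -disablerealtimemonitoring",
    b"add-mppreference -exclusionpath",
    b"taskkill",
    b"sc stop windefend",
)


def _ext(name: str) -> str:
    """Lower-cased final extension of a path inside the archive ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def triage_zip(data: bytes) -> dict:
    """Classify every member of the archive and return a verdict dict."""
    findings = {
        "executables": [], "scripts": [], "decoys": [],
        "disguised_executables": [], "av_tamper_scripts": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
                rest = fh.read(4096) if ext in SCRIPT_EXTS else b""
            is_pe = head == b"MZ"  # PE magic, checked regardless of extension
            if is_pe and ext not in EXECUTABLE_EXTS:
                findings["disguised_executables"].append(info.filename)
            if is_pe or ext in EXECUTABLE_EXTS:
                findings["executables"].append(info.filename)
            elif ext in SCRIPT_EXTS:
                findings["scripts"].append(info.filename)
                body = (head + rest).lower()
                if any(marker in body for marker in AV_TAMPER_MARKERS):
                    findings["av_tamper_scripts"].append(info.filename)
            elif ext in DECOY_EXTS:
                findings["decoys"].append(info.filename)
    # The described bundle is all three together; any one alone is common in benign mail.
    findings["suspicious"] = bool(
        findings["executables"] and findings["scripts"] and findings["decoys"]
    )
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the described bundle (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Glassdoor_Job_Application.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("Job_Application_Form.pdf.exe", b"MZ" + b"\x00" * 62)  # stand-in for the loader
        zf.writestr(
            "install.bat",
            b"@echo off\r\n"
            b'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"\r\n'
            b'start "" Glassdoor_Job_Application.pdf\r\n',
        )
        zf.writestr("notes.txt", b"plain text, ignored by the heuristics\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with only documents, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n")
        zf.writestr("cover_letter.docx", b"PK\x03\x04")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = triage_zip(build_sample_zip())
    print("suspicious:", verdict["suspicious"])
    for key, names in verdict.items():
        if isinstance(names, list) and names:
            print(f"  {key}: {names}")
```

The PE-magic check matters more than the extension list: a loader renamed to `.pdf` still starts with `MZ`, and a double extension like `Form.pdf.exe` is resolved to `.exe` by taking only the final suffix.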

A distinctive feature of PXA Stealer is its focus on Facebook cookies, which it replays to authenticate as the victim without needing the password. With a valid session in hand, the malware queries Facebook Ads Manager and the Graph API to extract further details about the account and its advertising activity, in line with a recurring pattern among Vietnamese cybercriminals of targeting business and advertising accounts.

This disclosure follows reports of a similar campaign involving another stealer called StrelaStealer, active since mid-2023. Delivered through phishing emails disguised as genuine invoice notifications, it has primarily targeted organizations in Europe and harvests email credentials.

Other malware families, such as RECORDSTEALER and Rhadamanthys, also continue to evolve despite global efforts to disrupt them, while newcomers like Amnesia Stealer and Glove Stealer emerge with advanced evasion techniques.

To counter the growing threat of information-stealing malware, organizations must adopt robust security practices. These include enforcing multi-factor authentication (MFA) on accounts, keeping software up to date, and training employees to recognize phishing. Note that MFA alone does not stop a stealer that replays stolen session cookies, since the session was already authenticated; short session lifetimes and revoking sessions after a suspected compromise close that gap.

Network administrators should monitor for unusual activity, such as non-browser processes calling web APIs or unexpectedly large outbound data transfers, to identify a compromise early. Endpoint and network detection systems can also block malicious payloads like PXA Stealer before they gain a foothold.
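The Facebook session-replay behaviour and the monitoring advice above both reduce to the same telemetry question: which process on the host is talking to which service, and how much is it sending? The following is an added example, not code from the original article or from any security product. It runs three rules over constructed proxy/EDR log lines: Facebook API or Ads Manager hosts contacted by a process that is not a browser, Telegram's bot API contacted by something other than a Telegram client (an assumption for this example that a hard-coded Telegram account implies Telegram is used as a channel; the article does not state how exfiltration happens), and bulk uploads from a non-browser process to a host that is not on an allowlist. The log format, hostnames, process names and byte counts are all constructed.

```python
"""Flag stealer-like network behaviour in constructed proxy/EDR telemetry.

Added example. Rules are deliberately simple so each alert is explainable;
tune the sets and threshold to your own environment.
"""
import csv
import io
from collections import Counter, defaultdict

# Processes expected to talk to Facebook endpoints on a workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Facebook API / Ads Manager hosts the stealer queries with stolen cookies.
FACEBOOK_API_HOSTS = {"graph.facebook.com", "adsmanager.facebook.com", "business.facebook.com"}
# Assumption for this example: Telegram's bot API is treated as a possible exfil channel.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
TELEGRAM_CLIENTS = {"telegram.exe"}
# Destinations where large uploads are routine and not worth alerting on (assumed allowlist).
ALLOWLISTED_UPLOAD_HOSTS = {"outlook.office365.com", "teams.microsoft.com"}
BULK_UPLOAD_BYTES = 5 * 1024 * 1024

# Constructed sample telemetry: one workstation with a python.exe process behaving
# like the stealer, plus benign browser and mail-client traffic for contrast.
SAMPLE_LOG = """ts,host,process,dest_host,method,bytes_out
2024-11-15T09:12:01Z,WS-017,chrome.exe,graph.facebook.com,GET,812
2024-11-15T09:12:05Z,WS-017,python.exe,graph.facebook.com,GET,1340
2024-11-15T09:12:06Z,WS-017,python.exe,adsmanager.facebook.com,GET,2210
2024-11-15T09:12:09Z,WS-017,python.exe,api.telegram.org,POST,3200000
2024-11-15T09:12:14Z,WS-017,python.exe,api.telegram.org,POST,2900000
2024-11-15T09:13:00Z,WS-017,outlook.exe,outlook.office365.com,POST,120000
2024-11-15T09:13:30Z,WS-022,msedge.exe,business.facebook.com,GET,4100
"""


def detect_stealer_traffic(log_text: str) -> list:
    """Return a list of alert dicts for the CSV telemetry in log_text."""
    alerts = []
    upload_totals = defaultdict(int)  # (host, process, dest) -> bytes sent
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = row["process"].lower()
        dest = row["dest_host"].lower()
        sent = int(row["bytes_out"])
        base = {"ts": row["ts"], "host": row["host"], "process": proc, "dest": dest}

        # Rule 1: Facebook API / Ads Manager reached by something that is not a browser.
        if dest in FACEBOOK_API_HOSTS and proc not in BROWSERS:
            alerts.append({"rule": "facebook_api_from_non_browser", **base})

        # Rule 2: Telegram bot API reached by neither a browser nor a Telegram client.
        if dest in TELEGRAM_API_HOSTS and proc not in TELEGRAM_CLIENTS and proc not in BROWSERS:
            alerts.append({"rule": "telegram_api_from_unexpected_process", **base})

        # Rule 3 (aggregated below): accumulate outbound bytes per non-browser flow.
        if proc not in BROWSERS and dest not in ALLOWLISTED_UPLOAD_HOSTS:
            upload_totals[(row["host"], proc, dest)] += sent

    for (host, proc, dest), total in upload_totals.items():
        if total >= BULK_UPLOAD_BYTES:
            alerts.append({
                "rule": "bulk_upload_from_non_browser",
                "host": host, "process": proc, "dest": dest, "bytes_out": total,
            })
    return alerts


def summarize(alerts: list) -> Counter:
    """Count alerts per rule, useful for a quick triage view."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect_stealer_traffic(SAMPLE_LOG)
    for rule, n in summarize(found).items():
        print(f"{rule}: {n}")
    for a in found:
        print(a)
```

The per-flow aggregation in rule 3 is what catches chunked exfiltration: neither Telegram POST crosses the 5 MiB threshold alone, but the two together from the same process to the same host do. Rule 1 is the one that maps directly to the behaviour reported for PXA Stealer, since a legitimate user only reaches Ads Manager and the Graph API through a browser.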