PXA infection chain | Image: SentinelLABS
A new report by SentinelLABS and Beazley Security unveils an expansive and rapidly evolving infostealer operation built on a stealthy Python-based malware known as PXA Stealer. Linked to Vietnamese-speaking cybercriminals, the campaign abuses signed legitimate software, layered obfuscation, and legitimate cloud and messaging infrastructure to siphon sensitive data from over 4,000 victims in 62 countries, including South Korea, the U.S., and the Netherlands.
“This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection,” the report states.
Initial vectors include phishing lures delivering compressed archives that pair signed, legitimate executables such as Haihaisoft PDF Reader or Microsoft Word 2013 with malicious DLLs placed alongside them. Windows' DLL search order resolves the DLL from the executable's own directory first, so the trusted, signed host process loads the attacker's code (DLL sideloading) and the payload runs under a legitimate process name.
In the July 2025 campaign, victims were enticed to open a file resembling a standard Word document. Behind the scenes, Windows loaded a malicious msvcr100.dll, spawning a multi-stage attack chain that ran obfuscated scripts, exfiltrated files, and created persistence mechanisms via the Registry.
A striking feature is the use of non-malicious decoy documents, such as a fake copyright infringement notice in Tax-Invoice-EV.docx, which misleads victims and security analysts alike. Simultaneously, the malware runs certutil to decode additional payload components that are stored disguised as .pdf files.
These are then unpacked with a copy of the WinRAR command-line tool renamed to images.png, a step that delays detonation of the final stage by several minutes and produces false negatives in time-limited sandboxes and other automated tools.
The final payload is a Python-based stealer that captures:
- Saved passwords, cookies, autofill data, and authentication tokens
- Cryptocurrency wallet contents and browser extensions
- Data from browsers including Chrome, Edge, Brave, Opera GX, CocCoc, Whale, and more
- Desktop apps like Telegram, Discord, VPNs, file-sharing tools, and FinTech platforms
“The malware targets sensitive information including credentials, financial data, browser data and cookies, and cryptocurrency wallet details,” the researchers report.
The data is then encrypted, zipped, and exfiltrated to Telegram channels via Cloudflare Worker relays, so on the wire the exfiltration looks like ordinary HTTPS to Cloudflare rather than direct contact with the Telegram API. Files are named in a [CC_IPADDRESS]_HOSTNAME.zip format, such as [KR_203.0.113.5]DESKTOP-VICTIM.zip.
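The chain described above (a signed host executable sideloading msvcr100.dll from a user-writable directory, certutil decoding payloads disguised as .pdf, a renamed WinRAR running as images.png, Run-key persistence) and the exfiltration archive naming convention each leave a distinct mark in endpoint telemetry. The following is an added example, not code from the report or from SentinelLABS, of triage logic run over a handful of constructed Sysmon-style events; the event fields, paths, SID and the helper names are assumptions for illustration, and the only indicator taken from the article is the DLL name, the images.png rename and the archive name format.

```python
"""Triage constructed Sysmon-style events for the PXA Stealer tradecraft
described in the article.  Added example; events are constructed, not captured."""
import ipaddress
import re

# Constructed events modelled on Sysmon fields:
# id 1 = process create, 7 = image load, 11 = file create, 13 = registry value set.
EVENTS = [
    {"id": 1, "image": r"C:\Users\victim\Downloads\Tax-Invoice-EV\WINWORD.EXE",
     "cmd": "WINWORD.EXE"},
    {"id": 7, "image": r"C:\Users\victim\Downloads\Tax-Invoice-EV\WINWORD.EXE",
     "loaded": r"C:\Users\victim\Downloads\Tax-Invoice-EV\msvcr100.dll", "dll_signed": False},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Users\victim\AppData\Local\Temp\doc1.pdf "
            r"C:\Users\victim\AppData\Local\Temp\doc1.rar"},
    {"id": 1, "image": r"C:\Users\victim\AppData\Local\Temp\images.png",
     "cmd": r"images.png x -y C:\Users\victim\AppData\Local\Temp\doc1.rar"},
    {"id": 13, "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Users\victim\AppData\Local\Temp\python.exe" '
              r"C:\Users\victim\AppData\Local\Temp\x.py"},
    {"id": 11, "path": r"C:\Users\victim\AppData\Local\Temp\[KR_203.0.113.5]DESKTOP-VICTIM.zip"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},  # benign
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData)\\", re.I)
EXEC_EXT = re.compile(r"\.(exe|dll|com|scr)$", re.I)
SIDELOAD_DLLS = {"msvcr100.dll"}          # DLL name reported in the July 2025 campaign
# [CC_IP]HOSTNAME.zip; the underscore before the hostname is optional because the
# article's format string and its example disagree on it.
EXFIL_NAME = re.compile(r"^\[(?P<cc>[A-Z]{2})_(?P<ip>[\d.]+)\]_?(?P<host>.+)\.zip$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_exfil_name(name):
    """Return {cc, ip, host} for an archive named like the exfil format, else None."""
    m = EXFIL_NAME.match(name)
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])   # reject names where the "IP" is not an address
    except ValueError:
        return None
    return {"cc": m["cc"], "ip": m["ip"], "host": m["host"]}


def triage(events):
    """Return (rule, evidence) findings for the sideloading/decoding/persistence/exfil steps."""
    findings = []
    for e in events:
        if e["id"] == 7:
            # an unsigned DLL with an abused name loaded from a user-writable directory
            dll = basename(e["loaded"]).lower()
            if dll in SIDELOAD_DLLS and USER_WRITABLE.match(e["loaded"]) and not e["dll_signed"]:
                findings.append(("dll_sideload", e["loaded"]))
        elif e["id"] == 1:
            img = basename(e["image"]).lower()
            cmd = e["cmd"].lower()
            if img == "certutil.exe" and "-decode" in cmd and ".pdf" in cmd:
                findings.append(("certutil_decode_disguised_pdf", e["cmd"]))
            if not EXEC_EXT.search(img):       # e.g. images.png running as a process
                findings.append(("non_executable_extension_process", e["image"]))
        elif e["id"] == 13 and "\\currentversion\\run\\" in e["key"].lower():
            if USER_WRITABLE.match(e["value"].lstrip('"')):
                findings.append(("run_key_to_user_writable_path", e["value"]))
        elif e["id"] == 11:
            parsed = parse_exfil_name(basename(e["path"]))
            if parsed:
                findings.append(("exfil_archive_name", parsed))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"{rule}: {evidence}")
```

Each rule is intentionally narrow to the behaviour the report describes; in production the sideloading rule would key on the signed host executable's directory rather than a fixed DLL name, and the archive-name rule is best applied to file-create and upload telemetry from temp directories.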
The infrastructure is automated and commoditized. Each infostealer instance is associated with specific Telegram Bot Tokens and ChatIDs.
Channels like MRB_NEW_VER_BOT, JAMES_NEW_VER_BOT, DA_NEW_VER_BOT, and ADN_2_NEW_VER_BOT serve as data dumps, notification relays, and reset logs for operational management.
Operators also utilize Telegram automation tools like Sherlock1u_BOT, sourced from sites like probiv[.]gg, to sell and search through stolen data.
“This campaign exemplifies a growing trend in which legitimate infrastructure (e.g., Telegram, Cloudflare Workers, Dropbox) is weaponized at scale to both execute and monetize information theft.”
Analysis of exfiltrated data revealed more than 200,000 passwords, hundreds of credit cards, and over 4 million browser cookies stolen from victims across the globe. Notable hotspots include:
- South Korea
- United States
- Netherlands
- Hungary
- Austria
The Adonis bot (ADN_2_NEW_VER_BOT) alone heavily targeted victims in Israel, Taiwan, and the U.S., suggesting region-specific targeting strategies.
“Defenders must adjust to an adversary landscape defined not just by malware, but by infrastructure, automation, and real-time monetization,” the researchers warn.