Infection chain | Image: CRIL
A sophisticated, financially motivated threat campaign is currently sweeping across professional networks, specifically targeting job seekers on LinkedIn. Attributed with high confidence to a Vietnam-based cybercriminal group, the campaign deploys the PXA Stealer, a multi-stage information stealer designed to harvest everything from browser credentials to cryptocurrency wallets.
The attack has already been detected across India, Bangladesh, the Netherlands, Sweden, and the United States.
The primary danger of this campaign lies in its use of LinkedIn as an initial access vector. Threat actors use compromised accounts to “impersonate legitimate job opportunities” and distribute fraudulent recruitment messages.
What makes this particularly viral is the lateral spread: once a user’s account is compromised, it is used to send the same malicious “Apex Logistics Group” job lures to their own professional connections. As the report notes, “compromising one’s LinkedIn account, especially with many connections (such as recruiters or HR personnel), can lead to an exponentially higher rate of further infection”.
The attack chain is a masterclass in operational sophistication, utilizing trusted platforms to bypass security controls.
- Platform Abuse: Victims are directed to a Google Form, then a shortened URL, and finally a Dropbox-hosted ZIP archive. At the time of discovery, the payload had zero antivirus detections on VirusTotal.
- The 100 MB “Fat” DLL: The malware executes via DLL sideloading using a legitimate Microsoft Word binary (winword.exe). To evade automated scanners that skip large files to save resources, the malicious DLL is “artificially inflated to approximately 100 MB”.
- In-Memory Execution: The final payload “executes entirely in memory, minimizing disk artifacts and complicating forensic detection”.
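The sideloading and file-inflation tricks in the chain above leave a detectable footprint in image-load telemetry: an Office binary running from a user directory, a DLL loaded from beside it, and a DLL far larger than anything Office ships. The following is an added example written for this article, not code from CRIL or the report; the image-load records are constructed, the field names only loosely follow Sysmon Event ID 7 (ImageLoad), and the 50 MiB cut-off and the Office binary list are assumptions.

```python
"""Heuristics over image-load records for the DLL-sideloading stage
described in the article. Added example; records below are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Office hosts commonly abused for sideloading (assumed list; extend as needed).
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Roots where signed Office/Windows binaries are expected to live.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# The report describes a DLL inflated to ~100 MB so scanners skip it;
# 50 MiB is an assumed cut-off, far above any normal Office DLL.
OVERSIZE_BYTES = 50 * 1024 * 1024


@dataclass
class ImageLoad:
    image: str         # process executable path
    image_loaded: str  # module that was mapped into the process
    size_bytes: int    # on-disk size of that module


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def _same_directory(a: str, b: str) -> bool:
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def analyze(rec: ImageLoad) -> List[str]:
    """Return the names of the heuristics that fire for one record."""
    findings: List[str] = []
    exe_name = PureWindowsPath(rec.image).name.lower()
    dll = rec.image_loaded.lower()
    is_dll = dll.endswith(".dll")

    if exe_name in OFFICE_BINARIES:
        # A winword.exe copied out of Program Files is the classic sideload setup.
        if not _under_trusted_root(rec.image):
            findings.append("office-binary-outside-trusted-root")
        # The malicious DLL is dropped next to the copied executable.
        if is_dll and not _under_trusted_root(dll) and _same_directory(rec.image, dll):
            findings.append("dll-sideload-from-app-dir")

    if is_dll and rec.size_bytes >= OVERSIZE_BYTES:
        findings.append("oversized-dll")
    return findings


def scan(records: List[ImageLoad]) -> Dict[str, List[str]]:
    """Map each flagged module path to its findings; clean records are omitted."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        hits = analyze(rec)
        if hits:
            out[rec.image_loaded] = hits
    return out


# Constructed sample events (paths and names are placeholders, not indicators).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\kernel32.dll", 720_000),
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\root\Office16\EXAMPLE_office.dll",
              30 * 1024 * 1024),
    ImageLoad(r"C:\Users\victim\Downloads\job_offer\winword.exe",
              r"C:\Users\victim\Downloads\job_offer\EXAMPLE_sideloaded.dll",
              100 * 1024 * 1024),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(hits))
```

Only the third constructed record trips all three heuristics; a legitimate Office install loading a 30 MiB component from its own directory stays quiet. The size threshold is deliberately conservative, and the "same directory" test is what separates a sideload from an ordinary third-party add-in loaded from elsewhere.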
PXA Stealer is a “vacuum” for sensitive data. Within minutes of execution, it exfiltrates:
- Credentials: Browser-stored passwords, session cookies (allowing MFA bypass), and email client data.
- Financial Assets: Cryptocurrency wallets (including Phantom, MetaMask, and Ledger Live) and hardware wallet artifacts.
- Identity: Two-factor authentication (2FA) tokens and authenticator data.
To further hide its tracks, the malware “dynamically retrieves its C2 infrastructure from an encrypted Telegram channel” and masquerades its traffic as Chinese government infrastructure to confuse analysts.
The malware stays on a system by creating a scheduled task that mimics a “legitimate Microsoft Edge update process,” allowing it to blend in with normal system operations.