Following the high-profile takedowns of major players like Lumma and RedLine in 2025, CyberProof MDR analysts have identified a “significant surge in PXA Stealer activity targeting global financial institutions during Q1 2026”. Filling the vacuum left by its predecessors, this malware has seen an estimated growth of 8-10% as it aggressively targets sensitive banking and crypto data.
The attack typically begins with an email. Threat actors are demonstrating “high levels of adaptability, utilizing diverse lures ranging from curriculum vitae and Adobe Photoshop installers to tax forms and legal documentation”. These emails contain malicious URLs that lead users to download a malicious ZIP archive, such as one recently observed by researchers named Pumaproject.zip.
Once a user executes the file inside the archive—often deceptively named something like Document.docx.exe—the malware launches a sophisticated multi-stage attack. The PXA Stealer is a master of disguise, utilizing legitimate Windows tools (LOLBins) and renaming its own malicious components to appear benign.
Key stages of the technical “kill chain” include:
- Hidden Directories: The malware creates a hidden folder, such as one named “Dots,” to house its component files.
- Living off the Land: It uses the Windows utility certutil to “decode a file from the ‘Dots’ folder into a new encrypted zip archive that is deceptively named with a PDF file extension”.
- Disguised Interpreters: The malware extracts a portable Python interpreter but renames it to svchost.exe—a common Windows system process—to avoid raising red flags in the Task Manager.
The ultimate goal of the PXA Stealer is total data acquisition. Once the environment is prepared, the payload is “injected into browsers to target user credentials and crypto wallets”.
Beyond browser data, researchers found that the malware even targets active sessions:
“WINWORD.EXE is monitoring user keystrokes using hooking”.
By hooking into the keyboard, the stealer can log every character a user types, ensuring that even if a password isn’t saved in a browser, the attackers can still capture it as it’s entered.
Rather than relying on traditional Command and Control (C2) servers that are easily blocked, PXA Stealer leverages the popular messaging app Telegram. Stolen data—including “browser data, passwords, crypto wallet information and more”—is packaged and exfiltrated through Telegram channels.
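The stages described above leave telemetry that a defender can hunt for: a double-extension executable, certutil invoked with -decode, a process named svchost.exe running outside the Windows system directories, and connections to the Telegram API from a process that has no business making them. The following triage helper is an added example written for this article; it is not CyberProof's code or tooling. It runs over a small set of constructed process-creation and network events modelled on the kill chain in the text. The event fields, the paths under the "Dots" folder, the benign hostname, and the list of processes allowed to reach Telegram are all assumptions to be tuned for a real environment, and every rule here is a hunting lead rather than a verdict (certutil -decode, for instance, has legitimate uses).

```python
import re
from dataclasses import dataclass

# Directories where a genuine svchost.exe lives on Windows.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TELEGRAM_API_HOST = "api.telegram.org"
# Processes for which a Telegram API connection is plausible (assumption: tune per environment).
TELEGRAM_EXPECTED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Lure-style names such as Document.docx.exe: a document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|txt|zip)\.(exe|scr|com|bat)$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str      # full image path as an EDR or Sysmon would log it
    cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    dest_host: str


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return (rule, detail) hits for one process-creation event."""
    hits = []
    name = basename(ev.image)
    if DOUBLE_EXT.search(name):
        hits.append(("double_extension_lure", ev.image))
    if name == "certutil.exe" and "-decode" in ev.cmdline.lower():
        hits.append(("certutil_decode", ev.cmdline))
    # A real svchost.exe is only ever launched from System32 or SysWOW64.
    if name == "svchost.exe" and not ev.image.lower().startswith(SYSTEM_DIRS):
        hits.append(("svchost_outside_system_dir", ev.image))
    return hits


def check_network(ev, processes):
    """Flag Telegram API traffic from any process not on the expected list."""
    if ev.dest_host.lower() != TELEGRAM_API_HOST:
        return []
    proc = processes.get(ev.pid)
    name = basename(proc.image) if proc else "<unknown>"
    if name in TELEGRAM_EXPECTED:
        return []
    return [("telegram_api_from_unexpected_process", f"pid={ev.pid} image={name}")]


def triage(process_events, network_events):
    """Run every rule over the event set and return all hits in order."""
    by_pid = {p.pid: p for p in process_events}
    findings = []
    for p in process_events:
        findings.extend(check_process(p))
    for n in network_events:
        findings.extend(check_network(n, by_pid))
    return findings


# Constructed sample telemetry modelled on the stages described in the article.
SAMPLE_PROCESSES = [
    ProcessEvent(100, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(200, r"C:\Users\alice\Downloads\Pumaproject\Document.docx.exe", "Document.docx.exe"),
    ProcessEvent(201, r"C:\Windows\System32\certutil.exe",
                 r"certutil -decode C:\Users\alice\Dots\blob.txt C:\Users\alice\Dots\archive.pdf"),
    ProcessEvent(202, r"C:\Users\alice\Dots\svchost.exe", r"svchost.exe loader.py"),  # renamed interpreter
    ProcessEvent(300, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
]
SAMPLE_NETWORK = [
    NetworkEvent(202, "api.telegram.org"),
    NetworkEvent(300, "api.telegram.org"),
    NetworkEvent(100, "updates.example.com"),  # constructed benign destination
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_PROCESSES, SAMPLE_NETWORK):
        print(f"{rule}: {detail}")
```

On the sample data the helper raises five findings: the double-extension lure, the certutil decode, the svchost.exe copy running from the Dots folder, and Telegram API connections from both that fake svchost.exe and WINWORD.EXE. The legitimate svchost.exe in System32 and its benign connection produce nothing.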