PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.
Analysis Summary
# Tool/Technique: PXA Stealer
## Overview
PXA Stealer is a Python-based infostealer observed in large-scale campaigns, often used as a final payload. It is part of a sophisticated, multi-stage operation tracked since late 2024, characterized by advanced evasion techniques and an automated monetization pipeline leveraging the Telegram platform.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Inferred from sideloading techniques and use of common Windows software targets like Microsoft Word 2013)
- Capabilities: Data exfiltration (passwords, browser autofill, cryptocurrency wallet/FinTech app data), C2 communication via Telegram API, evasion against analysis tools.
- First Seen: Late 2024
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
* **TA0003 - Persistence**
  * T1547 - Boot or Logon Autostart Execution
    * T1547.001 - Registry Run Keys / Startup Folder (implied by the persistence mechanism noted)
* **TA0005 - Defense Evasion**
  * T1071 - Application Layer Protocol
    * T1071.001 - Web Protocols (use of legitimate services such as Dropbox for hosting)
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel (exfiltration via the Telegram API)
## Functionality
### Core Capabilities
- Steals high-value data including passwords, browser autofill data, cryptocurrency wallet data, and FinTech application data.
- Exfiltrates stolen data to Telegram channels using automated bot networks.
### Advanced Features
- **Evasive Delivery:** Utilizes novel sideloading techniques involving legitimate, signed third-party software (e.g., Haihaisoft PDF Reader, Microsoft Word 2013) to hide malicious DLLs.
- **Staging Layers:** Employs elaborate staging layers to obscure the final payload's purpose and delay detection.
- **Automated Monetization:** Feeds stolen data into an organized, Telegram-based underground ecosystem for automated resale (e.g., integration with platforms like Sherlock).
- **Payload Evolution:** Shifted from Windows executables to Python-based payloads in later stages.
## Indicators of Compromise
- File Hashes: *(None provided in the context)*
- File Names: *(None provided; payloads and droppers vary heavily and are delivered inside archives)*
- Registry Keys: Persistence is established via the Windows Registry (specific keys not detailed).
- Network Indicators:
  - C2/Hosting:
    - te lp2tpju9yrz2fklj[.]lone-none-1807[.]workers[.]dev (Cloudflare Worker)
  - URLs for Payloads/Scripts:
- Behavioral Indicators: Use of signed, legitimate software (Haihaisoft PDF Reader, Microsoft Word 2013) to sideload malicious DLLs; retrieving additional components from Dropbox.
## Associated Threat Actors
- Vietnamese-speaking cybercriminal circles.
## Detection Methods
- Signature-based detection: Likely ineffective, because the payload is continuously updated.
- Behavioral detection: Crucial for catching the initial sideloading stage, in which a legitimate application loads an untrusted DLL, and for monitoring network communication to the Telegram API used for exfiltration.
- YARA rules: *(Not provided in the context)*. Rules should target Python bytecode characteristics or known command-and-control communication patterns.
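The two behavioural signals above (a trusted host application loading an untrusted DLL from an atypical location, and a non-messaging process reaching the Telegram API) as a toy detector over Sysmon-style events. This is an added example, not code from the report or its authors; the host-process names, the Telegram allowlist and the simplified event shapes are assumptions, and the telemetry is constructed.

```python
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Assumed host-process names (not from the report) for Word 2013 and Haihaisoft PDF Reader.
SIDELOAD_HOSTS = {"winword.exe", "hpreader.exe"}
# Directories from which those hosts are expected to load DLLs.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allowlist of processes that may legitimately reach the Telegram API.
TELEGRAM_OK = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
@dataclass
class ImageLoad:           # simplified Sysmon Event ID 7: process `image` mapped `image_loaded`
    image: str
    image_loaded: str
    signed: bool
    sig_valid: bool
@dataclass
class NetworkConnect:      # simplified Sysmon Event ID 3
    image: str
    dest_host: str
    dest_port: int
def check_sideload(ev: ImageLoad) -> str | None:
    # A known sideload host loading a DLL from outside the trusted directories.
    host, dll = ntpath.basename(ev.image).lower(), ev.image_loaded.lower()
    if host not in SIDELOAD_HOSTS or dll.startswith(TRUSTED_DIRS):
        return None
    reasons = ["atypical path"]
    if not (ev.signed and ev.sig_valid):
        reasons.append("unsigned")
    if ntpath.dirname(dll) == ntpath.dirname(ev.image.lower()):
        reasons.append("co-located with host")   # typical archive-extracted layout
    return f"sideload? {host} <- {ev.image_loaded} ({', '.join(reasons)})"
def check_telegram(ev: NetworkConnect) -> str | None:
    # A non-allowlisted process talking to the Telegram API (the exfiltration channel).
    proc = ntpath.basename(ev.image).lower()
    if ev.dest_host.lower() == "api.telegram.org" and proc not in TELEGRAM_OK:
        return f"telegram-api? {proc} -> {ev.dest_host}:{ev.dest_port}"
    return None
def scan(loads: list[ImageLoad], conns: list[NetworkConnect]) -> list[str]:
    alerts = [a for ev in loads if (a := check_sideload(ev))]
    return alerts + [a for ev in conns if (a := check_telegram(ev))]

# Constructed sample telemetry: one suspicious and one benign event of each kind.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\u\Downloads\Invoice\WINWORD.EXE", r"C:\Users\u\Downloads\Invoice\helper.dll", False, False),
    ImageLoad(r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\kernel32.dll", True, True)]
SAMPLE_CONNS = [
    NetworkConnect(r"C:\Users\u\AppData\Local\Temp\python.exe", "api.telegram.org", 443),
    NetworkConnect(r"C:\Program Files\Telegram Desktop\Telegram.exe", "api.telegram.org", 443)]
```

Running `scan(SAMPLE_LOADS, SAMPLE_CONNS)` yields one alert per suspicious event and nothing for the two benign ones; in a real deployment the allowlist and trusted directories would come from your own software inventory.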
## Mitigation Strategies
- **Application Control:** Restrict the execution of unknown or untrusted Python scripts or DLLs, especially those loaded in the context of common applications.
- **Endpoint Hardening:** Implement controls to prevent DLL sideloading if possible, or monitor for applications loading unrelated libraries from atypical locations.
- **Network Filtering:** Where feasible, block or closely scrutinise connections to the Cloudflare Workers and paste-service domains used for payload hosting and C2 communication.
- **User Education:** Train users to be highly skeptical of archives containing software installers or archives containing executable/script content alongside legitimate-looking files.
## Related Tools/Techniques
- Malware observed earlier in, or alongside, the initial campaign stages: LummaC2 Stealer, Rhadamanthys Stealer.
- Weaponized infrastructure: Telegram API, Cloudflare Workers, Dropbox.