Full Report
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
Analysis Summary
# Threat Actor: Unknown Vietnamese-Speaking Actor operating PXA Stealer
## Attribution & Identity
The threat actor is described as a Vietnamese-speaking individual or group. Precise attribution is uncertain: the actor has been observed active in the same environment (a Telegram group) as the **CoralRaider** adversary, prompting speculation that they are either CoralRaider or another Vietnamese cybercrime group. The actor uses the Telegram account **"Lone None"**, whose imagery suggests Vietnamese origin (the national flag of Vietnam and the emblem of Vietnam's Ministry of Public Security). The actor also sells credentials and tools in the Telegram channel **"Mua Bán Scan MINI"**.
## Activity Summary
Cisco Talos discovered a new information stealing campaign utilizing the malware **PXA Stealer**. The campaign specifically targets government organizations in European countries (Sweden, Denmark) and the education sector in India. The actor appears highly organized, marketing their tools (including source code) on various platforms and operating an underground economy selling stolen data and access.
## Tactics, Techniques & Procedures
- Custom Python malware used for credential harvesting (**PXA Stealer**).
- Use of complex obfuscation techniques on batch scripts.
- Capability to decrypt victims' browser master passwords to steal stored credentials.
- Exfiltration of data via a **Telegram bot**.
- Hosting malicious payloads on compromised or rented infrastructure via a Vietnamese SEO service provider domain.
- Distribution and sale of auxiliary malware tools (e.g., Hotmail batch creation tool, email mining tool).
- Activation mechanisms for sold tools, requiring a unique key sent to the administrator.
## Targeting
- **Sectors:** Government organizations, Education sector.
- **Geography:** Europe (specifically Sweden and Denmark), Asia (specifically India).
- **Victims:** Government organizations and educational entities.
## Tools & Infrastructure
- **Malware families used:** PXA Stealer.
- **Infrastructure (C2, domains, IPs):**
- Malicious scripts and stealer hosted on: `tvdseo[.]com` (in directories: `/file`, `/file/PXA/`, `/file/STC/`, `/file/Adonis/`).
- Data exfiltration via **Telegram Bot**.
- Attacker Telegram Bot Tokens: `7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4`, `7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs`.
- Other distribution platform for tools: `aehack[.]com`.
- **Associated Groups/Channels:** Telegram channel "Mua Bán Scan MINI", the Telegram group where CoralRaider operates, Telegram channel "Cú Black Ads – Dropship".
## Implications
This actor presents a significant threat because of their focus on high-value government and education targets, combined with the capabilities of PXA Stealer (including decryption of browser master passwords). Furthermore, the actor's organized criminal enterprise (selling source code, offering activation keys, and trading on underground marketplaces) indicates a motivated and technically capable cybercrime entity whose interests may overlap with those of groups like CoralRaider. They are actively monetizing their access and building tools that let others do the same.
## Mitigations
- Implement Multi-Factor Authentication (MFA) solutions like Cisco Duo to protect access, even if credentials are stolen.
- Monitor and scan for the detection signatures associated with PXA Stealer (as listed by ClamAV).
- Review network traffic for unusual data egress directed towards Telegram endpoints.
- Harden browser security configurations, especially regarding the storage of master passwords.
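The exfiltration and hosting indicators listed under Tools & Infrastructure translate directly into a log-triage check for the Telegram egress review recommended above. The following is an added example written for this summary, not code from Talos or from the report; the proxy log format and the sample lines (including the third, unknown bot token) are constructed, while the two known tokens and the hosting domain and paths are the ones listed in this report.

```python
"""Flag proxy log lines matching the PXA Stealer egress and hosting indicators."""
import re
from urllib.parse import urlsplit

# Bot tokens and hosting domain/paths as listed in the report (domain refanged to match logs).
KNOWN_BOT_TOKENS = {
    "7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4",
    "7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs",
}
HOSTING_DOMAIN = "tvdseo.com"

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
# Constructed log format for this example: "<timestamp> <src_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line):
    """Return (verdict, detail) for one log line, or None if it matches nothing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _method, url, _status = m.groups()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host == "api.telegram.org":
        api = BOT_API_RE.match(u.path)
        if api:
            token, api_method = api.groups()
            # Any bot-API use from a workstation is worth a look; a token from the
            # report is a confirmed indicator. Only the bot id (before ':') is reported.
            verdict = "known-token" if token in KNOWN_BOT_TOKENS else "bot-api"
            return (verdict, f"{src} -> telegram {api_method} bot_id={token.split(':')[0]}")
    if host == HOSTING_DOMAIN or host.endswith("." + HOSTING_DOMAIN):
        if u.path == "/file" or u.path.startswith("/file/"):
            return ("stager-fetch", f"{src} -> {host}{u.path}")
    return None


def triage(lines):
    """Run classify over many lines and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: a stager fetch, a known-token upload, an unknown bot, benign traffic.
SAMPLE_LOG = """\
2024-11-14T09:12:01Z 10.20.30.40 GET https://tvdseo.com/file/PXA/ 200
2024-11-14T09:12:07Z 10.20.30.40 POST https://api.telegram.org/bot7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4/sendDocument 200
2024-11-14T09:12:09Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:AAAAconstructedTokenForExample/sendMessage 200
2024-11-14T09:13:00Z 10.20.30.42 GET https://www.example.org/index.html 200
"""

if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"[{verdict}] {detail}")
```

The `bot-api` verdict deliberately fires on any Telegram Bot API call, since a new campaign will rotate tokens; tune it against known-legitimate bots in your environment before alerting on it.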