PXA Stealer Malware Uses Trusted Cloud Services to Exfiltrate Government and Education Credentials

Threat Group: Vietnamese-speaking cybercrime actors (possible overlap with CoralRaider)
Threat Type: Python-based Information Stealer (Infostealer)
Exploited Vulnerabilities: DLL sideloading, phishing ZIP archives, abuse of legitimate cloud services (Cloudflare Workers, Dropbox)
Malware Used: PXA Stealer
Threat Score: 🔥 Critical (9.0/10) – Due to advanced evasion, large-scale credential theft, and abuse of trusted services
Last Threat Observation: August 6, 2025


Overview

PXA Stealer, a sophisticated Python-based information stealer, continues to present a critical threat, maintaining a 9.0/10 rating as of August 2025. It is attributed to Vietnamese-speaking cybercriminals and targets sensitive data in government and education sectors globally. Recent campaigns under "Ghost in the Zip" show significant evolution in delivery methods, prominently featuring DLL sideloading through trusted signed software (e.g., Microsoft Word 2013, Haihaisoft PDF Reader). Attackers increasingly use trusted cloud services such as Cloudflare Workers and Dropbox for Command and Control (C2) and data exfiltration.

With over 4,000 victim IPs in more than 62 countries, PXA Stealer has stolen over 200,000 credentials and millions of browser cookies. Stolen data is pushed into a Telegram-based cybercrime ecosystem facilitating financial fraud, account takeovers, and ransomware. Organisations must deploy multi-layered defences, emphasising user training, endpoint/network monitoring, patching, and specific mitigations against DLL sideloading and cloud service abuse.


Key Details

Delivery Method: Phishing emails with ZIP archives containing a Rust loader and decoy PDF. The loader uses DLL sideloading with trusted applications.

Target: Government and education institutions in Europe, Asia, North America, and increasingly broader global sectors.

Functions:

  • Decrypts browser master keys
  • Steals credentials, cookies, autofill data
  • Harvests Facebook session tokens, crypto wallet credentials
  • Abuses Cloudflare Workers, Dropbox, and Telegram for C2
  • Utilises DLL sideloading for stealth and persistence

Obfuscation: Obfuscated batch and PowerShell scripts; renamed Python payloads (e.g., svchost.exe); encoded shortcut files; exploitation of trusted software for sideloading


Attack Vectors

  • Phishing emails with ZIP attachments and decoy documents (e.g., Tax-Invoice-EV.docx)
  • DLL sideloading via trusted binaries (e.g., msvcr100.dll)
  • Use of renamed binaries to bypass user suspicion
  • Obfuscated scripts disabling AV and launching payloads
  • Persistent execution via Run keys and application-triggered DLL loads
  • Exfiltration through Telegram bots, Cloudflare Workers, Dropbox, and temp hosts like 0x0[.]st

Known Indicators of Compromise (IoCs)

MD5 Hashes

  • 393ff5839c4ce9e06079c3e7adf1cc27
  • 6510f6d274e03e177a0540d7307d7ac9
  • 9111387e575ad602c12a9bcc05f356b7
  • a1de860115ebbef7f96b089bd61bbb75
  • fe06d9599a0877a5a0031598893b577b

SHA1 Hashes

  • 05a8e10251a29faf31d7da5b9adec4be90816238
  • 06fcb4adf8ca6201fc9e3ec72d53ca627e6d9532
  • 08f517d4fb4428380d01d4dd7280b62042f9e863
  • 0c472b96ecc1353fc9259e1b8750cdfe0b957e4f
  • 1594331d444d1a1562cd955aefff33a0ee838ac9
  • 1783af05e7cd52bbb16f714e878bfa9ad02b6388
  • 185d10800458ab855599695cd85d06e630f7323d
  • 1aa5a0e7bfb995fc2f3ba0e54b59e7877b5d8fd3
  • 23c61ad383c54b82922818edcc0728e9ef6c984d
  • 345c59394303bb5daf1d97e0dda894ad065fedf6
  • 37e4039bd2135d3253328fea0f6ff1ca60ec4050
  • 3a20b574e12ffb8a55f1fb5dc91c91245a5195e8
  • 3d38abc7786a1b01e06cc46a8c660f48849b2b5f
  • 3e9198e9546fa73ef93946f272093092363eb3e2
  • 3f0071d64edd72d7d92571cf5e4a5e82720c5a9b
  • 40795ca0880ea7418a45c66925c200edcddf939e
  • 407df08aff048b7d05fd7636be3bc9baa699646d
  • 44feb2d7d7eabf78a46e6cc6abdd281f993ab301
  • 4528215707a923404e3ca7667b656ae50cef54ef
  • 4607f6c04f0c4dc4ee5bb68ee297f67ccdcff189
  • 48325c530f838db2d7b9e5e5abfa3ba8e9af1215
  • 48d6350afa5b92958fa13c86d61be30f08a3ff0c
  • 4ab9c1565f740743a9d93ca4dd51c5d6b8b8a5b6
  • 4dcf4b2d07a2ce59515ed3633386addff227f7bd
  • 5246e098dc625485b467edd036d86fd363d75aae
  • 533960d38e6fee7546cdea74254bccd1af8cbb65
  • 540227c86887eb4460c4d59b8dea2a2dd0e575b7
  • 5b60e1b7458cef383c45998204bbaac5eacbb7ee
  • 612f61b2084820a1fcd5516dc74a23c1b6eaa105
  • 61a0cb64ca1ba349550176ef0f874dd28eb0abfa
  • 6393b23bc20c2aaa71cb4e1597ed26de48ff33e2
  • 65c11e7a61ac10476ed4bfc501c27e2aea47e43a
  • 6eb1902ddf85c43de791e86f5319093c46311071
  • 70b0ce86afebb02e27d9190d5a4a76bae6a32da7
  • 734738e7c3b9fef0fd674ea2bb8d7f3ffc80cd91
  • 7c9266a3e7c32daa6f513b6880457723e6f14527
  • 7d53e588d83a61dd92bce2b2e479143279d80dcd
  • 7e505094f608cafc9f174db49fbb170fe6e8c585
  • 80e68d99034a9155252e2ec477e91da75ad4f868
  • ae8d0595724acd66387a294465b245b4780ea264
  • b53ccd0fe75b8b36459196b666b64332f8e9e213
  • ba56a3c404d1b4ed4c57a8240e7b53c42970a4b2
  • bd457c0d0a5776b43969ce28a9913261a74a4813
  • bfed04e6da375e9ce55ad107aa96539f49899b85
  • c46613f2243c63620940cc0190a18e702375f7d7
  • c5407cc07c0b4a1ce4b8272003d5eab8cdb809bc
  • c5688fc4c282f9a0dc62cf738089b3076162e8c6
  • c9a1ddf30c5c7e2697bc637001601dfa5435dc66
  • c9caba0381624dec31b2e99f9d7f431b17b94a32
  • ca6912da0dc4727ae03b8d8a5599267dfc43eee9
  • d0b137e48a093542996221ef40dc3d8d99398007
  • d1a5dff51e888325def8222fdd7a1bd613602bef
  • da210d89a797a2d84ba82e80b7a4ab73d48a07b1
  • dc6a62f0a174b251e0b71e62e7ded700027cc70b
  • deace971525c2cdba9780ec49cc5dd26ac3a1f27
  • e27669cdf66a061c5b06fea9e4800aafdb8d4222
  • e9dfde8f8a44b1562bc5e77b965b915562f81202
  • f02ae732ee4aff1a629358cdc9f19b8038e72b7b
  • f5793ac244f0e51ba346d32435adb8eeac25250c
  • f7bb34c2d79163120c8ab18bff76f48e51195d35
  • f8f328916a890c1b1589b522c895314a8939399c
  • f91e1231115ffe1a01a27ea9ab3e01e8fac1a24f
  • faf033dc60fed4fc4d264d9fac1d1d8d641af5e0
  • ff920aee8199733258bb2a1f8f0584ccb3be5ec6

SHA256 Hashes

  • 04d7cbb4a6f4152a59fba1c83b53815716f7008db0b2a4514166bfa9c4413895
  • 0cd9f10a8e644754d1c3ed624e7a3d79c738d446e3b5d1f645c4ee2d855ee4ca
  • 3e8b370b8f499f5de89bf20bce2f0890c4731b4972943cfb82691ed370d9f62a
  • 7775d00a82ec44a718d7ee5417d6097bc4315d3513303bcb9340266cc0c87f73
  • a5d0c0dfc4e3e1c157c50d1dfb7b0d376aa35fe5fcac11ce524a8ea7c9cfa54b

Domains:

  • tvdseo[.]com
    • /file/PXA/
    • /file/STC/
    • /file/Adonis/
  • 0x0[.]st (temporary payload hosting)

Cloud Services Abused:

  • Cloudflare Workers
  • Dropbox

Telegram Bot Tokens & Chat IDs:

  • 7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmR1h-a2M4
  • Chat IDs: -1002174636072, -1002150158011, -4559798560
  • Channels: "Mua Bán Scan MINI", "Cú Black Ads – Dropship", "James_New_Ver_bot", "MRB_NEW_VER_BOT", "ADN_2_NEW_VER_BOT"


Mitigation and Prevention

User Awareness:

  • Educate users on ZIP-based phishing and disguised job offers or copyright claims

Email Filtering:

  • Block ZIP archives with embedded executables and loaders
  • Implement sandboxing for attachments

Endpoint Protection:

  • EDR/XDR with rules for obfuscated scripts and unusual DLL loading
  • Monitor Run key modifications and shortcut file creation
  • Apply custom Sigma rules targeting PXA behaviours

DLL Sideloading Defences:

  • Enforce application allowlisting
  • Block unsigned DLL execution
  • Monitor legitimate apps loading unsigned DLLs
  • Use FIM to detect changes to trusted apps

Cloud Service Monitoring:

  • Behavioural inspection of encrypted Dropbox/Cloudflare traffic
  • Engage cloud providers for abuse detection and disruption
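"Behavioural inspection" of traffic to Dropbox and Cloudflare Workers is hard at the network edge because the payload is TLS and the destinations are legitimate. Endpoint network telemetry sidesteps that: the question becomes which process is talking to the service and how much it sends. The script below is an added example written for this advisory, not the authors' tooling. It refangs the two defanged domains from the IoC list above, then walks constructed EDR-style network records (process image, destination host, bytes sent) and flags IoC matches, non-browser processes other than the Dropbox client reaching Dropbox API hosts, any native process reaching a workers.dev host, and cumulative upload volume. The process allowlists, the byte threshold and every hostname other than the two page IoCs are assumptions for illustration.

```python
"""Flag cloud-service egress matching the exfiltration pattern in this advisory, using constructed
EDR-style network telemetry (process image, destination host, bytes sent)."""
import ntpath
from collections import defaultdict

# Defanged domains from the advisory's IoC list; refanged below for matching.
DEFANGED_IOC_DOMAINS = ("tvdseo[.]com", "0x0[.]st")

# Services the advisory says are abused for C2/exfiltration, mapped to the processes expected to
# talk to them. These allowlists are assumptions to tune per environment.
CLOUD_HOST_RULES = {
    "dropboxapi.com": {"dropbox.exe"},
    "dropbox.com": {"dropbox.exe"},
    "workers.dev": set(),  # no native (non-browser) process is expected to reach arbitrary Workers hosts
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # assumption
UPLOAD_THRESHOLD = 1_000_000  # bytes out per (process, host) in the window; tuning assumption


def refang(domain):
    """Turn a defanged indicator such as 'tvdseo[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOC_DOMAINS}


def host_matches(host, suffix):
    """True for the domain itself and any subdomain of it; never a partial-label match."""
    return host == suffix or host.endswith("." + suffix)


def analyse(records):
    """Aggregate bytes per (process name, host) and return a sorted list of findings."""
    totals = defaultdict(int)
    for rec in records:
        key = (ntpath.basename(rec["image"]).lower(), rec["dest_host"].lower())
        totals[key] += rec["bytes_out"]

    findings = []
    for (proc, host), total in sorted(totals.items()):
        reasons = []
        if any(host_matches(host, ioc) for ioc in IOC_DOMAINS):
            reasons.append("destination matches an advisory IoC domain")
        for suffix, expected in CLOUD_HOST_RULES.items():
            if host_matches(host, suffix) and proc not in expected and proc not in BROWSERS:
                reasons.append(f"{proc} is not expected to talk to {suffix}")
        # Volume only matters once the pairing is already suspicious; it ranks, not triggers.
        if reasons and total >= UPLOAD_THRESHOLD:
            reasons.append(f"upload volume {total} bytes exceeds threshold")
        if reasons:
            findings.append({"process": proc, "host": host, "bytes_out": total, "reasons": reasons})
    return findings


# Constructed sample telemetry; the workers.dev hostnames and user name are made up.
SAMPLE_RECORDS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "content.dropboxapi.com", "bytes_out": 48_000},
    {"image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dest_host": "content.dropboxapi.com", "bytes_out": 3_200_000},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dest_host": "content.dropboxapi.com", "bytes_out": 800_000},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dest_host": "content.dropboxapi.com", "bytes_out": 450_000},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dest_host": "constructed-c2.workers.dev", "bytes_out": 12_000},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "tvdseo.com", "bytes_out": 2_100},
    {"image": r"C:\Windows\System32\curl.exe", "dest_host": "0x0.st", "bytes_out": 640_000},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dest_host": "docs-site.workers.dev", "bytes_out": 9_000},
]
```

`analyse(SAMPLE_RECORDS)` yields four findings: curl.exe and powershell.exe hitting the two IoC domains, and the AppData svchost.exe reaching both a Workers host and the Dropbox content API, the latter carrying an aggregated 1,250,000 bytes and therefore the volume reason as well. The Dropbox desktop client's 3.2 MB upload and both browsers produce nothing, which is the point: blocking the services outright is rarely an option in these sectors, so the detection has to key on the process/destination pairing rather than the destination alone.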

MFA & Credential Hygiene:

  • Enforce MFA for all critical services
  • Reset exposed credentials and monitor for misuse

Patch Management:

  • Regularly update browsers, Python, wallet apps, and OS

Risk Assessment

PXA Stealer remains a critical threat due to its industrialised credential theft, advanced obfuscation, and scalable monetisation via Telegram. It serves as an initial access vector for larger campaigns, including ransomware.


Conclusion

PXA Stealer's evolution into a global, evasive, and cloud-leveraging infostealer demands constant vigilance. Defenders must adopt a layered approach, from user education to EDR/XDR and intelligence-led hunting. Blocking infrastructure alone is not sufficient; behavioural detection, continuous rule updates, and collaboration with service providers are essential to thwart this adaptable threat.


Sources: