Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 unique victim IP addresses from 62 countries were identified, with South Korea, the United States, and the Netherlands being the most targeted. The stolen data includes passwords, credit card records, and browser cookies. The threat actors, linked to Vietnamese-speaking cybercriminal circles, monetize the stolen data through a subscription-based underground ecosystem that automates resale via Telegram's API. The campaign showcases the growing trend of weaponizing legitimate infrastructure for large-scale information theft and monetization.
OPENCTI LABELS:
infostealer, telegram, python, data theft, credential harvesting, pxa stealer