Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Aug. 4, 2025, 9 p.m.

Description

SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 unique victim IP addresses from 62 countries were identified, with South Korea, the United States, and the Netherlands being the most targeted. The stolen data includes passwords, credit card records, and browser cookies. The threat actors, linked to Vietnamese-speaking cybercriminal circles, monetize the stolen data through a subscription-based underground ecosystem that automates resale via Telegram's API. The campaign showcases the growing trend of weaponizing legitimate infrastructure for large-scale information theft and monetization.

Date

  • Created: Aug. 4, 2025, 4:13 p.m.
  • Published: Aug. 4, 2025, 4:13 p.m.
  • Modified: Aug. 4, 2025, 9 p.m.

Indicators

  • 7775d00a82ec44a718d7ee5417d6097bc4315d3513303bcb9340266cc0c87f73
  • a5d0c0dfc4e3e1c157c50d1dfb7b0d376aa35fe5fcac11ce524a8ea7c9cfa54b
  • 3e8b370b8f499f5de89bf20bce2f0890c4731b4972943cfb82691ed370d9f62a
  • 0cd9f10a8e644754d1c3ed624e7a3d79c738d446e3b5d1f645c4ee2d855ee4ca
  • 04d7cbb4a6f4152a59fba1c83b53815716f7008db0b2a4514166bfa9c4413895
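
The five SHA-256 digests above are the only file indicators this page carries. The script below is an added example, not code from SentinelLABS, Beazley Security or the page: it parses such a pasted indicator list, rejects any entry that is not exactly 64 hex characters (so a truncated digest cannot silently match nothing), streams every regular file under a directory through SHA-256 without following symlinks, and reports matches. The function and constant names are assumptions made here, and the sample file it writes for a dry run is constructed and benign.

```python
import hashlib
import os
import re
import sys
import tempfile
from typing import Dict, Set, Tuple

# SHA-256 indicators exactly as listed on this page for the PXA Stealer campaign.
PXA_STEALER_SHA256 = """
7775d00a82ec44a718d7ee5417d6097bc4315d3513303bcb9340266cc0c87f73
a5d0c0dfc4e3e1c157c50d1dfb7b0d376aa35fe5fcac11ce524a8ea7c9cfa54b
3e8b370b8f499f5de89bf20bce2f0890c4731b4972943cfb82691ed370d9f62a
0cd9f10a8e644754d1c3ed624e7a3d79c738d446e3b5d1f645c4ee2d855ee4ca
04d7cbb4a6f4152a59fba1c83b53815716f7008db0b2a4514166bfa9c4413895
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_ioc_list(text: str) -> Set[str]:
    """Turn a pasted indicator list into a set of lowercase SHA-256 digests.

    Bullets, surrounding whitespace and upper-case hex are tolerated. Anything
    that is not exactly 64 hex characters raises, because a truncated or
    mangled digest would otherwise be carried along and never match anything.
    """
    iocs: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•*-").strip()
        if not line:
            continue
        digest = line.lower()
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA-256 digest: {raw!r}")
        iocs.add(digest)
    return iocs


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> Dict[str, str]:
    """Hash every regular file under root; return {path: digest} for IOC matches.

    Symlinks are skipped (not followed) so a planted link cannot drag the scan
    out of the tree, and unreadable files are skipped rather than aborting.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def make_constructed_sample() -> Tuple[str, str, str]:
    """Write a constructed, benign file into a fresh temp dir for a dry run.

    Returns (root, path, digest). The content is made up here; it is not one of
    the campaign's payloads, so its digest is not in PXA_STEALER_SHA256.
    """
    root = tempfile.mkdtemp(prefix="ioc-scan-")
    path = os.path.join(root, "constructed-sample.bin")
    data = b"constructed sample content, not a real PXA Stealer artifact\n"
    with open(path, "wb") as f:
        f.write(data)
    return root, path, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Usage: python ioc_scan.py [directory]   (defaults to a constructed dry run)
    iocs = parse_ioc_list(PXA_STEALER_SHA256)
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        root, _, _ = make_constructed_sample()
    matches = scan_tree(root, iocs)
    for path, digest in sorted(matches.items()):
        print(f"MATCH {digest}  {path}")
    print(f"{len(matches)} match(es) under {root}")
```

Run it against a download or staging directory; a hash-only sweep like this catches the exact samples listed here and nothing else, so treat it as a triage step, not as coverage for repacked builds of the stealer.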

Additional Information

  • Cryptocurrency
  • Technology
  • Finance
  • Hungary
  • Austria
  • Netherlands
  • United States of America