Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

PXA Stealer

pxastealer
150
Global rank
102 infographic chevron month
Month rank
93 infographic chevron week
Week rank
0
IOCs

PXA Stealer is an information-stealing malware that targets individuals and organizations in 60+ countries. It spreads via phishing, archives, and fake software updates. DLL sideloading, decoy documents, and obfuscation help it evade security tools. Exfiltrated data is exfiltrated and monetized through underground marketplaces.

Stealer
Type
Unknown
Origin
1 November, 2024
First seen
2 April, 2026
Last seen

How to analyze PXA Stealer with ANY.RUN

Stealer
Type
Unknown
Origin
1 November, 2024
First seen
2 April, 2026
Last seen

IOCs

Last Seen at
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
auto
stealer
redline
meterpreter
generic
cryptowall
evasion
salatstealer
rustme
keylogger
loader
metasploit
backdoor
python
anti-evasion
rat
njrat
bladabindi
autoit
arch-exec
pxastealer
telegram
jeefo
xworm
dcrat
blankgrabber
screenshot
quasar
hijackloader
amadey
discord
lumma
exfiltration
eicar-test
susp-powershell
nanocore
pastebin
donutloader
rust
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
loader
stealer
arch-exec
rustme
keylogger
cryptowall
evasion
salatstealer
auto
redline
generic
rat
njrat
bladabindi
python
anti-evasion
autoit
telegram
pxastealer
xworm
dcrat
jeefo
eicar-test
blankgrabber
hijackloader
screenshot
amadey
discord
exfiltration
lumma
susp-powershell
phish-ml-docx
pastebin
nanocore
30 March, 2026
Malicious activity
virs.zip
auto
xworm
rat
arch-exec
loader
generic
hausbomber
stealer
stealc
arch-scr
github
evasion
phishing
nsminer
miner
anti-evasion
inno
installer
remote
delphi
python
netreactor
rustdesk
rmm-tool
telegram
pxastealer
crypto-regex
meterpreter
discord
pastebin
adware
ftp
jeefo
blankgrabber
njrat
bladabindi
clickfix
barys
screenshot
discordrat
cryptowall
ransomware
remcos
quasar
autoit
cryptolocker
formbook
phorphiex
botnet
agenttesla
phorpiex
cobaltstrike
tool
xfiles
santastealer
mirai
antivm
golang
websocket
25 March, 2026
Malicious activity
quickdocshare.com
pxastealer
23 March, 2026
Malicious activity
0c4df034-e34e-440e-8430-73719a1201c1
pxastealer
19 March, 2026
Malicious activity
Synaptics.exe
xred
backdoor
hausbomber
loader
arch-exec
github
delphi
evasion
xmrig
miner
pastebin
winring0-sys
vuln-driver
auto
redline
stealer
coinminer
autoit
dyndns
salatstealer
amadey
botnet
discord
python
quasar
nuitka
websocket
pythonstealer
ms-smartcard
chromelevator
hacktool
inject
remcos
rat
generic
arch-doc
anti-evasion
remote
rustdesk
rmm-tool
stealc
exela
screenshot
gotohttp
xworm
telegram
pxastealer
shifu
banking
smb
scan
smbscan
vidar
lumma
braodo
phishing
darkstealer
heodo
neshta
xor-url
upx
hijackloader
braincipher
ransomware
bdaejec
clickfix
cryptowall
12 March, 2026
Malicious activity
limewire.com
possible-phishing
phish-url
auto
generic
doc-url
python
telegram
stealer
rat
evasion
pxastealer
api-base64
ims-api
10 March, 2026
Malicious activity
a64d649b-c836-4b1f-9e43-2bdde1918837
auto
generic
python
telegram
stealer
api-base64
ims-api
rat
pxastealer
evasion
TRACK THEM ALL AT
Public Submissions
Last Seen at
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
auto
stealer
redline
meterpreter
generic
cryptowall
evasion
salatstealer
rustme
keylogger
loader
metasploit
backdoor
python
anti-evasion
rat
njrat
bladabindi
autoit
arch-exec
pxastealer
telegram
jeefo
xworm
dcrat
blankgrabber
screenshot
quasar
hijackloader
amadey
discord
lumma
exfiltration
eicar-test
susp-powershell
nanocore
pastebin
donutloader
rust
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
loader
stealer
arch-exec
rustme
keylogger
cryptowall
evasion
salatstealer
auto
redline
generic
rat
njrat
bladabindi
python
anti-evasion
autoit
telegram
pxastealer
xworm
dcrat
jeefo
eicar-test
blankgrabber
hijackloader
screenshot
amadey
discord
exfiltration
lumma
susp-powershell
phish-ml-docx
pastebin
nanocore
30 March, 2026
Malicious activity
virs.zip
auto
xworm
rat
arch-exec
loader
generic
hausbomber
stealer
stealc
arch-scr
github
evasion
phishing
nsminer
miner
anti-evasion
inno
installer
remote
delphi
python
netreactor
rustdesk
rmm-tool
telegram
pxastealer
crypto-regex
meterpreter
discord
pastebin
adware
ftp
jeefo
blankgrabber
njrat
bladabindi
clickfix
barys
screenshot
discordrat
cryptowall
ransomware
remcos
quasar
autoit
cryptolocker
formbook
phorphiex
botnet
agenttesla
phorpiex
cobaltstrike
tool
xfiles
santastealer
mirai
antivm
golang
websocket
25 March, 2026
Malicious activity
quickdocshare.com
pxastealer
23 March, 2026
Malicious activity
0c4df034-e34e-440e-8430-73719a1201c1
pxastealer
19 March, 2026
Malicious activity
Synaptics.exe
xred
backdoor
hausbomber
loader
arch-exec
github
delphi
evasion
xmrig
miner
pastebin
winring0-sys
vuln-driver
auto
redline
stealer
coinminer
autoit
dyndns
salatstealer
amadey
botnet
discord
python
quasar
nuitka
websocket
pythonstealer
ms-smartcard
chromelevator
hacktool
inject
remcos
rat
generic
arch-doc
anti-evasion
remote
rustdesk
rmm-tool
stealc
exela
screenshot
gotohttp
xworm
telegram
pxastealer
shifu
banking
smb
scan
smbscan
vidar
lumma
braodo
phishing
darkstealer
heodo
neshta
xor-url
upx
hijackloader
braincipher
ransomware
bdaejec
clickfix
cryptowall
12 March, 2026
Malicious activity
limewire.com
possible-phishing
phish-url
auto
generic
doc-url
python
telegram
stealer
rat
evasion
pxastealer
api-base64
ims-api
10 March, 2026
Malicious activity
a64d649b-c836-4b1f-9e43-2bdde1918837
auto
generic
python
telegram
stealer
api-base64
ims-api
rat
pxastealer
evasion
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
From Reactive to Proactive: 5 Steps to SOC Ma...
watchers 1154
comments 0
post image
Major Cyber Attacks in March 2026: OAuth Phis...
watchers 1745
comments 0
post image
Release Notes: Cross-Platform Threat Analysis...
watchers 3149
comments 0

Contents

  • PXA Stealer Targeting High-Value Data
  • Key takeaways
  • What is PXA Stealer malware?
  • PXA Stealer malware technical details
  • PXA Stealer victimology
  • PXA Stealer execution process
  • PXA Stealer malware distribution methods
  • Gathering Threat Intelligence on PXA Stealer Malware
  • Conclusion

Recent blog posts

post image
From Reactive to Proactive: 5 Steps to SOC Ma...
watchers 1154
comments 0
post image
Major Cyber Attacks in March 2026: OAuth Phis...
watchers 1745
comments 0
post image
Release Notes: Cross-Platform Threat Analysis...
watchers 3149
comments 0

PXA Stealer Targeting High-Value Data

Key takeaways

  1. PXA Stealer is an infostealer that primarily targets credentials, browser data, and financial information.
  2. Its methods include DLL sideloading, multi-stage archives, phishing, and legitimate files abuse.
  3. Targeted industries include education and government entities.
  4. Some variants maintain persistence through RAT components or by running alongside legitimate programs.
  5. Stolen information is monetized on underground marketplaces.
  6. Analysts can use ANY.RUN’s Interactive Sandbox to expose PXA Stealer. View analysis in ANY.RUN Sandbox

analysis in Sandbox

PXA Stealer analysis in ANY.RUN’s Interactive Sandbox

  1. Browse data on PXA Stealer in Threat Intelligence Lookup to identify and monitor its variants.

Search results in TI

Overview of PXA Stealer results in TI Lookup

What is PXA Stealer malware?

PXA Stealer is designed to harvest sensitive data through malicious software updates, attachments, and phishing links.

In 2024, a large-scale campaign driven by PXA Stealer unfolded. It was deployed as the final payload successfully stealing high-value data, including credentials and financial data via automated bot networks. Over 4,000 users were impacted by this operation, with 200,000+ passwords stolen.

Threat actors behind the malware are believed to be Vietnamese-speaking cybercriminals, based on code comments and Telegram account data linked to the attack.

The initial sideloading-based distribution through legitimate executables paired with a malicious DLL further evolved to include anti-analysis measures and decoys. The general attack methods haven’t changed. Threat actors demonstrated the ability to improve the malware, refining initial access and obfuscation methods.

Stolen data is subsequently monetized through underground marketplaces.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

PXA Stealer malware technical details

The primary functionality and feature of malware:

PXA Stealer spreads via DLL sideloading and multi-stage payloads in archived files (e.g., Ghost in the Zip campaign).

During 2025, threat actors continued to refine their initial access and evasion techniques. They started to use benign documents (like PDFs) and legitimate software as decoy for more convincing DLL execution. Such elaborate, layered attacks are harder to detect both by endpoint security tools and analysts.

PXA variants are generally not persistence-oriented. Their primary goal is to steal data in one go and exit. However, in several campaigns additional persistence was achieved by extra tools like RAT components. Persistence was also maintained as the malware stayed active alongside the legitimate program that carried the malicious DLL.

Anti-analysis methods include the abuse of legitimate files and software to distract users and analysts. Layered and nested archives, the mixing of benign and malicious objects – all this contributes to the delay of detection.

As for PXA variants that come with RATs, these often include deeper obfuscations, such as multi-layer encoding and fragmented execution stages, making the reconstruction of execution flow even more complex.

For exfiltration of stolen data, PXA uses legitimate cloud messaging platforms, most often Telegram API and controlled C2 infrastructure.

PXA Stealer victimology

A number victims of PXA Stealer are private individuals, but a large proportion are organizations, particularly educational and government organizations from Asian (e.g., South Korea) and European (e.g. Sweden, Denmark, the Netherlands) countries, as well as the US. The total range of victim’s geography includes over 60 countries.

PXA Stealer execution process

See how PXA Stealer attack unfolds in a VM: View analysis in ANY.RUN Sandbox

The attack starts with the delivery of a large archive that contains an .exe file with a malicious DLL library.

PXA Stealer in Sandbox Archived file that includes PXA Stealer as seen in ANY.RUN”s Interactive Sandbox

Upon the execution, the DLL activates and creates a script, which begins to unfold the payload. In particular, the .CMD script uses Windows’ certutil utility to decode and extract an encrypted .RAR archive embedded into a corrupted PDF file.

The next step: certutil extracts base64-coded content from the PDF and transforms it into a new archive file – Invoice.pdf (RAR-archived).

After that, WinRar’s package utility masquerading as images.png file extracts the archive using predefined parameters and password.

PXA Stealer in Sandbox 2 images.png file: the disguised WinRar’s package utility. ANY.RUN’s Sandbox

Now several dependencies for Python environment are unpacked, including a renamed legitimate Python 3.10 interpreter under the disguise of svchost.exe.

PXA Stealer in Sandbox 3 Malicious Python script hidden in images.png. ANY.RUN Sandbox

Finally, the Python script is initialized and sets a Run registry key.

PXA Stealer in Sandbox 4 Malicious Python script initialized. ANY.RUN Sandbox

Once launched, the script proceeds to conduct standard functions of a stealer for data harvesting.

PXA Stealer in Sandbox 5 PXA Stealer-associated data stealing processes. ANY.RUN Sandbox

PXA Stealer malware distribution methods

PXA Stealer is most commonly distributed through:

  • Phishing emails or messages on apps/social platforms

They contain archive attachments, inside of which there’s a legitimate file + a malicious DLL for sideloading. When a user launches the executable, the malicious DLL loads automatically.

  • Download links

Threat actors also use malicious links shared via file-sharing or cloud storage services, as this allows them to bypass email filters.

  • Files shared on corporate networks (user-initiated)

Notably, as PXA Stealer seemed to targeted government and educational institutions, in some cases it was distributed through internal messaging and storage systems.

  • Fake software updates

PXA also spreads through the delivery of legitimate software update files with a malicious DLL in a bundle.

Gathering Threat Intelligence on PXA Stealer Malware

Gain actionable insights on PXA Stealer by browsing Threat Intelligence Lookup that provides:

  • Instant identification of suspicious files, URLs, domains, and IPs linked to PXA Stealer

  • Overview of related IOCs, IOBs, IOAs to facilitate threat hunting

  • Links to live sandbox investigations of PXA Stealer for deeper analysis

  • Insights into C2 connections, exfiltration methods, and distribution techniques

  • Streamlined incident response through immediate access to verified threat intelligence

Follow this link or copy the query to browse TI Lookup:

threatName:"PXA Stealer"

Search results in TI

Overview of PXA Stealer results in TI Lookup

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

PXA Stealer remains high‑risk information‑stealing threat that abuses legitimate executables to evade detection. It exfiltrates credentials, browser data, cookies, and financial information, enabling account takeover, fraud, and further intrusions. Educational and government institutions seems to be especially endangered.

Adopt a proactive defense strategy with ANY.RUN to mitigate the business risks:

  • Analyze suspicious files, archives, and multi‑stage payload chains in sandboxing solutions such as ANY.RUN’s Interactive Sandbox
  • Track emerging PXA Stealer campaigns and strengthen detection across your environment in Threat Intelligence Lookup, a browsable collection of fresh IOCs and IOBs sourced from live investigations by over 15,000 SOC teams.

Get 50 trial request and start gathering actionable intelligence in TI Lookup. Sign up now

HAVE A LOOK AT

WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Salvador Stealer screenshot
Salvador Stealer
salvador
Salvador Stealer is a powerful, information-stealing Android malware designed to silently infiltrate systems, extract sensitive data, and exfiltrate it to cybercriminals. Often sold on underground forums, it is part of the growing ecosystem of “stealers-as-a-service” (SaaS) tools that target individuals and organizations alike.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More