Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

PXA Stealer

pxastealer
151
Global rank
84 infographic chevron month
Month rank
41 infographic chevron week
Week rank
0
IOCs

PXA Stealer is an information-stealing malware that targets individuals and organizations in 60+ countries. It spreads via phishing, archives, and fake software updates. DLL sideloading, decoy documents, and obfuscation help it evade security tools. Exfiltrated data is exfiltrated and monetized through underground marketplaces.

Stealer
Type
Unknown
Origin
1 November, 2024
First seen
8 January, 2026
Last seen

How to analyze PXA Stealer with ANY.RUN

Stealer
Type
Unknown
Origin
1 November, 2024
First seen
8 January, 2026
Last seen

IOCs

Last Seen at
8 January, 2026
Malicious activity
tr.ee
arch-doc
python
telegram
stealer
evasion
pxastealer
rat
7 January, 2026
Malicious activity
tr.ee
telegram
python
stealer
evasion
pxastealer
rat
7 January, 2026
Malicious activity
email07012026.html
arch-doc
python
telegram
stealer
evasion
pxastealer
7 January, 2026
Malicious activity
tr.ee
arch-doc
python
telegram
stealer
evasion
pxastealer
rat
7 January, 2026
Malicious activity
tinyurl.com
arch-exec
pxastealer
7 January, 2026
Malicious activity
tinyurl.com
arch-exec
pxastealer
6 January, 2026
Suspicious activity
POTENTIAL SPAM.msg
arch-exec
pxastealer
blind-copy
6 January, 2026
Malicious activity
pixeldrain.com
arch-exec
pxastealer
arch-doc
blind-copy
attachments
attc-unc
susp-attachments
python
anti-evasion
stealer
purecrypter
rat
6 January, 2026
Suspicious activity
POTENTIAL SPAM.msg
arch-exec
pxastealer
31 December, 2025
Malicious activity
tr.ee
arch-exec
python
telegram
stealer
pxastealer
evasion
arch-doc
rat
TRACK THEM ALL AT
Public Submissions
Last Seen at
8 January, 2026
Malicious activity
tr.ee
arch-doc
python
telegram
stealer
evasion
pxastealer
rat
7 January, 2026
Malicious activity
tr.ee
telegram
python
stealer
evasion
pxastealer
rat
7 January, 2026
Malicious activity
email07012026.html
arch-doc
python
telegram
stealer
evasion
pxastealer
7 January, 2026
Malicious activity
tr.ee
arch-doc
python
telegram
stealer
evasion
pxastealer
rat
7 January, 2026
Malicious activity
tinyurl.com
arch-exec
pxastealer
7 January, 2026
Malicious activity
tinyurl.com
arch-exec
pxastealer
6 January, 2026
Suspicious activity
POTENTIAL SPAM.msg
arch-exec
pxastealer
blind-copy
6 January, 2026
Malicious activity
pixeldrain.com
arch-exec
pxastealer
arch-doc
blind-copy
attachments
attc-unc
susp-attachments
python
anti-evasion
stealer
purecrypter
rat
6 January, 2026
Suspicious activity
POTENTIAL SPAM.msg
arch-exec
pxastealer
31 December, 2025
Malicious activity
tr.ee
arch-exec
python
telegram
stealer
pxastealer
evasion
arch-doc
rat
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
Integrating a Malware Sandbox into SOAR Workf...
watchers 693
comments 0
post image
5 Ways MSSPs Can Win Clients in 2026
watchers 601
comments 0
post image
Release Notes: AI Sigma Rules, Live Threat La...
watchers 1154
comments 0

Contents

  • PXA Stealer Targeting High-Value Data
  • Key takeaways
  • What is PXA Stealer malware?
  • PXA Stealer malware technical details
  • PXA Stealer victimology
  • PXA Stealer execution process
  • PXA Stealer malware distribution methods
  • Gathering Threat Intelligence on PXA Stealer Malware
  • Conclusion

Recent blog posts

post image
Integrating a Malware Sandbox into SOAR Workf...
watchers 693
comments 0
post image
5 Ways MSSPs Can Win Clients in 2026
watchers 601
comments 0
post image
Release Notes: AI Sigma Rules, Live Threat La...
watchers 1154
comments 0

PXA Stealer Targeting High-Value Data

Key takeaways

  1. PXA Stealer is an infostealer that primarily targets credentials, browser data, and financial information.
  2. Its methods include DLL sideloading, multi-stage archives, phishing, and legitimate files abuse.
  3. Targeted industries include education and government entities.
  4. Some variants maintain persistence through RAT components or by running alongside legitimate programs.
  5. Stolen information is monetized on underground marketplaces.
  6. Analysts can use ANY.RUN’s Interactive Sandbox to expose PXA Stealer. View analysis in ANY.RUN Sandbox

analysis in Sandbox

PXA Stealer analysis in ANY.RUN’s Interactive Sandbox

  1. Browse data on PXA Stealer in Threat Intelligence Lookup to identify and monitor its variants.

Search results in TI

Overview of PXA Stealer results in TI Lookup

What is PXA Stealer malware?

PXA Stealer is designed to harvest sensitive data through malicious software updates, attachments, and phishing links.

In 2024, a large-scale campaign driven by PXA Stealer unfolded. It was deployed as the final payload successfully stealing high-value data, including credentials and financial data via automated bot networks. Over 4,000 users were impacted by this operation, with 200,000+ passwords stolen.

Threat actors behind the malware are believed to be Vietnamese-speaking cybercriminals, based on code comments and Telegram account data linked to the attack.

The initial sideloading-based distribution through legitimate executables paired with a malicious DLL further evolved to include anti-analysis measures and decoys. The general attack methods haven’t changed. Threat actors demonstrated the ability to improve the malware, refining initial access and obfuscation methods.

Stolen data is subsequently monetized through underground marketplaces.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

PXA Stealer malware technical details

The primary functionality and feature of malware:

PXA Stealer spreads via DLL sideloading and multi-stage payloads in archived files (e.g., Ghost in the Zip campaign).

During 2025, threat actors continued to refine their initial access and evasion techniques. They started to use benign documents (like PDFs) and legitimate software as decoy for more convincing DLL execution. Such elaborate, layered attacks are harder to detect both by endpoint security tools and analysts.

PXA variants are generally not persistence-oriented. Their primary goal is to steal data in one go and exit. However, in several campaigns additional persistence was achieved by extra tools like RAT components. Persistence was also maintained as the malware stayed active alongside the legitimate program that carried the malicious DLL.

Anti-analysis methods include the abuse of legitimate files and software to distract users and analysts. Layered and nested archives, the mixing of benign and malicious objects – all this contributes to the delay of detection.

As for PXA variants that come with RATs, these often include deeper obfuscations, such as multi-layer encoding and fragmented execution stages, making the reconstruction of execution flow even more complex.

For exfiltration of stolen data, PXA uses legitimate cloud messaging platforms, most often Telegram API and controlled C2 infrastructure.

PXA Stealer victimology

A number victims of PXA Stealer are private individuals, but a large proportion are organizations, particularly educational and government organizations from Asian (e.g., South Korea) and European (e.g. Sweden, Denmark, the Netherlands) countries, as well as the US. The total range of victim’s geography includes over 60 countries.

PXA Stealer execution process

See how PXA Stealer attack unfolds in a VM: View analysis in ANY.RUN Sandbox

The attack starts with the delivery of a large archive that contains an .exe file with a malicious DLL library.

PXA Stealer in Sandbox Archived file that includes PXA Stealer as seen in ANY.RUN”s Interactive Sandbox

Upon the execution, the DLL activates and creates a script, which begins to unfold the payload. In particular, the .CMD script uses Windows’ certutil utility to decode and extract an encrypted .RAR archive embedded into a corrupted PDF file.

The next step: certutil extracts base64-coded content from the PDF and transforms it into a new archive file – Invoice.pdf (RAR-archived).

After that, WinRar’s package utility masquerading as images.png file extracts the archive using predefined parameters and password.

PXA Stealer in Sandbox 2 images.png file: the disguised WinRar’s package utility. ANY.RUN’s Sandbox

Now several dependencies for Python environment are unpacked, including a renamed legitimate Python 3.10 interpreter under the disguise of svchost.exe.

PXA Stealer in Sandbox 3 Malicious Python script hidden in images.png. ANY.RUN Sandbox

Finally, the Python script is initialized and sets a Run registry key.

PXA Stealer in Sandbox 4 Malicious Python script initialized. ANY.RUN Sandbox

Once launched, the script proceeds to conduct standard functions of a stealer for data harvesting.

PXA Stealer in Sandbox 5 PXA Stealer-associated data stealing processes. ANY.RUN Sandbox

PXA Stealer malware distribution methods

PXA Stealer is most commonly distributed through:

  • Phishing emails or messages on apps/social platforms

They contain archive attachments, inside of which there’s a legitimate file + a malicious DLL for sideloading. When a user launches the executable, the malicious DLL loads automatically.

  • Download links

Threat actors also use malicious links shared via file-sharing or cloud storage services, as this allows them to bypass email filters.

  • Files shared on corporate networks (user-initiated)

Notably, as PXA Stealer seemed to targeted government and educational institutions, in some cases it was distributed through internal messaging and storage systems.

  • Fake software updates

PXA also spreads through the delivery of legitimate software update files with a malicious DLL in a bundle.

Gathering Threat Intelligence on PXA Stealer Malware

Gain actionable insights on PXA Stealer by browsing Threat Intelligence Lookup that provides:

  • Instant identification of suspicious files, URLs, domains, and IPs linked to PXA Stealer

  • Overview of related IOCs, IOBs, IOAs to facilitate threat hunting

  • Links to live sandbox investigations of PXA Stealer for deeper analysis

  • Insights into C2 connections, exfiltration methods, and distribution techniques

  • Streamlined incident response through immediate access to verified threat intelligence

Follow this link or copy the query to browse TI Lookup:

threatName:"PXA Stealer"

Search results in TI

Overview of PXA Stealer results in TI Lookup

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

PXA Stealer remains high‑risk information‑stealing threat that abuses legitimate executables to evade detection. It exfiltrates credentials, browser data, cookies, and financial information, enabling account takeover, fraud, and further intrusions. Educational and government institutions seems to be especially endangered.

Adopt a proactive defense strategy with ANY.RUN to mitigate the business risks:

  • Analyze suspicious files, archives, and multi‑stage payload chains in sandboxing solutions such as ANY.RUN’s Interactive Sandbox
  • Track emerging PXA Stealer campaigns and strengthen detection across your environment in Threat Intelligence Lookup, a browsable collection of fresh IOCs and IOBs sourced from live investigations by over 15,000 SOC teams.

Get 50 trial request and start gathering actionable intelligence in TI Lookup. Sign up now

HAVE A LOOK AT

AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
CryptoWall screenshot
CryptoWall
cryptowall
CryptoWall is a notorious ransomware family that emerged in early 2014 and rapidly became one of the most destructive cyber threats of its time. This malware encrypts victims' files using strong AES encryption, demands ransom payments in Bitcoin, and has generated hundreds of millions of dollars for cybercriminals.
Read More
Xeno RAT screenshot
Xeno RAT
xenorat
Xeno RAT is an open-source malware mainly distributed through drive-by downloads. The core capabilities of this threat include remote control, keystroke logging, webcam and microphone access. Equipped with advanced utilities, such as Hidden Virtual Network Computing and Socks5 reverse proxy, Xeno RAT is most frequently used in attacks against individual users.
Read More
Phishing kit screenshot
Phishing kit
tycoon evilproxy sneaky2fa
Phishing kits are pre-packaged sets of malicious tools designed to make it easy for cybercriminals to launch phishing attacks. These kits replicate legitimate websites, steal credentials, and often include backend infrastructure for managing stolen data.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Oyster screenshot
Oyster
oyster
Oyster (also seen in reporting as Broomstick or CleanUpLoader) is a Windows backdoor/loader actively used in multi-stage intrusion campaigns. Recent campaigns weaponize SEO-poisoning and malvertising to trick IT and dev users into downloading trojanized installers (PuTTY, WinSCP, Microsoft Teams, etc.), which then drop Oyster to establish a persistent foothold and load additional payloads (often leading to data theft or ransomware).
Read More