Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

PXA Stealer

pxastealer
154
Global rank
150 infographic chevron month
Month rank
177 infographic chevron week
Week rank
0
IOCs

PXA Stealer is an information-stealing malware that targets individuals and organizations in 60+ countries. It spreads via phishing, archives, and fake software updates. DLL sideloading, decoy documents, and obfuscation help it evade security tools. Exfiltrated data is exfiltrated and monetized through underground marketplaces.

Stealer
Type
Unknown
Origin
1 November, 2024
First seen
24 April, 2026
Last seen

How to analyze PXA Stealer with ANY.RUN

Stealer
Type
Unknown
Origin
1 November, 2024
First seen
24 April, 2026
Last seen

IOCs

Last Seen at
10 April, 2026
Malicious activity
4363463463464363463463463.exe
github
auto
hijackloader
loader
generic
python
hausbomber
phishing
discord
evasion
stealer
stealc
redline
metastealer
vidar
anti-evasion
smb
deerstealer
delphi
inno
installer
websocket
ghostsocks
proxyware
nuitka
xworm
remote
upx
pythonstealer
violetworm
worm
schoolboy
metasploit
backdoor
meterpreter
rat
gh0st
gh0stcringe
autoit
discordrat
braodo
amadey
botnet
telegram
pxastealer
arch-exec
arch-scr
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
auto
stealer
redline
meterpreter
generic
cryptowall
evasion
salatstealer
rustme
keylogger
loader
metasploit
backdoor
python
anti-evasion
rat
njrat
bladabindi
autoit
arch-exec
pxastealer
telegram
jeefo
xworm
dcrat
blankgrabber
screenshot
quasar
hijackloader
amadey
discord
lumma
exfiltration
eicar-test
susp-powershell
nanocore
pastebin
donutloader
rust
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
loader
stealer
arch-exec
rustme
keylogger
cryptowall
evasion
salatstealer
auto
redline
generic
rat
njrat
bladabindi
python
anti-evasion
autoit
telegram
pxastealer
xworm
dcrat
jeefo
eicar-test
blankgrabber
hijackloader
screenshot
amadey
discord
exfiltration
lumma
susp-powershell
phish-ml-docx
pastebin
nanocore
30 March, 2026
Malicious activity
virs.zip
auto
xworm
rat
arch-exec
loader
generic
hausbomber
stealer
stealc
arch-scr
github
evasion
phishing
nsminer
miner
anti-evasion
inno
installer
remote
delphi
python
netreactor
rustdesk
rmm-tool
telegram
pxastealer
crypto-regex
meterpreter
discord
pastebin
adware
ftp
jeefo
blankgrabber
njrat
bladabindi
clickfix
barys
screenshot
discordrat
cryptowall
ransomware
remcos
quasar
autoit
cryptolocker
formbook
phorphiex
botnet
agenttesla
phorpiex
cobaltstrike
tool
xfiles
santastealer
mirai
antivm
golang
websocket
25 March, 2026
Malicious activity
quickdocshare.com
pxastealer
23 March, 2026
Malicious activity
0c4df034-e34e-440e-8430-73719a1201c1
pxastealer
19 March, 2026
Malicious activity
Synaptics.exe
xred
backdoor
hausbomber
loader
arch-exec
github
delphi
evasion
xmrig
miner
pastebin
winring0-sys
vuln-driver
auto
redline
stealer
coinminer
autoit
dyndns
salatstealer
amadey
botnet
discord
python
quasar
nuitka
websocket
pythonstealer
ms-smartcard
chromelevator
hacktool
inject
remcos
rat
generic
arch-doc
anti-evasion
remote
rustdesk
rmm-tool
stealc
exela
screenshot
gotohttp
xworm
telegram
pxastealer
shifu
banking
smb
scan
smbscan
vidar
lumma
braodo
phishing
darkstealer
heodo
neshta
xor-url
upx
hijackloader
braincipher
ransomware
bdaejec
clickfix
cryptowall
12 March, 2026
Malicious activity
limewire.com
possible-phishing
phish-url
auto
generic
doc-url
python
telegram
stealer
rat
evasion
pxastealer
api-base64
ims-api
TRACK THEM ALL AT
Public Submissions
Last Seen at
10 April, 2026
Malicious activity
4363463463464363463463463.exe
github
auto
hijackloader
loader
generic
python
hausbomber
phishing
discord
evasion
stealer
stealc
redline
metastealer
vidar
anti-evasion
smb
deerstealer
delphi
inno
installer
websocket
ghostsocks
proxyware
nuitka
xworm
remote
upx
pythonstealer
violetworm
worm
schoolboy
metasploit
backdoor
meterpreter
rat
gh0st
gh0stcringe
autoit
discordrat
braodo
amadey
botnet
telegram
pxastealer
arch-exec
arch-scr
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
quickdocshare.com
pxastealer
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
auto
stealer
redline
meterpreter
generic
cryptowall
evasion
salatstealer
rustme
keylogger
loader
metasploit
backdoor
python
anti-evasion
rat
njrat
bladabindi
autoit
arch-exec
pxastealer
telegram
jeefo
xworm
dcrat
blankgrabber
screenshot
quasar
hijackloader
amadey
discord
lumma
exfiltration
eicar-test
susp-powershell
nanocore
pastebin
donutloader
rust
2 April, 2026
Malicious activity
payload (3).ps1
github
wannacry
ransomware
loader
stealer
arch-exec
rustme
keylogger
cryptowall
evasion
salatstealer
auto
redline
generic
rat
njrat
bladabindi
python
anti-evasion
autoit
telegram
pxastealer
xworm
dcrat
jeefo
eicar-test
blankgrabber
hijackloader
screenshot
amadey
discord
exfiltration
lumma
susp-powershell
phish-ml-docx
pastebin
nanocore
30 March, 2026
Malicious activity
virs.zip
auto
xworm
rat
arch-exec
loader
generic
hausbomber
stealer
stealc
arch-scr
github
evasion
phishing
nsminer
miner
anti-evasion
inno
installer
remote
delphi
python
netreactor
rustdesk
rmm-tool
telegram
pxastealer
crypto-regex
meterpreter
discord
pastebin
adware
ftp
jeefo
blankgrabber
njrat
bladabindi
clickfix
barys
screenshot
discordrat
cryptowall
ransomware
remcos
quasar
autoit
cryptolocker
formbook
phorphiex
botnet
agenttesla
phorpiex
cobaltstrike
tool
xfiles
santastealer
mirai
antivm
golang
websocket
25 March, 2026
Malicious activity
quickdocshare.com
pxastealer
23 March, 2026
Malicious activity
0c4df034-e34e-440e-8430-73719a1201c1
pxastealer
19 March, 2026
Malicious activity
Synaptics.exe
xred
backdoor
hausbomber
loader
arch-exec
github
delphi
evasion
xmrig
miner
pastebin
winring0-sys
vuln-driver
auto
redline
stealer
coinminer
autoit
dyndns
salatstealer
amadey
botnet
discord
python
quasar
nuitka
websocket
pythonstealer
ms-smartcard
chromelevator
hacktool
inject
remcos
rat
generic
arch-doc
anti-evasion
remote
rustdesk
rmm-tool
stealc
exela
screenshot
gotohttp
xworm
telegram
pxastealer
shifu
banking
smb
scan
smbscan
vidar
lumma
braodo
phishing
darkstealer
heodo
neshta
xor-url
upx
hijackloader
braincipher
ransomware
bdaejec
clickfix
cryptowall
12 March, 2026
Malicious activity
limewire.com
possible-phishing
phish-url
auto
generic
doc-url
python
telegram
stealer
rat
evasion
pxastealer
api-base64
ims-api
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
Top 5 Phishing-Driven Social Engineering Atta...
watchers 70
comments 0
post image
ANY.RUN Turns 10: Special Offers for Stronger...
watchers 1675
comments 0
post image
LATAM Under Siege: Agent Tesla's 18-Month Cre...
watchers 5325
comments 0

Contents

  • PXA Stealer Targeting High-Value Data
  • Key takeaways
  • What is PXA Stealer malware?
  • PXA Stealer malware technical details
  • PXA Stealer victimology
  • PXA Stealer execution process
  • PXA Stealer malware distribution methods
  • Gathering Threat Intelligence on PXA Stealer Malware
  • Conclusion

Recent blog posts

post image
Top 5 Phishing-Driven Social Engineering Atta...
watchers 70
comments 0
post image
ANY.RUN Turns 10: Special Offers for Stronger...
watchers 1675
comments 0
post image
LATAM Under Siege: Agent Tesla's 18-Month Cre...
watchers 5325
comments 0

PXA Stealer Targeting High-Value Data

Key takeaways

  1. PXA Stealer is an infostealer that primarily targets credentials, browser data, and financial information.
  2. Its methods include DLL sideloading, multi-stage archives, phishing, and legitimate files abuse.
  3. Targeted industries include education and government entities.
  4. Some variants maintain persistence through RAT components or by running alongside legitimate programs.
  5. Stolen information is monetized on underground marketplaces.
  6. Analysts can use ANY.RUN’s Interactive Sandbox to expose PXA Stealer. View analysis in ANY.RUN Sandbox

analysis in Sandbox

PXA Stealer analysis in ANY.RUN’s Interactive Sandbox

  1. Browse data on PXA Stealer in Threat Intelligence Lookup to identify and monitor its variants.

Search results in TI

Overview of PXA Stealer results in TI Lookup

What is PXA Stealer malware?

PXA Stealer is designed to harvest sensitive data through malicious software updates, attachments, and phishing links.

In 2024, a large-scale campaign driven by PXA Stealer unfolded. It was deployed as the final payload successfully stealing high-value data, including credentials and financial data via automated bot networks. Over 4,000 users were impacted by this operation, with 200,000+ passwords stolen.

Threat actors behind the malware are believed to be Vietnamese-speaking cybercriminals, based on code comments and Telegram account data linked to the attack.

The initial sideloading-based distribution through legitimate executables paired with a malicious DLL further evolved to include anti-analysis measures and decoys. The general attack methods haven’t changed. Threat actors demonstrated the ability to improve the malware, refining initial access and obfuscation methods.

Stolen data is subsequently monetized through underground marketplaces.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

PXA Stealer malware technical details

The primary functionality and feature of malware:

PXA Stealer spreads via DLL sideloading and multi-stage payloads in archived files (e.g., Ghost in the Zip campaign).

During 2025, threat actors continued to refine their initial access and evasion techniques. They started to use benign documents (like PDFs) and legitimate software as decoy for more convincing DLL execution. Such elaborate, layered attacks are harder to detect both by endpoint security tools and analysts.

PXA variants are generally not persistence-oriented. Their primary goal is to steal data in one go and exit. However, in several campaigns additional persistence was achieved by extra tools like RAT components. Persistence was also maintained as the malware stayed active alongside the legitimate program that carried the malicious DLL.

Anti-analysis methods include the abuse of legitimate files and software to distract users and analysts. Layered and nested archives, the mixing of benign and malicious objects – all this contributes to the delay of detection.

As for PXA variants that come with RATs, these often include deeper obfuscations, such as multi-layer encoding and fragmented execution stages, making the reconstruction of execution flow even more complex.

For exfiltration of stolen data, PXA uses legitimate cloud messaging platforms, most often Telegram API and controlled C2 infrastructure.

PXA Stealer victimology

A number victims of PXA Stealer are private individuals, but a large proportion are organizations, particularly educational and government organizations from Asian (e.g., South Korea) and European (e.g. Sweden, Denmark, the Netherlands) countries, as well as the US. The total range of victim’s geography includes over 60 countries.

PXA Stealer execution process

See how PXA Stealer attack unfolds in a VM: View analysis in ANY.RUN Sandbox

The attack starts with the delivery of a large archive that contains an .exe file with a malicious DLL library.

PXA Stealer in Sandbox Archived file that includes PXA Stealer as seen in ANY.RUN”s Interactive Sandbox

Upon the execution, the DLL activates and creates a script, which begins to unfold the payload. In particular, the .CMD script uses Windows’ certutil utility to decode and extract an encrypted .RAR archive embedded into a corrupted PDF file.

The next step: certutil extracts base64-coded content from the PDF and transforms it into a new archive file – Invoice.pdf (RAR-archived).

After that, WinRar’s package utility masquerading as images.png file extracts the archive using predefined parameters and password.

PXA Stealer in Sandbox 2 images.png file: the disguised WinRar’s package utility. ANY.RUN’s Sandbox

Now several dependencies for Python environment are unpacked, including a renamed legitimate Python 3.10 interpreter under the disguise of svchost.exe.

PXA Stealer in Sandbox 3 Malicious Python script hidden in images.png. ANY.RUN Sandbox

Finally, the Python script is initialized and sets a Run registry key.

PXA Stealer in Sandbox 4 Malicious Python script initialized. ANY.RUN Sandbox

Once launched, the script proceeds to conduct standard functions of a stealer for data harvesting.

PXA Stealer in Sandbox 5 PXA Stealer-associated data stealing processes. ANY.RUN Sandbox

PXA Stealer malware distribution methods

PXA Stealer is most commonly distributed through:

  • Phishing emails or messages on apps/social platforms

They contain archive attachments, inside of which there’s a legitimate file + a malicious DLL for sideloading. When a user launches the executable, the malicious DLL loads automatically.

  • Download links

Threat actors also use malicious links shared via file-sharing or cloud storage services, as this allows them to bypass email filters.

  • Files shared on corporate networks (user-initiated)

Notably, as PXA Stealer seemed to targeted government and educational institutions, in some cases it was distributed through internal messaging and storage systems.

  • Fake software updates

PXA also spreads through the delivery of legitimate software update files with a malicious DLL in a bundle.

Gathering Threat Intelligence on PXA Stealer Malware

Gain actionable insights on PXA Stealer by browsing Threat Intelligence Lookup that provides:

  • Instant identification of suspicious files, URLs, domains, and IPs linked to PXA Stealer

  • Overview of related IOCs, IOBs, IOAs to facilitate threat hunting

  • Links to live sandbox investigations of PXA Stealer for deeper analysis

  • Insights into C2 connections, exfiltration methods, and distribution techniques

  • Streamlined incident response through immediate access to verified threat intelligence

Follow this link or copy the query to browse TI Lookup:

threatName:"PXA Stealer"

Search results in TI

Overview of PXA Stealer results in TI Lookup

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

PXA Stealer remains high‑risk information‑stealing threat that abuses legitimate executables to evade detection. It exfiltrates credentials, browser data, cookies, and financial information, enabling account takeover, fraud, and further intrusions. Educational and government institutions seems to be especially endangered.

Adopt a proactive defense strategy with ANY.RUN to mitigate the business risks:

  • Analyze suspicious files, archives, and multi‑stage payload chains in sandboxing solutions such as ANY.RUN’s Interactive Sandbox
  • Track emerging PXA Stealer campaigns and strengthen detection across your environment in Threat Intelligence Lookup, a browsable collection of fresh IOCs and IOBs sourced from live investigations by over 15,000 SOC teams.

Get 50 trial request and start gathering actionable intelligence in TI Lookup. Sign up now

HAVE A LOOK AT

GREENBLOOD screenshot
GREENBLOOD
greenblood
GREENBLOOD is a Go-based ransomware that uses concurrent ChaCha8 encryption to lock entire Windows environments in under a minute while systematically destroying backups, disabling defenses, and threatening double extortion through a Tor-based data leak site.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Moonrise screenshot
Moonrise
moonrise
Moonrise RAT is a newly discovered Go-based remote access trojan with zero detections at launch, featuring credential theft, keylogging, webcam access, clipboard hijacking, and UAC bypass.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More
Sneaky 2FA screenshot
Sneaky 2FA
sneaky2fa
Sneaky 2FA is an Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts. Distributed as a Phishing-as-a-Service (PhaaS) through a Telegram bot, this malware bypasses two-factor authentication (2FA) to steal credentials and session cookies, posing a significant threat to individuals and organizations.
Read More