A Vietnamese threat actor has deployed a sophisticated Python-based malware called PXA Stealer, targeting government and educational institutions across Europe and Asia.
Key Features of PXA Stealer:
– Steals credentials from various online accounts and from VPN and FTP clients
– Captures financial information and browser cookies
– Decrypts browser master passwords
– Specifically targets Facebook business and advertisement accounts
Attribution and Connections:
– Vietnamese origin confirmed through code comments and Telegram account “Lone None”
– Possible links to threat actor “CoralRaider”
– Active in Vietnamese Telegram groups selling compromised credentials and tools
Attack Methodology:
1. Phishing emails carrying ZIP file attachments
2. Deployment of a Rust-based loader
3. Execution of Windows batch scripts
4. Deployment of an anti-AV payload
5. Installation of PXA Stealer
Related Developments:
– IBM X-Force identified StrelaStealer campaigns targeting European countries
– New stealer variants emerging: Amnesia Stealer and Glove Stealer
– Continuous evolution of existing malware families such as RECORDSTEALER and Rhadamanthys
This threat represents a growing trend in sophisticated information-stealing malware, particularly from Vietnamese threat actors targeting business and advertising accounts.