Global Surge in PXA Stealer Attacks Targets Financial Institutions, Exploiting Phishing and Telegram-Based Data Theft in Early 2026

In the first quarter of 2026, cybersecurity teams observed a noticeable increase in activity related to a malware family known as PXA Stealer. This rise comes shortly after the disruption of major infostealers like Lumma, Rhadamanthys, and RedLine in 2025, which appears to have created an opportunity for newer threats to expand. Based on threat intelligence insights, PXA Stealer campaigns have grown by nearly 8–10%, particularly targeting financial institutions across multiple regions.

Unlike earlier campaigns, the latest wave demonstrates improved flexibility in attack delivery. Threat actors are no longer relying on a single lure but are experimenting with multiple formats such as resumes, tax documents, design software installers, and legal paperwork. This shift suggests a broader targeting strategy designed to increase success rates across different victim profiles.

Kill chain of the investigated PXA Stealer incident (Source: Cyberproof)

This report provides a complete technical walkthrough of a real-world attack scenario associated with a bot cluster identified as “Verymuchxbot,” covering each stage from initial compromise to data exfiltration. The goal is to help defenders understand how this threat operates and how to detect similar activity in their environments.


Threat Overview

PXA Stealer is categorized as an information-stealing malware that focuses on extracting sensitive data such as browser credentials, saved passwords, and cryptocurrency wallet information. Once collected, this data is typically transmitted through messaging platforms like Telegram, allowing attackers to quickly monetize stolen information.

What makes this malware particularly concerning is its modular design and reliance on legitimate system tools, which makes detection more difficult. It blends malicious activity with normal system operations, reducing the chances of triggering traditional security alerts.


Attack Chain Analysis

Initial Access: Phishing and Malicious Downloads

The attack begins with a phishing email that contains a link to a malicious website. In the investigated case, the victim was directed to download a ZIP archive named:

Pumaproject.zip
Source: downloadtheproject[.]xyz

This file appears harmless but is crafted to trick users into executing a disguised executable.


Execution: Payload Activation

Inside the archive, the victim finds a file named:

Document.docx.exe

Although it looks like a Word document, it is actually an executable file. Once launched, it initiates the next stage of the attack by unpacking:

  • A portable Python interpreter
  • Supporting Python libraries
  • Malicious scripts

At this stage, a command script (inter.cmd) is executed from a hidden directory, continuing the infection chain.


Deception and File Staging

To avoid suspicion, the malware displays a legitimate document while executing malicious actions in the background. Meanwhile, it creates a hidden folder named:

“Dots”

Inside this directory, several files are staged to support further execution.


Living-off-the-Land Techniques

The attackers rely heavily on built-in Windows utilities and renamed legitimate tools:

  • Certutil.exe is used to decode hidden data into an archive disguised as a PDF file (Shodan.pdf)
  • A legitimate WinRAR executable is renamed to picture.png and used to extract the archive

This approach allows attackers to bypass traditional defenses by using trusted binaries.


Payload Deployment

The extracted archive contains:

  • A portable Python runtime
  • Multiple libraries
  • An obfuscated Python script

The Python interpreter is renamed to: svchost.exe

This is a well-known Windows process name, making it less suspicious during monitoring.

The files are deployed in: C:\Users\Public\WindowsSecure

The archive is protected with the password: shodan2201


Command Execution and Bot Identification

The renamed interpreter (svchost.exe) executes a heavily obfuscated script. During execution, references to bot identifiers are observed, indicating campaign tracking by the threat actors:

  • Verymuchxbot
  • Ken1


Credential Harvesting and Browser Injection

Once active, the malware injects itself into browser processes to:

  • Capture login credentials
  • Monitor user activity
  • Intercept sensitive data during specific website visits

It also leverages keylogging techniques to record user input.


Data Exfiltration

After collecting the data, the malware establishes outbound communication over TCP port 443 and sends stolen information through Telegram channels (t.me). This method allows attackers to exfiltrate data quickly while blending into normal encrypted traffic.


Persistence Mechanism

To maintain access, the malware modifies the Windows Registry by adding a persistence entry, ensuring it executes automatically after system reboot.


Indicators of Compromise (IOCs)

Files and Hashes

  • picture.png
    SHA256: 23b122deea347dbe2407c1542c1cc6caaafca537eb5d1950a4ed7c8a69395dbb
  • Document.docx
    SHA256: d30a4d0249b5417af02a4e7ffb5b456efd8cd5eb8da6532329ae071f643e5079
  • c2r64.dll
    SHA256: 10955134b4e8dc41b2a116ab41d17b0ef0985bea99bdc5f0e5a11a07728905ec
  • Pumaproject.zip
    SHA256: 100a7674ece92dae0dc0bfde15dfb524939a8dd0c295ff2e232895a07e21342f
  • Shodan.pdf
    SHA256: 8de1c5a66deab8bd4f59b2801a66f503f087345ccb0598c5ca8185f1edb2092b

Additional Hash Indicators



Network Indicators

  • 146[.]112.56.140
  • 151[.]243.109.125

Malicious URLs


Detection and Mitigation Guidance

Security teams should pay close attention to suspicious email attachments and unusual process executions. Files that appear as documents but behave like executables are a major red flag. Monitoring tools should also track the use of utilities like certutil and unexpected archive extraction behavior.

Outbound traffic to uncommon top-level domains such as .xyz should be reviewed carefully. Additionally, connections to messaging platforms like Telegram from non-standard processes may indicate data exfiltration attempts.

Behavioral detection is critical here. Instead of relying only on signatures, organizations should focus on identifying unusual patterns such as hidden directory creation, renamed executables, and process injection attempts.


Threat Hunting Insight

A useful hunting approach is to search for:

  • certutil -decode invocations whose output is a .pdf file
  • Execution of renamed binaries such as svchost.exe from non-system directories
  • Activity involving temporary folders or Outlook cache locations

Threat hunters can also leverage VirusTotal queries focusing on behavior patterns like decoding operations and known bot identifiers.
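As an added detection example (not code from the report or from Cyberproof), the following Python classifier applies the hunting heuristics above, plus the Telegram-from-non-browser check from the mitigation guidance, to Sysmon-style process-creation and network-connection events. All event records, user paths and the decode input file name are constructed for illustration.

```python
import ntpath
import re

# Constructed Sysmon-style events for illustration (not telemetry from the report).
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\Downloads\Pumaproject\Document.docx.exe",
     "OriginalFileName": "Document.docx.exe", "CommandLine": "Document.docx.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\u\Dots\data.txt C:\Users\u\Dots\Shodan.pdf"},
    {"EventID": 1, "Image": r"C:\Users\u\Dots\picture.png", "OriginalFileName": "WinRAR.exe",
     "CommandLine": r"picture.png x Shodan.pdf C:\Users\Public\WindowsSecure"},
    {"EventID": 1, "Image": r"C:\Users\Public\WindowsSecure\svchost.exe",
     "OriginalFileName": "python.exe", "CommandLine": "svchost.exe main.py"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},   # benign
    {"EventID": 3, "Image": r"C:\Users\Public\WindowsSecure\svchost.exe",
     "DestinationHostname": "t.me", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "t.me", "DestinationPort": 443},                        # benign
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|txt|jpe?g|png)\.(exe|scr|cmd|bat|com)$", re.I)

def classify(event):
    """Return the names of the hunting rules an event matches (empty list = nothing flagged)."""
    name = ntpath.basename(event.get("Image", "")).lower()
    directory = ntpath.dirname(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    host = event.get("DestinationHostname", "").lower()
    hits = []
    if DOUBLE_EXT.search(name):
        hits.append("double_extension")                 # Document.docx.exe-style lure
    if name == "certutil.exe" and "decode" in cmd and ".pdf" in cmd:
        hits.append("certutil_decode_to_pdf")           # hidden data decoded into a fake PDF
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        hits.append("system_name_outside_system_dir")   # svchost.exe under C:\Users\Public
    if original and original != name:
        hits.append("renamed_binary")                   # PE version info disagrees with file name
    if (host == "t.me" or host.endswith(".t.me")) and name not in EXPECTED_TELEGRAM_CLIENTS:
        hits.append("telegram_from_nonbrowser")         # possible exfiltration channel
    return hits

def hunt(events):
    """Keep only flagged events, keyed by (EventID, Image)."""
    return {(e["EventID"], e["Image"]): classify(e) for e in events if classify(e)}
```

The renamed_binary rule depends on Sysmon recording OriginalFileName (from the PE version resource), so packed samples with stripped version info will only be caught by the other rules.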


Our Opinion

The emergence of PXA Stealer as a dominant threat following the takedown of earlier infostealers highlights a recurring pattern in the cybersecurity landscape. Whenever major malware families are disrupted, the gap is quickly filled by new or previously less prominent threats. This cycle reflects not only the resilience of cybercriminal ecosystems but also their ability to adapt faster than defensive strategies evolve.

What stands out in this campaign is not the sophistication of individual techniques but the effectiveness of combining simple methods in a layered way. The attackers are not relying on zero-day vulnerabilities or highly advanced exploits. Instead, they are using trusted system tools, social engineering, and basic obfuscation to achieve their goals. This makes the attack more practical and scalable, especially when targeting large groups such as financial institutions.

Another important observation is the shift toward flexibility in phishing lures. By using different themes like job applications, tax documents, and software installers, attackers significantly increase their chances of success. This suggests that modern campaigns are becoming more user-centric, adapting their approach based on what is likely to attract attention rather than sticking to a fixed template.

The use of Telegram for data exfiltration also reflects a broader trend where attackers prefer platforms that are encrypted, widely used, and difficult to block without affecting legitimate business operations. This creates a challenge for defenders, as blocking such services outright is often not feasible.

From a defensive perspective, this case reinforces the importance of behavior-based detection over traditional signature-based methods. Organizations that rely only on known indicators may struggle to detect slightly modified versions of the same attack. Instead, focusing on patterns such as unusual process execution, hidden file activity, and unexpected network communication provides a more reliable defense.

In conclusion, the PXA Stealer campaign is a reminder that effective cyberattacks do not always require cutting-edge techniques. Often, it is the clever use of existing tools and human psychology that makes these campaigns successful. Organizations must adapt by improving visibility, enhancing user awareness, and investing in proactive threat hunting to stay ahead of such evolving threats.