Cybercriminals are constantly evolving, and one of the latest trends shows how professional platforms can be weaponized. A recent campaign involving PXA Stealer malware highlights how attackers are now using LinkedIn as a primary entry point. Instead of suspicious emails or shady websites, victims are approached through what appears to be legitimate job opportunities.
This method works because it blends perfectly into the normal behavior of job seekers and professionals. When someone receives a message about a new role, especially from a known contact or recruiter, their guard is naturally lower. That’s exactly what attackers are taking advantage of.
What makes this campaign even more concerning is its ability to spread quickly. Once a LinkedIn account is compromised, attackers reuse it to target that user’s entire network. This creates a chain reaction, allowing the malware to propagate at scale.

Threat Overview
This campaign revolves around a multi-stage information stealer known as PXA Stealer. Its main objective is to silently collect sensitive data from infected systems.
The malware is designed to extract:
- Browser credentials and saved sessions
- Cryptocurrency wallet data
- Two-factor authentication (2FA) tokens
- Email account credentials
- Hardware wallet artifacts
Unlike basic malware, this one operates in multiple layers and uses advanced evasion techniques. It avoids detection by using trusted platforms and executing most of its operations in memory, leaving very little trace behind.
Attack Chain Breakdown

1. Initial Access via LinkedIn
The attack begins with a direct message on LinkedIn. The message typically appears to come from a recruiter offering a part-time or remote job. In many reported cases, the company name used was Apex Logistics Group.
Victims are encouraged to fill out a job application form, which leads them to a Google Form:
- hxxps://forms[.]gle/JjAtpy26Tcokow2Q7
This step is important because Google domains are generally trusted and rarely blocked by security systems.
2. Payload Delivery Through Trusted Platforms
Inside the Google Form, users are given a link to view job details:
- hxxps://tr.ee/PRtnsf
This shortened URL redirects to a Dropbox-hosted ZIP file:
- “Position Details and Compensation Policy (2).zip”
At the time of analysis, this file showed zero detections on VirusTotal, making it appear harmless.
3. Archive Contents and Execution
Once downloaded and extracted, the archive contains:
- A fake Microsoft Word executable (renamed winword.exe)
- Malicious DLL: AppvIsvSubsystems64.dll
- Batch scripts (en.cmd / en.pip)
- Hidden folder “__” with additional payloads
When the user opens the fake Word file, it triggers DLL sideloading, loading the malicious DLL instead of the legitimate one.
A key trick here is binary padding. The malicious DLL is inflated to nearly 100 MB, allowing it to bypass scanners that skip large files.
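A triage check for the archive layout described in this step, added here as an example (not code from the original post or from any analysis of the real sample): it reads only the ZIP's central-directory metadata, flags an executable sitting beside a DLL as a sideloading candidate, and treats a large member that deflates to almost nothing as padding, so the inflated file never has to be read in full. The size and ratio thresholds, the script extensions and the sample archive contents are assumptions.

```python
import io
import os
import zipfile

# Thresholds are assumptions; the post reports a DLL inflated to nearly 100 MB.
PADDED_MIN_SIZE = 20 * 2**20   # members at or above 20 MB ...
PADDED_MAX_RATIO = 0.02        # ... that deflate to under 2 % are bulk padding, not code
SCRIPT_EXTS = (".cmd", ".bat", ".pip")

def triage_archive(data: bytes) -> list:
    """Flag the archive pattern described above using only ZIP central-directory
    metadata: nothing is extracted or executed, and the padded member is never read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        dlls_by_dir = {}
        for m in members:
            folder, name = os.path.split(m.filename)
            if name.lower().endswith(".dll"):
                dlls_by_dir.setdefault(folder, []).append(name)
        for m in members:
            folder, name = os.path.split(m.filename)
            if name.lower().endswith(".exe") and folder in dlls_by_dir:
                findings.append(f"sideload candidate: {m.filename} beside {', '.join(dlls_by_dir[folder])}")
            if m.file_size >= PADDED_MIN_SIZE and m.compress_size / m.file_size < PADDED_MAX_RATIO:
                findings.append(f"padded binary: {m.filename} is {m.file_size} bytes but deflates to {m.compress_size}")
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(f"launcher script: {m.filename}")
            if any(part.startswith("__") for part in folder.split("/")):
                findings.append(f"hidden payload folder: {m.filename}")
    return findings

def build_sample_archive() -> bytes:
    """Constructed stand-in for the archive described above (names from the post, contents invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Position Details/winword.exe", b"MZ" + b"\0" * 600)
        zf.writestr("Position Details/AppvIsvSubsystems64.dll", b"MZ" + b"\0" * PADDED_MIN_SIZE)
        zf.writestr("Position Details/en.cmd", b"@echo off\r\n")
        zf.writestr("Position Details/__/Invoice.pdf", b"not really a pdf")
    return buf.getvalue()
```

An executable next to a DLL is common in legitimate software too, so the sideload finding is a prompt to check the DLL's name and signature, not a verdict on its own.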
4. Persistence and Payload Deployment
The DLL executes a batch script that:
- Extracts a hidden payload disguised as “Invoice.pdf”
- Places files in %LOCALAPPDATA%\Microsoft\WindowsApps
- Creates a scheduled task mimicking a Microsoft Edge update
This ensures the malware survives system reboots while blending into normal activity.
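For the persistence step, an added example (not from the original post) that checks an exported scheduled-task XML definition for the pattern described above: a task whose name or description borrows a vendor or updater label but whose action launches from a user-writable location such as %LOCALAPPDATA%. Both task definitions below are constructed for the example and are not indicators from the post; the user-writable roots and vendor words are assumptions to tune per environment.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations an unprivileged user can write to (assumption: extend for your environment).
USER_ROOTS = ("%localappdata%", "%appdata%", "%temp%", "%tmp%", "%userprofile%")
USER_PATH_PARTS = ("\\appdata\\", "\\temp\\")
VENDOR_WORDS = ("microsoft", "edge", "update")

def runs_from_user_writable(command: str) -> bool:
    """True if the action's command lives under a user-writable root (env-var or expanded form)."""
    cmd = command.strip().strip('"').lower()
    return cmd.startswith(USER_ROOTS) or any(part in cmd for part in USER_PATH_PARTS)

def check_task_xml(xml_text: str) -> list:
    """Flag a task that carries a vendor/updater label but launches from a user-writable path."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    label = (uri + " " + root.findtext("t:RegistrationInfo/t:Description", "", NS)).lower()
    findings = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS)
        if any(word in label for word in VENDOR_WORDS) and runs_from_user_writable(command):
            findings.append(f"{uri}: vendor-style task runs {command} from a user-writable path")
    return findings

# Constructed task definitions for the example (XML declaration omitted for brevity).
LEGIT_LOOKING = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command></Exec></Actions>
</Task>"""
SUSPICIOUS = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SampleEdgeUpdateTask</URI><Description>Keeps Microsoft Edge up to date.</Description></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>%LOCALAPPDATA%\\Microsoft\\WindowsApps\\winword.exe</Command></Exec></Actions>
</Task>"""
```

On a live host the same check can be run over the definitions under C:\Windows\System32\Tasks or the output of an export, since both use this schema.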
5. Multi-Layer Obfuscation
The final payload is heavily encoded using multiple techniques:
- XOR encryption
- Base64 encoding
- bzip2 compression
- zlib compression
The payload is executed directly in memory using Python’s exec() function. This means:
- No files are written to disk
- Traditional forensic tools struggle to detect it
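An analyst-side unpacker for the layering described in this step, added here as an example and not code from the original post or from the malware: it strips bzip2, zlib and Base64 layers by their signatures, brute-forces a single-byte XOR key where no signature is present, and stops when it reaches Python source, which it parses with ast instead of handing to exec(). The layer order, the single-byte key size and the embedded sample are assumptions.

```python
import ast
import base64
import bz2
import zlib

def looks_like_python(blob: bytes) -> bool:
    """Parses as Python and does something; a bare name (any Base64 run of letters) does not count."""
    try:
        tree = ast.parse(blob.decode("utf-8"))
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return False
    return any(isinstance(n, (ast.Call, ast.Import, ast.ImportFrom, ast.Assign)) for n in ast.walk(tree))

def decode_layer(blob: bytes):
    """Strip one codec layer recognised by its signature; returns (kind, inner) or None."""
    try:
        if blob.startswith(b"BZh"):
            return "bzip2", bz2.decompress(blob)
        if blob[:1] == b"x" and blob[1:2] in (b"\x01", b"^", b"\x9c", b"\xda"):
            return "zlib", zlib.decompress(blob)
        text = blob.strip()
        if text and len(text) % 4 == 0 and set(text) <= set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="):
            return "base64", base64.b64decode(text, validate=True)
    except (OSError, zlib.error, ValueError):  # bz2 raises OSError, base64 raises binascii.Error
        return None
    return None

def peel(blob: bytes, max_layers: int = 16):
    """Unwrap to plain Python source and return it for review, never exec(); XOR has no signature, so brute-force a single-byte key (size assumed)."""
    layers = []
    for _ in range(max_layers):
        step = decode_layer(blob)
        if step:
            kind, blob = step
            layers.append(kind)
            continue
        if looks_like_python(blob):
            return blob, layers
        for key in range(1, 256):  # accept only a key that exposes a decodable codec or real code
            cand = bytes(b ^ key for b in blob)
            if decode_layer(cand) or looks_like_python(cand):
                blob, layers = cand, layers + [f"xor:{key:#04x}"]
                break
        else:
            raise ValueError("unrecognised layer; refusing to guess further")
    raise ValueError("layer limit reached")

def build_sample(key: int = 0x5A) -> bytes:
    # Constructed sample, not the real payload: zlib, then bzip2, then XOR, then Base64 (order assumed).
    inner = bz2.compress(zlib.compress(b"import os\nresult = os.getcwd()\n"))
    return base64.b64encode(bytes(b ^ key for b in inner))
```

The recovered source is what a loader would pass to exec(); reviewing it statically is how the next stage (the Telegram lookup and C2 URL) can be read without running it.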
6. Command and Control (C2)
Instead of hardcoding a server, the malware retrieves its C2 infrastructure dynamically from Telegram:
- hxxps://t[.]me/erik22sucbot
It then builds a URL:
- hxxp://151.243.109.125/support/links/sunset[.]txt
Interestingly, this IP redirects to a Chinese government site, likely as a deception tactic.
The final payload is downloaded and executed, continuing the attack chain.
7. Data Exfiltration
Sensitive data is sent to:
- 15.235.156[.]143:56001
Communication is encrypted using TLS, making it difficult to inspect.
The malware targets a wide range of data, including:
- Browser data from Chrome, Edge, Brave, and others
- Crypto wallets like MetaMask, Trust Wallet, and Phantom
- Desktop wallets such as Bitcoin-Qt and Electrum
- Email clients like Foxmail
- Telegram session data
History and Evolution of PXA Stealer
PXA Stealer was first identified in late 2024 and has evolved rapidly since then.
Originally, it was a simple Python-based stealer. Over time, it has grown into a sophisticated malware ecosystem with features like:
- DLL sideloading
- In-memory execution
- Multi-layer encryption
- Dynamic C2 infrastructure
The malware is linked to a Vietnam-based threat group. Reports suggest that over 94,000 systems were infected globally, with stolen data being sold on underground marketplaces.
MITRE ATT&CK Mapping
The campaign aligns with several known MITRE techniques:
- T1059.006 – Python execution
- T1574.002 – DLL sideloading
- T1027 – Obfuscation
- T1036.005 – Masquerading
- T1053.005 – Scheduled task persistence
- T1102 – Use of cloud services
This consistency across campaigns confirms attribution to the same malware family.
Impact on Organizations
The damage caused by PXA Stealer can happen within minutes:
- Credentials are stolen instantly
- Session cookies allow attackers to bypass MFA
- Email access enables business email compromise
One of the most dangerous aspects is LinkedIn account takeover. Once compromised, the account is used to send malicious messages to others, expanding the attack.
Organizations may face:
- Data breach notifications (GDPR, DPDPA)
- Financial losses
- Reputation damage
- Long-term unauthorized access
Why This Attack Is So Effective
This campaign succeeds because it abuses trust at every level:
- LinkedIn → trusted professional platform
- Google Forms → legitimate infrastructure
- Dropbox → reliable file hosting
- Microsoft binaries → trusted execution
Each step looks normal, making detection extremely difficult.
Conclusion
PXA Stealer represents a new wave of cyber threats that rely less on technical exploits and more on social engineering combined with stealthy execution techniques.
The campaign is still active and spreading across multiple countries, including India, Bangladesh, the Netherlands, Sweden, and the United States.
Professionals, recruiters, and job seekers should remain cautious when interacting with unsolicited job offers—even on trusted platforms.
Our Opinion on This Case
From our perspective, this campaign marks a clear shift in how attackers approach social engineering. Instead of relying on traditional phishing emails, they are embedding themselves directly into professional ecosystems like LinkedIn. This makes the attack far more believable and significantly harder to detect.
What stands out most is the attacker’s understanding of human behavior. Job seekers are naturally inclined to respond quickly to opportunities, especially remote or part-time roles. By combining this psychological trigger with trusted platforms like Google and Dropbox, the attackers have created a near-perfect delivery mechanism.
Technically, the use of DLL sideloading, oversized binaries, and in-memory execution shows a high level of maturity. These are not random tactics but carefully selected methods designed to bypass modern security tools.
In our view, this campaign highlights a growing gap between user trust and security awareness. Even well-informed professionals can fall victim when the attack is this convincing.
Organizations should treat social platforms as part of their attack surface and invest in user education alongside technical defenses. Without that balance, campaigns like this will continue to succeed and scale rapidly.
