Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery & execution chain leading to PXA Stealer.

Executive Summary

Beazley Security, in collaboration with SentinelLabs, has uncovered a sophisticated, global cybercrime campaign leveraging a rapidly evolving variant of the Python-based infostealer known as PXA Stealer. This operation highlights a marked escalation in threat actor capabilities, showcasing advanced sideloading techniques, layered evasion strategies, and a hardened command-and-control (C2) infrastructure designed to impede detection, frustrate security analysts, and delay forensic analysis.

Over the course of this investigation, more than 4,000 unique victims across 62 countries have been identified, with the most significant clusters located in South Korea, the United States, the Netherlands, Hungary, and Austria. The scope of data exfiltrated is extensive: over 200,000 unique passwords, hundreds of credit card records, and more than 4 million browser cookies have been harvested, providing cybercriminals with immediate access to victims’ digital identities and financial assets.

Beazley Security's Managed Detection & Response (MDR) team observed a significant evolution in the campaign’s tradecraft throughout 2025, particularly in its July wave, which introduced additional obfuscation layers, improved persistence mechanisms, and anti-analysis techniques using decoy documents and malformed archives. These refinements point to a maturing threat actor who is continuously investing in capability development, likely funded by the proceeds of stolen data.

This campaign demonstrates a strategic shift in modern cybercrime. Rather than relying solely on malware, these actors exploit legitimate software (e.g., Haihaisoft PDF Reader, Microsoft Word 2013), well-known platforms (Telegram, Cloudflare Workers, Dropbox), and automation to reduce overhead, extend reach, and monetize stolen data at scale. Notably, these tactics significantly hinder traditional detection mechanisms by blending malicious behavior with seemingly innocuous activity.

The threat actors behind this campaign are tied to Vietnamese-speaking cybercriminal circles and operate a subscription-based underground ecosystem, built around Telegram bot automation, for reselling and reusing exfiltrated data. This infrastructure enables rapid monetization and supports a broader criminal economy including credential stuffing, cryptocurrency theft, financial fraud, and enterprise intrusion.

The final payload, PXA Stealer, is highly modular and capable of exfiltrating data from a broad range of browsers, financial applications, VPNs, cloud tools, cryptocurrency wallets, and even encrypted storage. In some variants, it includes DLL injection capabilities targeting browser encryption keys, bypassing controls designed to hamper information stealers and expanding its reach into protected credential stores.

Strategic Implications:

  • Global reach and rapid proliferation make PXA Stealer a top-tier threat to both individuals and enterprises.
  • Low barrier to entry, due to turnkey resale via Telegram bots, enables less sophisticated actors to access both powerful tooling and stolen credentials.
  • Weaponization of trusted platforms like Telegram and Cloudflare complicates attribution and takedown efforts.
  • High-value data collection positions this threat to support secondary intrusions, ransomware deployment, and business email compromise (BEC). Read our eBook on this topic.

This discovery underscores the critical need for organizations to adopt advanced threat detection, behavioral monitoring, and proactive threat hunting. Traditional perimeter defenses and signature-based antivirus solutions are ill-equipped to combat such dynamic, infrastructure-leveraging attacks.

Beazley Security commends SentinelLabs for their invaluable collaboration and reverse engineering contributions, which were instrumental in dissecting this evolving threat and providing actionable intelligence to the wider cyber security community.

To read the full discovery, head over to our research blog.

