py.pxa_stealer

PXA Stealer

aka: PXAStealer, PXA

PXA Stealer is an information-stealing malware written in Python, identified by Cisco Talos in an active campaign attributed to a Vietnamese-speaking threat actor (2024). The stealer targets sensitive data such as credentials for online accounts, VPN and FTP clients, financial information, browser cookies, and gaming-related data. Notably, PXA Stealer is capable of decrypting browser master passwords to exfiltrate stored credentials. The campaign leverages heavily obfuscated batch scripts for delivery and execution. The actor behind this operation is linked to the Telegram channel “Mua Bán Scan MINI,” known to host credential trade and cybercrime activity. While there are connections to the CoralRaider adversary, attribution to this group remains unconfirmed. In Q2 2025, PXA Stealer was observed targeting Italy.

References
2024-11-14 | Cisco Talos | Alex Karkins, Chetan Raghuprasad, Joey Chen
New PXA Stealer targets government and education sectors for sensitive information
PXA Stealer

There is no Yara-Signature yet.