A group of attackers with ties to the Vietnamese cybercrime underground is running a significant campaign across many countries that delivers the PXA Stealer malware and uses novel sideloading and anti-analysis techniques to slip past defensive measures.

The campaign has targeted victims in more than 60 countries, and the attackers have harvested data from more than 4,000 victims so far, according to research from SentinelLABS and Beazley Security. This campaign dates back to last fall, and researchers have observed the attackers abusing a legitimate signed application (Haihaisoft PDF Reader) to sideload a malicious DLL that starts the PXA Stealer infection chain, which now ends in a Python-based payload rather than a Windows executable.

“Attacks leveraging the updated Python-based payloads are initiated in the same manner: delivery of a large archive containing the signed copy of Haihaisoft PDF Reader, alongside the malicious DLL to be loaded. Upon execution, the malicious DLL creates a .CMD script Evidence.cmd in the current directory, which orchestrates all subsequent steps in the attack chain. The .CMD script utilizes certutil to extract an encrypted RAR archive embedded inside a malformed PDF,” the researchers wrote. 

“This command leads the Edge browser to open the PDF file, though this results in an error message as the file is not a valid PDF. Subsequently, the packaged WinRAR utility, masquerading as images.png, extracts an embedded RAR archive using decoded command lines. This process took several minutes and caused sandbox analysis to time out in several cases, which led to false negative results.”

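As an added example (this is not code from the SentinelLABS/Beazley report or from Decipher), the following Python turns the chain quoted above into three detection rules and runs them over Sysmon Event ID 1 (process creation) records exported as JSON lines: certutil decoding a document or image file, a process whose image has a non-executable extension or whose Sysmon OriginalFileName disagrees with its file name (WinRAR running as images.png), and cmd.exe launching a script from the directory of a non-shell parent (the side-loaded DLL dropping Evidence.cmd beside the signed reader). The log records, every path, the password placeholder and the PDFReader.exe image name are constructed for illustration and are not indicators from the report.

```python
"""Detect the PXA Stealer delivery behaviours in Sysmon Event ID 1 records
exported as JSON lines. SAMPLE_LOG is CONSTRUCTED to mirror the reported
chain; PDFReader.exe, the paths and the password are assumptions, not IOCs."""
import json
import ntpath
import re

# Extensions that should never be the image name of a running process.
NON_PE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".dat"}
# Inputs certutil has no business decoding in routine administration.
DOC_OR_IMAGE_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".docx", ".xlsx"}
# Parents for which launching a .cmd/.bat is routine; rule 3 ignores them.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wt.exe"}


def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def lower_base(path):
    return ntpath.basename(path).lower()


def rule_certutil_decode(ev):
    """Rule 1: certutil -decode/-decodehex whose first positional argument
    (the input file) is a document or image, e.g. a malformed PDF carrier."""
    if lower_base(ev["Image"]) != "certutil.exe":
        return None
    toks = [t.lower() for t in tokens(ev["CommandLine"])][1:]
    if not any(t in ("-decode", "-decodehex") for t in toks):
        return None
    positional = [t for t in toks if not t.startswith("-")]
    if positional and ntpath.splitext(positional[0])[1] in DOC_OR_IMAGE_EXT:
        return "certutil decoding a non-certificate file: " + positional[0]
    return None


def rule_renamed_executable(ev):
    """Rule 2: a PE running under a non-PE name (WinRAR as images.png), caught
    by the extension or by OriginalFileName disagreeing with the image name."""
    name = lower_base(ev["Image"])
    orig = ev.get("OriginalFileName", "").lower()
    if orig == "-":  # Sysmon's placeholder when the field is absent
        orig = ""
    if ntpath.splitext(name)[1] in NON_PE_EXT:
        return f"process image has non-executable extension: {name} (OriginalFileName={orig or '?'})"
    if orig and orig != name:
        return f"image name {name} differs from OriginalFileName {orig}"
    return None


def rule_script_from_app_dir(ev):
    """Rule 3: cmd.exe running a .cmd/.bat that sits in the parent's own
    directory, where the parent is not an interactive shell. This matches a
    side-loaded DLL writing a script beside the signed application."""
    if lower_base(ev["Image"]) != "cmd.exe":
        return None
    parent = ev.get("ParentImage", "")
    if lower_base(parent) in SHELL_PARENTS:
        return None
    for t in tokens(ev["CommandLine"]):
        if ntpath.splitext(t)[1].lower() in (".cmd", ".bat") and \
           ntpath.dirname(t).lower() == ntpath.dirname(parent).lower():
            return f"{lower_base(parent)} launched script from its own directory: {t}"
    return None


RULES = (rule_certutil_decode, rule_renamed_executable, rule_script_from_app_dir)


def detect(json_lines):
    """Return (rule name, detail) for every record that trips a rule."""
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


# Constructed sample: the reported chain plus one benign certutil call.
SAMPLE_LOG = r"""
{"Image": "C:\\Users\\u\\Downloads\\Evidence\\PDFReader.exe", "OriginalFileName": "PDFReader.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Users\\u\\Downloads\\Evidence\\PDFReader.exe\""}
{"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "ParentImage": "C:\\Users\\u\\Downloads\\Evidence\\PDFReader.exe", "CommandLine": "cmd.exe /c \"C:\\Users\\u\\Downloads\\Evidence\\Evidence.cmd\""}
{"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -decode \"C:\\Users\\u\\Downloads\\Evidence\\Evidence.pdf\" C:\\Users\\u\\AppData\\Local\\Temp\\out.rar"}
{"Image": "C:\\Users\\u\\Downloads\\Evidence\\images.png", "OriginalFileName": "WinRAR.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "images.png x -ibck -pREDACTED out.rar C:\\Users\\u\\AppData\\Local\\Temp\\"}
{"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -addstore Root C:\\corp\\ca.cer"}
"""

if __name__ == "__main__":
    for rule_name, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{rule_name}] {detail}")
```

The second branch of rule 2 will also fire on legitimate binaries whose OriginalFileName differs from their on-disk name (some installers and vendor-renamed tools), so treat it as a hunting query to baseline rather than a blocking alert; rule 1 and the extension check in rule 2 are far less noisy. Because the quoted extraction step ran for several minutes and timed out sandboxes, a clean sandbox verdict for this kind of archive should be checked against endpoint process telemetry like the above rather than taken as a negative result.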

PXA Stealer has been in circulation since at least late 2024, when Cisco Talos researchers identified a campaign similar to the newer one. The more recent campaign also includes updated C2 infrastructure and automated use of Telegram channels. Like other infostealers, PXA Stealer is designed to find and exfiltrate sensitive data such as crypto wallets, financial app credentials, browser data, and more. The data is often exfiltrated directly to Telegram channels operated by the attackers and then sold through cybercrime platforms.

The researchers found artifacts connecting this campaign to a Vietnamese threat actor. 

“The Telegram ChatID associated with the infostealer component of this attack is “@Lonenone.” The “Lonenone” theme is also present in the Cloudflare Worker hostname lp2tpju9yrz2fklj[.]lone-none-1807[.]workers[.]dev. The profile display name contains an emoji of the Vietnam flag,” the researchers said.

“This Telegram ChatID/Account is associated with the same threat actor using PXA Stealer as previously described by Cisco Talos. It is worth noting that there are a number of other Vietnamese-language artifacts present in these stages of the malware. For example, the aforementioned Telegram BOT IDs show ‘Duc Anh’…aka “đức anh” as display names, which loosely translates to “brother”.”

The victims of this campaign are located around the world, but the most-targeted countries include South Korea, the United States, and the Netherlands.

“The July 2025 attack chain in particular illustrates a highly tailored approach engineered to bypass traditional antivirus solutions, delay execution in sandboxes, and mislead SOC analysts who review process trees or EDR data by using byzantine delivery and installation methods,” the researchers said. 

Note: Cisco and Duo are no longer affiliated with Decipher. All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.