PXA Stealer

During a wave of attacks occurring in April 2025, users were phished or otherwise lured into downloading a compressed archive... In July 2025, the large archive attached to the phishing lure contained...

Initial Access (TA0001) Phishing: Spearphishing Link (T1566.002) LinkedIn DM with job lure linking to Google Form and Dropbox-hosted payload

In October 2025 and December 2025... established persistence via registry Run keys or scheduled tasks... CrystalPDF.exe establishes persistence via scheduled tasks.

Persistence (TA0003) Scheduled Task/Job: Scheduled Task (T1053.005) Scheduled task created for persistence across reboots

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation... Execution of various commands and scripts via osascript and sh.

Upon execution, the malicious DLL creates a .CMD script Evidence.cmd in the current directory, which orchestrates all subsequent steps in the attack chain... The sideloaded DLL then launches a hidden instance of Command Prompt and begins a multi-stage chain of activity.

This extracts several Python dependencies, including a legitimate Python 3.10 interpreter renamed svchost.exe and a malicious Python script named Photos... The Python interpreter is renamed to svchost.exe and launches a heavily obfuscated Python script again disguised as images.png.

Execution (TA0002) Shared Modules (T1129) Malicious update.dll (Python script) loaded to execute next-stage payload

Execution (TA0002) User Execution: Malicious File (T1204.002) The victim manually executes the disguised WinWord.exe from the downloaded ZIP.

In October 2025 and December 2025... established persistence via registry Run keys or scheduled tasks... CrystalPDF.exe establishes persistence via scheduled tasks.

Persistence (TA0003) Scheduled Task/Job: Scheduled Task (T1053.005) Scheduled task created for persistence across reboots

This component of the attack is responsible for establishing persistence on the target host via the Windows Registry... This step sets a Registry Run key to ensure the payload will run each time the computer starts.

In October 2025 and December 2025... established persistence via registry Run keys or scheduled tasks... CrystalPDF.exe establishes persistence via scheduled tasks.

Persistence (TA0003) Scheduled Task/Job: Scheduled Task (T1053.005) Scheduled task created for persistence across reboots

The infostealer will also attempt to inject a DLL into running instances of browsers such as Chrome, targeting Chrome’s App-Bound Encryption Key to defeat the internal encryption schemes within Chrome.

This component of the attack is responsible for establishing persistence on the target host via the Windows Registry... This step sets a Registry Run key to ensure the payload will run each time the computer starts.

The final payload is an updated version of PXA Stealer... The Python interpreter is renamed to svchost.exe and launches a heavily obfuscated Python script again disguised as images.png... Once downloaded, the obfuscated Python code is decoded and executed.

Defense Evasion (TA0005) Obfuscated Files or Information: Binary Padding (T1027.001) DLL inflated to ~100 MB to bypass file size thresholds in automated scanners

The Microsoft Word 2013 binary is renamed to appear to the user as a Word document... a legitimate WinRar executable also hosted in the folder renamed images.png... a legitimate Python 3.10 interpreter renamed svchost.exe... files with familiar extensions, such as PNG and PDF, to conceal embedded WinRAR executables and ZIP archives.

Defense Evasion (TA0005) Masquerading: Match Legitimate Name or Location (T1036.005) Python executable renamed to nsedge.exe; files placed in a legitimate-looking Edge directory

The infostealer will also attempt to inject a DLL into running instances of browsers such as Chrome, targeting Chrome’s App-Bound Encryption Key to defeat the internal encryption schemes within Chrome.

Defense Evasion (TA0005) Indicator Removal: File Deletion (T1070.004) The archive and extraction utility deleted post-execution to reduce forensic artifacts.

To evade detection, we observed the use of... signed and living off the land binaries.

The .CMD script utilizes certutil to extract an encrypted RAR archive embedded inside a malformed PDF... Next, like the previous activity, certutil is used to decode a file... into a new encrypted zip archive.

Hidden Folder with Staged Payloads T1564.001 – Hide Artifacts: Hidden Files and Directories Hidden staging folder with an identical naming convention

The stolen data includes... more than 4 million harvested browser cookies... The new variant of PXA Stealer will enumerate Chromium/Gecko browsers, decrypt any saved passwords, cookies... and any authentication tokens.

The new variant of PXA Stealer will enumerate Chromium/Gecko browsers, decrypt any saved passwords, cookies, stored personally identifiable information (PII), autofill data, and any authentication tokens.

All three harvest the same types of data—browser credentials, saved passwords... CrystalPDF.exe... covertly hijacking Firefox and Chrome browsers to access sensitive files... including cookies, session data, and credential caches.

System information queried using WMI and Python.

The collected data is packaged into ZIP archives then exfiltrated to a specific Telegram bot via Cloudflare Worker relays... Prior to transferring the exfiltrated data, the stealer packages stage data into an archive using the following naming convention where CC=Country Code: [CC_IPADDRESS]_HOSTNAME.zip

One of the payloads is a Python script that establishes communication with a remote server... Communication to command and control server.

Inspect network egress for POST requests to newly registered or suspicious domains... Exfiltration through curl.

Dropbox Used for Payload Staging T1102 – Web Service Trusted cloud platform abused as a payload host across campaigns

This component... retriev[es] additional malicious components, including Windows executable payloads hosted remotely on Dropbox... There are also conditions where the malware will reach out to external sources for additional Python payloads, such as 0x0[.]st... When retrieving files from paste[.]rs... constructs the full download URL hosting another payload.

Defense Evasion (TA0005) Data Encoding: Standard Encoding (T1132.001) Payload encoded with XOR, Base64, bzip2, and zlib across multiple layers

hxxps://bagumedios[.]cloud/assets/media/others/ADN/pure URL Used to deliver PureRAT payload (PXA Stealer: Campaign 1)

collected sensitive information, and exfiltrated the data via Telegram... then send everything to attacker servers... Exfiltration through curl.

The final payload, PXA Stealer, exfiltrates... to Telegram channels via automated bot networks... The collected data is packaged into ZIP archives then exfiltrated to a specific Telegram bot via Cloudflare Worker relays... PXA Stealer transmits data via HTTP POST requests to the Telegram API.

This campaign exemplifies a growing trend in which legitimate infrastructure (e.g., Telegram, Cloudflare Workers, Dropbox) is weaponized at scale... Data is exfiltrated to Telegram via connection via Cloudflare workers.