Cybersecurity researchers are turning their attention to a new wave of campaigns that distribute Python-based information steelers, known as Pyson-based information steelers.
According to a joint report published by Beazley Security and Sentinelone and shared with Hacker News, it is rated as the job of Vietnamese-speaking cybercriminals who monetize stolen data through a subscription-based underground ecosystem.
“The discovery incorporates a pipeline of cured command and controls that irritate trade leaps, more nuanced anti-analytical techniques, non-malicious decoy content, and a hardened pipeline of command and controls that attempt to irrigate and slow detection,” said security researchers Jim Walter, Alex Delamott, Francisco Donoso, Franche and Sam Meise.
The campaign has infected over 4,000 unique IP addresses across 62 countries, including South Korea, the US, the Netherlands, Hungary and Austria. Data captured via Steeler includes over 200,000 unique passwords, hundreds of credit card records, and over 4 million harvested browser cookies.
The PXA Stealer was first documented by Cisco Talos in November 2024 and was attributed to attacks targeting governments and educational institutions in Europe and Asia. You can harvest passwords, automatic browser fill data, cryptocurrency wallets, and information from financial institutions.
Data stolen by malware using Telegram is fed to crime platforms like Sherlock, the provider of Steeler Logs. There, downstream threat actors sprint through the Cybercriminal ecosystem on scale, purchasing information to stolen and infiltrate cryptocurrency.
The 2025 malware distribution campaign witnessed a steady tactical evolution using threat actors to fly DLL sideloading technology and elaborate staging layers under radar.
Malicious DLLs note that they perform the rest of the infection sequence, paving the way for steelers to unfold, but not before they take steps to show decoy documents such as copyright infringement notices to victims.
Stealer is an updated version with the ability to extract cookies from Chromium-based web browsers by injecting DLLs into running instances with the aim of beating out app-bound encryption safeguards. It also plantes data from applications such as VPN clients, Cloud Command Line Interface (CLI) utilities, connected file sharing, and Discord.
“PXA Stealer uses botids (stored as token_bot) to establish a link between the main bot and various Chatids (stored as chat_id),” the researchers said. “Chatids is a Telegram channel with a variety of properties, but it mainly helps host Exftrated data and provide updates and notifications to operators.”
“This threat has matured into a highly evasive multi-stage operation driven by Vietnamese-speaking actors with obvious connections to the organized cybercriminal telegram-based market that sells stolen victim data.”
Source link
