PXA Stealer attacks are rising, with researchers reporting a 10% spike targeting financial firms. The malware uses phishing and Telegram to steal credentials and crypto data.

Read: https://hackread.com/financial-firms-rise-pxa-stealer-attacks/

#CyberSecurity #Malware #Infostealer #PXAStealer

New PXA Stealer Malware Targets Banks, Uses Telegram to Exfiltrate Data

CyberProof reports a 10% surge in PXA Stealer attacks targeting financial firms, using phishing and Telegram to steal passwords and crypto assets.

Hackread - Cybersecurity News, Data Breaches, AI and More
Infostealers without borders: macOS, Python stealers, and platform abuse | Microsoft Security Blog

How modern infostealers target macOS systems, leverage Python-based stealers, and abuse trusted platforms and utilities to distribute credential-stealing payloads.

Microsoft Security Blog

🚨 #PXAStealer continues to evolve

Hitting government, education, and private users, it steals sensitive data via DLL sideloading and decoy legitimate files

👨‍💻 See overview of its methods and anti-analysis techniques: https://any.run/malware-trends/pxastealer/?utm_source=mastodon&utm_medium=post&utm_campaign=pxastealer&utm_term=081225&utm_content=linktomtt

#cybersecurity #infosec

🚨 How #Pxastealer Uses Masquerading: Execution Flow and TTPs.
⚠️ Pxastealer is delivered through archive links in #phishing emails, bypassing automated filters. Masquerading hides execution and gives attackers time to exfiltrate data.

Execution flow & TTPs:
1️⃣ Initial Access (T1566.002): A victim clicks a link to a malicious archive in a spearphishing email.
2️⃣ Execution & Cleanup (T1059.003, T1070.004): cmd.exe runs a long command chain and deletes traces.
3️⃣ Defense Evasion (T1036.008, T1140, T1027): A fake Word file opens to mask background activity, while certutil -decode turns a fake “financial report” into an archive masked as Invoice.pdf. Another file posing as a .jpg unpacks the payload, hiding malicious activity behind trusted formats.
4️⃣ Execution / Masquerading (T1036.005): The attack unpacks Python files and runs Pxastealer under the name svchost.exe, using a trusted filename outside System32 to evade detection.
5️⃣ Persistence (T1547.001): Adds autorun via command line.
6️⃣ Exfiltration / C2 (T1567, T1071.001): Pxastealer exfiltrates data via Telegram.

👨‍💻 Examine Pxastealer behavior and collect #IOCs: https://app.any.run/tasks/eca98143-ba80-4523-ac82-e947c3e6bd74/?utm_source=mastodon&utm_medium=post&utm_campaign=pxastealer&utm_term=291025&utm_content=linktoservice
🔍 Further investigate the threat, track campaigns, and enrich IOCs with live attack data:
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=pxastealer&utm_content=linktoti&utm_term=291025#%7B%2522query%2522:%2522registryValue:%255C%2522cmd%2520/c%2520start%2520C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=pxastealer&utm_content=linktoti&utm_term=291025#%7B%2522query%2522:%2522imagePath:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255Cadmin%255C%255C%255C%255CAppData%255C%255C%255C%255CLocal%255C%255C%255C%255CTemp%255C%255C%255C%255CRar*%255C%255C%255C%255C_%255C%255C%255C%255C%255C%2522%2520and%2520commandLine:%255C%2522-decode%2520*.pdf*.pdf%255C%2522%2522,%2522dateRange%2522:180%7D

IOCs:
Sha256: 81918ea5fa5529f04a00bafc7e3fb54978a0b7790cfc7a5dad9fa9640666560a (svchost.exe)

🚀 Gain full visibility with #ANYRUN to make faster, smarter security decisions.

#Cybersecurity #infosec
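The execution flow above maps cleanly onto a few host-telemetry checks a defender can run: certutil -decode on a decoy document (T1140), svchost.exe executing from anywhere other than System32/SysWOW64 (T1036.005), a Run-key value that launches content from C:\Users\Public (T1547.001, which is also what the post's registryValue lookup query targets), and the published sha256 for the svchost.exe payload. The script below is an added example written for this page, not ANY.RUN's code or PXA Stealer's; the `Event` structure, the sample events and every path in them are constructed for illustration, and only the sha256 comes from the post's IOC list.

```python
"""Toy triage pass for the PXA Stealer execution chain described above.

Sample telemetry is constructed for this example (not real logs).
Rules map to the TTPs listed in the post:
  T1140     certutil -decode turning a decoy document into an archive
  T1036.005 svchost.exe running outside System32 / SysWOW64
  T1547.001 Run-key value launching content from C:\\Users\\Public
"""
import ntpath  # Windows-style path handling regardless of host OS
from dataclasses import dataclass

# sha256 from the post's IOC list (the masqueraded svchost.exe)
KNOWN_BAD_SHA256 = {"81918ea5fa5529f04a00bafc7e3fb54978a0b7790cfc7a5dad9fa9640666560a"}
# Only locations where a genuine svchost.exe is expected to live
TRUSTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Event:
    """Hypothetical flattened EDR/Sysmon-style event (assumed schema)."""
    kind: str            # "process" or "registry"
    image: str = ""      # full path of the executing image (process events)
    cmdline: str = ""    # command line (process events)
    sha256: str = ""     # image hash, if the sensor supplies one
    reg_key: str = ""    # registry events: key written
    reg_value: str = ""  # registry events: value data written


def check_process(ev: Event) -> list[str]:
    """Return the rule labels a single process event trips."""
    hits = []
    name = ntpath.basename(ev.image).lower()
    folder = ntpath.dirname(ev.image).lower()
    cmd = ev.cmdline.lower()
    if name == "certutil.exe" and "-decode" in cmd:
        hits.append("T1140 certutil -decode")
    if name == "svchost.exe" and folder not in TRUSTED_SVCHOST_DIRS:
        hits.append("T1036.005 svchost.exe outside System32")
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        hits.append("IOC sha256 match")
    return hits


def check_registry(ev: Event) -> list[str]:
    """Flag Run-key autoruns that start something out of the Public profile."""
    hits = []
    key = ev.reg_key.lower()
    val = ev.reg_value.lower()
    if "\\currentversion\\run" in key and "cmd /c start" in val and "\\users\\public\\" in val:
        hits.append("T1547.001 Run key launching from Users\\Public")
    return hits


def triage(events: list[Event]) -> list[tuple[str, str]]:
    """Run every event through the matching rule set; return (label, subject) pairs."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev.kind == "process" else check_registry(ev)
        findings.extend((h, ev.image or ev.reg_key) for h in hits)
    return findings


# Constructed sample events: two benign, three matching the described chain.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe -k netsvcs"),  # legitimate service host
    Event("process", image=r"C:\Windows\System32\certutil.exe",
          cmdline=r'certutil -decode "C:\Users\admin\AppData\Local\Temp\RarEXAMPLE\_\report.pdf" Invoice.pdf'),
    Event("process", image=r"C:\Users\Public\svchost.exe",
          cmdline="svchost.exe",
          sha256="81918ea5fa5529f04a00bafc7e3fb54978a0b7790cfc7a5dad9fa9640666560a"),
    Event("registry", reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          reg_value=r"cmd /c start C:\Users\Public\svchost.exe"),
    Event("registry", reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          reg_value=r"C:\Program Files\ExampleVendor\Updater.exe"),  # benign autorun
]

if __name__ == "__main__":
    for label, subject in triage(SAMPLE_EVENTS):
        print(f"{label:45} <- {subject}")
```

The rules are deliberately narrow so the benign events (a real svchost.exe under System32, an ordinary Run value) produce nothing; in production the certutil rule in particular should be paired with a parent-process check, since the post describes the whole chain being driven from a single cmd.exe command line.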

🚨 New campaign alert: Vietnamese hackers deploy #PXAstealer via malicious ZIP files targeting sensitive data worldwide 🌍 The stealer exfiltrates info through Telegram bots, hitting browsers, wallets & apps like Discord and Steam. Stay cautious of unexpected ZIPs! 🔐🛡️ Read more: https://cyberinsider.com/vietnamese-hackers-deploy-pxa-stealer-via-zip-malware-and-telegram-channels/ #CyberSecurity #Infostealer #Malware #Telegram #newz
Vietnamese Hackers Deploy PXA Stealer via ZIP Malware and Telegram Channels

New info-stealing malware called PXA Stealer is targeting user data and crypto wallets, with attackers relying on Telegram for command and control.

CyberInsider

🚨 PXA Stealer spotted: Python-based malware w/ Telegram API-powered resale chain.

🧠 Delivered via sideloaded signed apps (MS Word, Haihaisoft), it harvests credentials, crypto, cookies, & exfiltrates to Telegram bots.

🎯 4K+ victims. 62+ countries. 200K+ passwords.

Automation + SaaS-like infostealer ops are here.
📣 Thoughts?

#InfoStealer #PXAStealer #TelegramBot #ThreatIntel #infosec #CyberCrime

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.

SentinelOne