CRIL researchers detail an active PXA Stealer campaign attributed with high confidence to a Vietnam-based cybercriminal group targeting job seekers in India, Bangladesh, the Netherlands, Sweden, and the US. The threat actors use compromised LinkedIn accounts to distribute fake job offers, funneling victims through Google Forms and Dropbox-hosted ZIP archives. The infection chain uses DLL sideloading via a renamed copy of winword.exe, a malicious DLL padded to roughly 100 MB so that size-limited scanners skip it, multi-layer encoding of the payload (XOR, Base64, bzip2, zlib), and a final Python stage that executes entirely in memory. C2 infrastructure is retrieved dynamically from an encrypted Telegram channel, and the C2 IP is dressed up to look like Chinese government infrastructure. The stealer harvests browser credentials, session cookies, 2FA tokens, cryptocurrency wallet data, and email client credentials. Compromised LinkedIn accounts are then reused to push the same lure to the victims' professional connections, so each infection seeds the next round of targets. The report includes a full MITRE ATT&CK mapping, a TTP comparison across known PXA campaigns, and defensive recommendations.
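
The layered encoding named above (XOR, Base64, bzip2, zlib) is what an analyst has to unwind after pulling the loader's next stage out of memory or off disk. The following is an added example, not code from the Cyble report or from PXA Stealer itself: a small Python peeler that identifies each layer by its header or alphabet instead of assuming a fixed order, so it still works when a variant shuffles the layers. The summary does not give the real layer order or XOR key, so the order used to build the inline sample and the key `k3y` are assumptions, and the embedded "payload" is a constructed stand-in.

```python
"""Peel a layered loader blob (XOR / Base64 / bzip2 / zlib) by sniffing each layer.

Added example for this summary; it is not code from the Cyble report or from
PXA Stealer. The real loader's layer order and XOR key are not given, so the
inline sample is CONSTRUCTED with an assumed order and key only to exercise
the decoder.
"""
import base64
import binascii
import bz2
import string
import zlib

B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())
ASSUMED_XOR_KEY = b"k3y"  # assumption: the real key is unknown
# Constructed stand-in for the in-memory Python stage; not the real payload.
SAMPLE_PAYLOAD = b"import os\nprint('constructed stand-in for the stealer stage')\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sniff_layer(blob: bytes):
    """Identify the outermost container by header or alphabet, not by position."""
    if blob.startswith(b"BZh"):
        return "bzip2"
    # zlib header: CM == 8 (deflate) and the two header bytes are a multiple of 31.
    if len(blob) >= 2 and blob[0] & 0x0F == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0:
        return "zlib"
    compact = b"".join(blob.split())
    if compact and len(compact) % 4 == 0 and all(c in B64_ALPHABET for c in compact):
        return "base64"
    return None


def peel(blob: bytes, xor_key: bytes = ASSUMED_XOR_KEY, max_layers: int = 16):
    """Strip layers until nothing recognisable is left; return (layer_names, inner)."""
    layers = []
    for _ in range(max_layers):
        kind = sniff_layer(blob)
        if kind is None:
            # No container header: try the XOR key once. If the result is still
            # unrecognisable, treat the current bytes as the innermost stage.
            candidate = xor_bytes(blob, xor_key)
            if sniff_layer(candidate) is None:
                break
            blob, kind = candidate, "xor"
            layers.append(kind)
            continue
        try:
            if kind == "bzip2":
                blob = bz2.decompress(blob)
            elif kind == "zlib":
                blob = zlib.decompress(blob)
            else:
                blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except (OSError, zlib.error, binascii.Error):
            break  # header looked right but the body did not decode; stop here
        layers.append(kind)
    return layers, blob


def build_sample(payload: bytes = SAMPLE_PAYLOAD, xor_key: bytes = ASSUMED_XOR_KEY) -> bytes:
    """Wrap a payload as zlib -> bzip2 -> Base64 -> XOR (assumed order, demo only)."""
    return xor_bytes(base64.b64encode(bz2.compress(zlib.compress(payload))), xor_key)


if __name__ == "__main__":
    names, inner = peel(build_sample())
    print("layers peeled:", " -> ".join(names))
    print(inner.decode())
```

On a real sample you would feed `peel()` the bytes recovered from the padded DLL or from the process memory of the sideloaded winword.exe, and supply the XOR key recovered from the loader; the sniffing order matters because Base64 text can never start with a valid zlib header byte pair, but raw deflate output can look like Base64 by chance, so the binary headers are checked first.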

From cyble.com
Table of contents (source report): Executive Summary; Key Takeaways; Overview; PXA Stealer: History and Evolution; Comparative TTP Analysis: PXA Stealer Campaigns; What Should Businesses Expect When Infected with PXA Stealer?; Technical Analysis; Conclusion; How can Cyble help?; Recommendations; MITRE ATT&CK Mapping