Cyble dissects a LinkedIn job‑lure campaign, exposing its multi‑stage PXA Stealer tactic that hijacks accounts and steals sensitive data.

Cyble's publication is a resource for cybersecurity professionals and businesses seeking to stay ahead of evolving cyber threats. Through detailed analysis of threat intelligence, cybersecurity trends, and real-world cyber incidents, Cyble provides  insights into emerging threats, cyber attack tactics, and risk mitigation strategies. Readers can learn about threat detection methodologies, vulnerability assessment techniques, incident response protocols, and compliance standards to enhance their cybersecurity posture. Additionally, Cyble offers expert commentary, best practices, and actionable recommendations to help organizations protect their digital assets, safeguard sensitive data, and maintain business continuity in the face of cyber threats.

Cyble

CRIL researchers detail an active PXA Stealer campaign attributed with high confidence to a Vietnam-based cybercriminal group targeting job seekers across India, Bangladesh, the Netherlands, Sweden, and the US. Threat actors use compromised LinkedIn accounts to distribute fake job offers, funneling victims through Google Forms and Dropbox-hosted ZIP archives. The infection chain uses DLL sideloading via a renamed winword.exe, a 100 MB padded malicious DLL to bypass size-based scanners, multi-layer encoding (XOR, Base64, bzip2, zlib), and fully in-memory Python execution. C2 infrastructure is dynamically retrieved from an encrypted Telegram channel, with the C2 IP masquerading as Chinese government infrastructure. The stealer harvests browser credentials, session cookies, 2FA tokens, cryptocurrency wallet data, and email client credentials. Compromised LinkedIn accounts are then weaponized to propagate the lure to victims' professional connections, creating a compounding spread effect. The report includes full MITRE ATT&CK mapping, TTP comparison across known PXA campaigns, and defensive recommendations.

Professional Networks Under Attack By Infostealer

Comparative TTP Analysis: PXA Stealer Campaigns

What Should Businesses Expect When Infected with PXA Stealer?