Data theft has been going on for quite some time now, and its surreptitious nature, both in how the stolen data is harvested and how it is used for ulterior gains, is also well known. That nothing substantial has been done about it is a different story. Recently, Vietnamese-speaking hackers have been actively stealing sensitive data from thousands of victims across the globe. In this context it is worth knowing that Vietnam has been identified as part of the “Digital Arrest” swindling mechanism.
Besides Vietnam, cyber crime syndicates operate out of Cambodia, Myanmar, Laos and Thailand. In this global data theft operation the hackers deploy a Python-based malware known as PXA Stealer, first identified in late 2024, which targets a wide range of data including passwords, credit card details, browser cookies, cryptocurrency wallet information, and system metadata. The magnitude is vast, impacting over 4000 unique IP addresses in at least 62 countries, including the United States, South Korea, the Netherlands, Hungary, India and others.
PXA Stealer is delivered through malicious ZIP files, often disguised as legitimate software or documents such as Microsoft Word or Haihaisoft PDF Reader. These archives use sophisticated evasion techniques such as DLL side-loading and multi-layer staging to avoid detection by security tools. When executed, the malware collects data from browsers (nearly 40 browser variants), VPN clients, cloud command-line utilities, and popular chat apps such as Discord and Telegram. There is clearly a growing trend of cybercriminals weaponizing legitimate platforms like Telegram to automate and scale their illicit activities.
What sets this operation apart is its heavy reliance on Telegram for both data exfiltration and criminal monetization. Stolen information is compressed and sent via Cloudflare Workers to Telegram bots controlled by the threat actors. These Telegram bots form part of an underground cybercriminal marketplace, where stolen credentials, financial information, and session cookies are sold via subscription services on channels such as Sherlock, Daisy Cloud, and Moon Cloud. This framework allows widespread resale and exploitation by other criminals for financial fraud, cryptocurrency theft, and organizational breaches.
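For defenders, the exfiltration path described above (data relayed through Cloudflare Workers to Telegram bots) is something you can hunt for in web proxy logs. The following is an added example, not code from the original post or from any vendor report; the log format, the process names and the list of processes allowed to talk to Telegram are assumptions for illustration.

```python
# Added example (not from the original post): hunt proxy logs for the
# exfiltration pattern the article attributes to PXA Stealer, i.e. uploads to
# Telegram bots relayed via Cloudflare Workers. Log format, process names and
# the allowed-process list are assumptions for illustration.
import re
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2025-07-01T10:01:02Z ws-14 python.exe POST https://api.telegram.org/botPLACEHOLDER/sendDocument
2025-07-01T10:01:05Z ws-14 python.exe POST https://relay-example.workers.dev/upload
2025-07-01T10:02:00Z ws-22 Telegram.exe GET https://api.telegram.org/
2025-07-01T10:03:00Z ws-09 chrome.exe GET https://www.example.com/
2025-07-01T10:04:00Z ws-31 HaihaisoftPDFReader.exe POST https://api.telegram.org/botPLACEHOLDER/sendMessage
"""

ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe"}   # the real messenger client
TELEGRAM_BOT_PATH = re.compile(r"^/bot[^/]+/")    # Bot API: /bot<token>/<method>

def parse_line(line):
    ts, host, process, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "process": process, "method": method, "url": url}

def is_suspicious(event):
    """Return a reason when the event matches the exfiltration pattern, else None."""
    u = urlparse(event["url"])
    proc = event["process"].lower()
    # Bot API traffic from anything but the messenger client is the stealer's channel.
    if u.hostname == "api.telegram.org" and TELEGRAM_BOT_PATH.match(u.path):
        if proc not in ALLOWED_TELEGRAM_PROCESSES:
            return "telegram-bot-api from non-messenger process"
    # Cloudflare Workers used as a relay before data reaches the Telegram bots.
    if u.hostname and u.hostname.endswith(".workers.dev") and event["method"] == "POST":
        return "POST to Cloudflare Workers host"
    return None

def hunt(log_text):
    """Return (host, process, reason) for each suspicious event in the log."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev["host"], ev["process"], reason))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

On the constructed sample this flags the two uploads from python.exe and the one from the fake PDF reader, while the genuine Telegram client and ordinary browsing are left alone; in production, feed it your proxy export and tune the allowed-process set to your environment.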
WHEN HACKERS TURN EVERYDAY APPS INTO GLOBAL BLACK MARKETS, YOUR PRIVATE DATA IS ONLY A MESSAGE AWAY FROM BEING WEAPONISED.
Sanjay Sahay
Have a nice evening.