Sophisticated Infostealer Operation Targets Telegram, Dropbox & Cloudflare

A joint investigation by SentinelLabs and Beazley Security has uncovered a rapidly evolving infostealer campaign driven by the Python-based PXA Stealer. First identified in late 2024, this campaign has grown into a highly sophisticated, multi-stage operation targeting victims across 62 countries.

The malware, linked to Vietnamese-speaking cybercriminals, has compromised over 2,000 unique IP addresses, stealing more than 200,000 passwords, hundreds of credit card details, and over 4 million browser cookies.

The operation leverages legitimate platforms like Telegram, Dropbox, and Cloudflare Workers to execute and monetise data theft, marking a significant evolution in cybercriminal tradecraft.

Advanced Evasion Tactics

The PXA Stealer campaign employs advanced anti-analysis techniques to evade detection. Attackers use legitimate software, such as Haihaisoft PDF Reader and Microsoft Word 2013, to sideload malicious DLLs, concealing their activities within seemingly benign applications. These campaigns incorporate non-malicious decoy documents, such as fake copyright infringement notices, to mislead users and analysts. Additionally, attackers disguise malicious archives as common file types like PDFs and PNGs, using tools like certutil and WinRAR to extract and execute payloads. These layered evasion strategies cause sandbox timeouts and false negatives, delaying detection by endpoint security tools.

Infection Chain Evolution

The campaign’s infection chain has evolved significantly since its inception. In April 2025, attackers distributed compressed archives containing signed Haihaisoft PDF Reader executables alongside malicious DLLs. These DLLs established persistence via Windows Registry modifications and retrieved additional payloads from Dropbox. By July 2025, the campaign shifted to using Microsoft Word 2013 executables, renamed to appear as legitimate documents, to sideload malicious DLLs like msvcr100.dll. A decoy document, Tax-Invoice-EV.docx, is displayed to victims, while hidden scripts orchestrate the deployment of a Python-based PXA Stealer payload, renamed as svchost.exe to blend into system processes.
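As an added illustration that is not part of the SentinelLabs/Beazley report, the Python below sketches host-based detection logic for the tradecraft described in the two sections above (DLL sideloading through legitimate executables, certutil-based payload extraction, and a renamed Python interpreter posing as svchost.exe), run over constructed Sysmon-style process-creation and image-load events. The executable names, paths and OriginalFileName values are assumed sample data, not indicators from the report.

```python
import ntpath

# Directories where a real svchost.exe or a real msvcr100.dll is expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL named in the report as the sideloaded component.
SIDELOADED_DLLS = {"msvcr100.dll"}


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def _base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, rule) pairs for events matching the campaign's tradecraft.

    Events are dicts modelled on Sysmon ID 1 (process create, with the PE's
    OriginalFileName) and ID 7 (image load)."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            name = _base(ev["image"])
            orig = ev.get("original", "").lower()
            # A svchost.exe running outside the system directories is not Windows'.
            if name == "svchost.exe" and not _in_system_dir(ev["image"]):
                hits.append((ev["pid"], "svchost_outside_system32"))
            # On-disk name differs from the PE's own name: WinWord renamed as an
            # "invoice", or python.exe renamed as svchost.exe.
            if orig and orig != name:
                hits.append((ev["pid"], "renamed_binary:" + orig))
            if name == "certutil.exe" and "-decode" in ev.get("cmdline", "").lower():
                hits.append((ev["pid"], "certutil_decode"))
        elif ev["id"] == 7:
            dll = ev["image_loaded"]
            # msvcr100.dll loaded from a user-writable path beside the host EXE.
            if _base(dll) in SIDELOADED_DLLS and not _in_system_dir(dll):
                hits.append((ev["pid"], "dll_sideload:" + _base(dll)))
    return hits


# Constructed sample events (assumed paths and names, not real IoCs).
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\v\Downloads\Tax-Invoice-EV.exe",
     "original": "WinWord.exe", "cmdline": "Tax-Invoice-EV.exe"},
    {"id": 7, "pid": 4100, "image_loaded": r"C:\Users\v\Downloads\msvcr100.dll"},
    {"id": 1, "pid": 4111, "image": r"C:\Windows\System32\certutil.exe",
     "original": "CertUtil.exe", "cmdline": "certutil -decode invoice.pdf out.rar"},
    {"id": 1, "pid": 4120, "image": r"C:\Users\v\AppData\Roaming\svchost.exe",
     "original": "python.exe", "cmdline": "svchost.exe loader.py"},
    {"id": 1, "pid": 500, "image": r"C:\Windows\System32\svchost.exe",
     "original": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},   # benign
    {"id": 7, "pid": 300, "image_loaded": r"C:\Windows\System32\msvcr100.dll"},  # benign
]
```

In production the same rules would be expressed as EDR or SIEM queries; the point is to key on the PE's OriginalFileName and load path rather than the easily renamed on-disk name.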

Data Theft & Telegram Monetisation

PXA Stealer targets a wide range of sensitive data, including credentials, browser autofill data, cryptocurrency wallet details, and financial application records. The malware supports data theft from numerous browsers, including Chrome, Edge, Brave, and Opera, as well as cryptocurrency wallet extensions like Exodus and Ledger Live.

It also targets FinTech platforms such as Binance, Coinbase, and PayPal. Stolen data is packaged into ZIP archives and exfiltrated to Telegram channels via Cloudflare Worker relays, using specific bot tokens and chat IDs. These Telegram channels, including “James_New_Ver_bot” and “MRB_NEW_VER_BOT,” automate data resale through a subscription-based underground ecosystem for downstream criminal use.

Victim Impact

Analysis of exfiltrated logs reveals over 2,000 unique victims across 62 countries, with South Korea, the United States, the Netherlands, Hungary, and Austria being the most affected. Certain bot IDs, such as ADN_2_NEW_VER_BOT, show a preference for targeting Israel and Taiwan.

The stolen data, including passwords, cookies, and financial records, provides cybercriminals with extensive access to victims’ accounts, enabling cryptocurrency theft and organisational breaches.

The campaign’s scale and automation highlight the growing threat of infostealer ecosystems that exploit legitimate infrastructure for efficiency and cost reduction.

Attribution & Infrastructure Abuse

The campaign is attributed to Vietnamese-speaking threat actors, with Telegram profiles displaying Vietnamese-language artifacts, such as “Đức Anh” (meaning “brother”). The Telegram bot infrastructure facilitates automated data exfiltration and communication. Attackers also use temporary file-hosting services like paste.rs and 0x0.st to deliver obfuscated Python payloads. Cloudflare Workers, such as lp2tpju9yrz2fklj.lone-none-1807.workers.dev, were abused for data exfiltration but were disrupted following reports to Cloudflare.

The campaign’s reliance on Telegram’s developer-friendly API and lax oversight underscores the platform’s role in enabling cybercrime.

A Growing Cybercriminal Ecosystem

The PXA Stealer campaign exemplifies the increasing sophistication of infostealer operations, blending legitimate tools with advanced evasion techniques to bypass traditional defences. By automating data theft and monetisation through Telegram, attackers streamline their operations, feeding stolen data into cybercrime marketplaces for resale.

This campaign highlights the need for defenders to adapt to a threat landscape defined by infrastructure abuse, automation, and real-time monetisation.

SentinelLabs and Beazley Security’s collaboration underscores the importance of shared intelligence in combating such threats. Organisations are urged to enhance detection capabilities and user awareness to mitigate the risks posed by these evolving cyberattacks.

SentinelLabs  |  SentinelLabs  |  Trend Micro
