Sophisticated Infostealer Operation Targets Telegram, Dropbox & Cloudflare

A joint investigation by SentinelLabs and Beazley Security has uncovered a rapidly evolving infostealer campaign driven by the Python-based PXA Stealer. First identified in late 2024, this campaign has grown into a highly sophisticated, multi-stage operation targeting victims across 62 countries.

The malware, linked to Vietnamese-speaking cybercriminals, has compromised over 2,000 unique IP addresses, stealing more than 200,000 passwords, hundreds of credit card details, and over 4 million browser cookies.

The operation leverages legitimate platforms like Telegram, Dropbox, and Cloudflare Workers to execute and monetise data theft, marking a significant evolution in cybercriminal tradecraft.

Advanced Evasion Tactics

The PXA Stealer campaign employs advanced anti-analysis techniques to evade detection. Attackers use legitimate software, such as Haihaisoft PDF Reader and Microsoft Word 2013, to sideload malicious DLLs, concealing their activities within seemingly benign applications. These campaigns incorporate non-malicious decoy documents, such as fake copyright infringement notices, to mislead users and analysts. Additionally, attackers disguise malicious archives as common file types like PDFs and PNGs, using tools like certutil and WinRAR to extract and execute payloads. These layered evasion strategies cause sandbox timeouts and false negatives, delaying detection by endpoint security tools.

Infection Chain Evolution

The campaign’s infection chain has evolved significantly since its inception. In April 2025, attackers distributed compressed archives containing signed Haihaisoft PDF Reader executables alongside malicious DLLs. These DLLs established persistence via Windows Registry modifications and retrieved additional payloads from Dropbox. By July 2025, the campaign shifted to using Microsoft Word 2013 executables, renamed to appear as legitimate documents, to sideload malicious DLLs like msvcr100.dll. A decoy document, Tax-Invoice-EV.docx, is displayed to victims, while hidden scripts orchestrate the deployment of a Python-based PXA Stealer payload, renamed as svchost.exe to blend into system processes.

Data Theft & Telegram Monetisation

PXA Stealer targets a wide range of sensitive data, including credentials, browser autofill data, cryptocurrency wallet details, and financial application records. The malware supports data theft from numerous browsers, including Chrome, Edge, Brave, and Opera, as well as cryptocurrency wallet extensions like Exodus and Ledger Live.

It also targets FinTech platforms such as Binance, Coinbase, and PayPal. Stolen data is packaged into ZIP archives and exfiltrated to Telegram channels via Cloudflare Worker relays, using specific bot tokens and chat IDs. These Telegram channels, including “James_New_Ver_bot” and “MRB_NEW_VER_BOT,” automate data resale through a subscription-based underground ecosystem for downstream criminal use.

Victim Impact

Analysis of exfiltrated logs reveals over 2,000 unique victims across 62 countries, with South Korea, the United States, the Netherlands, Hungary, and Austria being the most affected. Certain bot IDs, such as ADN_2_NEW_VER_BOT, show a preference for targeting Israel and Taiwan.

The stolen data, including passwords, cookies, and financial records, provides cybercriminals with extensive access to victims’ accounts, enabling cryptocurrency theft and organisational breaches.

The campaign’s scale and automation highlight the growing threat of infostealer ecosystems that exploit legitimate infrastructure for efficiency and cost reduction.

Attribution & Infrastructure Abuse

The campaign is attributed to Vietnamese-speaking threat actors, with Telegram profiles displaying Vietnamese-language artifacts, such as “Đức Anh” (meaning “brother”). The Telegram bot infrastructure facilitates automated data exfiltration and communication. Attackers also use temporary file-hosting services like paste.rs and 0x0.st to deliver obfuscated Python payloads. Cloudflare Workers, such as lp2tpju9yrz2fklj.lone-none-1807.workers.dev, were abused for data exfiltration but were disrupted following reports to Cloudflare.

The campaign’s reliance on Telegram’s developer-friendly API and lax oversight underscores the platform’s role in enabling cybercrime.

A Growing Cybercriminal Ecosystem

The PXA Stealer campaign exemplifies the increasing sophistication of infostealer operations, blending legitimate tools with advanced evasion techniques to bypass traditional defences. By automating data theft and monetisation through Telegram, attackers streamline their operations, feeding stolen data into cybercrime marketplaces for resale.

This campaign highlights the need for defenders to adapt to a threat landscape defined by infrastructure abuse, automation, and real-time monetisation.

SentinelLabs and Beazley Security’s collaboration underscores the importance of shared intelligence in combating such threats. Organisations are urged to enhance detection capabilities and user awareness to mitigate the risks posed by these evolving cyberattacks.

SentinelLabs  |  SentinelLabs  |  Trend Micro

Image: ar-chi
