Financial institutions face a heightened cyber threat as threat actors intensify their use of PXA Stealer, an advanced information-stealing malware. This escalation follows significant law enforcement actions in 2025 that dismantled major infostealer operations such as Lumma, Rhadamanthys, and RedLine. Analysts from CyberProof have identified a new campaign cluster, tracked by the bot identifier “Verymuchxbot,” that specifically targets global financial firms and shows an estimated 8-10% increase in activity during the first quarter of 2026.
These malicious campaigns typically commence with phishing emails containing deceptive URLs. These links direct unsuspecting victims to download ZIP files laden with hidden malware. The attackers employ a diverse array of decoy documents to ensnare their targets. These lures range from fraudulent resumes and fake Adobe Photoshop installers to fabricated tax forms and legal paperwork. This broad approach ensures the threat can infiltrate various departments within a financial organization, making it challenging to defend against with generalized email filtering solutions.
Inside the Infection Chain of PXA Stealer
The infection chain documented by security researchers begins when a victim is enticed to download a ZIP archive named “Pumaproject.zip” from the domain downloadtheproject[.]xyz. The archive contains a file masquerading as a standard Word document, labeled “Document.docx.exe.” Once run, the executable initiates a multi-stage process: it extracts a Python interpreter, several associated Python libraries, and a collection of malicious scripts, and at the same time creates an innocuously named folder, “Dots,” to house the subsequent components of the attack.
Within the “Dots” folder, the attackers place a legitimate WinRAR binary renamed to “picture.png” to evade initial detection, alongside a heavily encrypted archive concealed under the name “Shodan.pdf.” The Windows utility certutil is used to decrypt this file, after which the renamed WinRAR binary is invoked to unpack the archive using a hardcoded password, “shodan2201.”
The unpacked contents are then written to the directory C:\Users\Public\WindowsSecure. The Python interpreter, which the malware depends on, is renamed to “svchost.exe” so that the malicious process resembles a legitimate, trusted Windows system service and is less likely to be flagged by security software.
Subsequently, a sophisticated Python script, deeply obfuscated and disguised as “images.png,” is executed. This script is launched with a specific argument, “$BOT_ID,” which is set to the unique identifier “Verymuchxbot.” This script is designed to systematically hook into the victim’s active browser sessions. Its primary objective is to intercept and exfiltrate sensitive user credentials, as well as data related to cryptocurrency wallets stored within those browsers.
All of the stolen data is then exfiltrated over Telegram channels to attacker-controlled endpoints; because Telegram is a widely used messaging service, the outbound traffic is less likely to draw immediate scrutiny from network security monitoring. The malware also creates a registry entry for persistence, so it continues to run after the compromised system is restarted and the attackers retain ongoing access.
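The chain above leaves several host-level traces that do not depend on file hashes: a system binary name running from a user-writable path, a document name with a trailing .exe, a .png being launched as a process, certutil used as a decoder, and the reported strings in command lines. The following is an added detection example, not code from CyberProof or the original report; the process-creation events are constructed samples modelled on the described chain, and the rule names and directory baseline are this example's own assumptions.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the chain described above
# (Sysmon Event ID 1-style fields); sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "image": r"C:\Users\alice\Downloads\Pumaproject\Document.docx.exe", "cmdline": "Document.docx.exe"},
    {"id": 3, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\alice\AppData\Local\Temp\Dots\Shodan.pdf out.rar"},
    {"id": 4, "image": r"C:\Users\alice\AppData\Local\Temp\Dots\picture.png",
     "cmdline": r"picture.png x -pshodan2201 out.rar C:\Users\Public\WindowsSecure"},
    {"id": 5, "image": r"C:\Users\Public\WindowsSecure\svchost.exe", "cmdline": "svchost.exe images.png Verymuchxbot"},
]
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumed baseline for svchost.exe
EXEC_EXTS = {".exe", ".com", ".scr"}
IOC_STRINGS = ("verymuchxbot", "shodan2201", "pumaproject.zip")  # strings named in the report

def check_event(ev):
    image = PureWindowsPath(ev["image"])
    name, ext = image.name.lower(), image.suffix.lower()
    cmd = ev["cmdline"].lower()
    args = cmd.split()[1:]  # sample command lines contain no quoted paths
    hits = []
    # Trusted system binary name running outside the system directories
    if name == "svchost.exe" and str(image.parent).lower() not in SYSTEM_DIRS:
        hits.append("svchost_outside_system32")
    # Document-looking name with a trailing executable extension (Document.docx.exe)
    if len(image.suffixes) >= 2 and ext in EXEC_EXTS:
        hits.append("double_extension")
    # A file with a data extension was started as a process (picture.png)
    if ext not in EXEC_EXTS:
        hits.append("non_exec_extension_launched")
    # certutil used as a decoder rather than for certificate work
    if name == "certutil.exe" and any(a == "-decode" for a in args):
        hits.append("certutil_decode")
    # An executable handed a .png/.pdf argument (renamed script or payload)
    if ext in EXEC_EXTS and any(a.endswith((".png", ".pdf")) for a in args):
        hits.append("image_or_pdf_argument")
    # Literal indicators reported for this campaign
    if any(s in cmd for s in IOC_STRINGS):
        hits.append("known_ioc_string")
    return hits

def scan(events):
    # Map event id -> fired rules, keeping only events with at least one hit
    return {ev["id"]: h for ev in events if (h := check_event(ev))}
```

The first five rules are behavioural and survive a change of file names or password; only the last one is a string match that the next campaign will not trigger.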
This particular campaign is distinguished by its calculated effort to blend seamlessly with normal system operations. The attackers have demonstrated a proficiency in utilizing legitimate Windows tools and deliberately renaming their malicious files to mimic the naming conventions of trusted processes. This sophisticated evasion technique significantly diminishes the probability of detection by standard security measures.
As the operational scope of PXA Stealer continues to broaden, organizations operating within the financial sector face an escalating and tangible risk to their sensitive data assets. Security teams are advised to watch for suspicious URLs and ZIP or RAR attachments in incoming emails, particularly those purporting to carry invoices, bills, or employment-related content. Outbound connections to top-level domains such as .xyz, .shop, .info, and .net should be closely monitored and, where feasible, blocked. It is also recommended to scrutinize the context in which source files arrive and to audit traffic directed toward third-party messaging applications such as Telegram for any unauthorized data movement. EDR alerts related to process injection warrant immediate investigation, and keeping CTI feeds and threat-hunting queries up to date is essential for proactively detecting emerging information-stealing threats before they can inflict significant damage.
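The network-side guidance above (watched TLDs, Telegram traffic) is easiest to act on when the proxy log carries the originating process, because Telegram traffic is only anomalous when it comes from something other than a messaging or browser client. This is an added triage example, not code from the report; the proxy log lines are constructed, and the log format, the expected-client list and the rule names are assumptions of this example.

```python
from collections import Counter

WATCH_TLDS = {"xyz", "shop", "info", "net"}            # TLDs named in the guidance above
MESSAGING_DOMAINS = ("telegram.org", "t.me")           # Telegram endpoints used for exfiltration
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # assumed baseline

# Constructed proxy log: timestamp host process destination port bytes_out (not real data)
PROXY_LOG = """\
2026-02-03T09:58:11Z WS-0142 msedge.exe www.example.com 443 1200
2026-02-03T09:59:40Z WS-0142 msedge.exe downloadtheproject.xyz 443 310
2026-02-03T10:00:02Z WS-0142 svchost.exe api.telegram.org 443 48213
2026-02-03T10:00:05Z WS-0142 Telegram.exe api.telegram.org 443 900
2026-02-03T10:01:30Z WS-0177 chrome.exe news.example.net 443 5000
"""

def parse(line):
    ts, host, proc, dest, port, out = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(), "dest": dest.lower(),
            "port": int(port), "bytes_out": int(out)}

def is_messaging(dest):
    # Match the domain itself or any subdomain of it (api.telegram.org)
    return any(dest == d or dest.endswith("." + d) for d in MESSAGING_DOMAINS)

def triage(log_text):
    # Return (ts, host, proc, dest, rule) tuples for lines worth an analyst's attention
    alerts = []
    for rec in map(parse, log_text.splitlines()):
        key = (rec["ts"], rec["host"], rec["proc"], rec["dest"])
        if rec["dest"].rsplit(".", 1)[-1] in WATCH_TLDS:
            alerts.append(key + ("watched_tld",))
        # Messaging traffic from a process that is not a known client is the interesting case
        if is_messaging(rec["dest"]) and rec["proc"] not in EXPECTED_CLIENTS:
            alerts.append(key + ("messaging_from_unexpected_process",))
    return alerts

def messaging_bytes_by_process(log_text):
    # Outbound volume to messaging domains per process: a quick exfiltration indicator
    totals = Counter()
    for rec in map(parse, log_text.splitlines()):
        if is_messaging(rec["dest"]):
            totals[rec["proc"]] += rec["bytes_out"]
    return totals
```

Note that the blanket TLD rule also fires on the ordinary .net destination in the sample, which is the trade-off the guidance implies; an allow-list of known-good domains keeps that rule usable.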

