Phishing ZIP Files Deploy PXA Stealer Hackers Against

David Kimber
March 27, 2026

A new wave of cyberattacks has placed financial institutions globally on high alert. Threat actors are aggressively deploying PXA Stealer, a potent information-stealing malware, against organizations across the world.

The surge follows law enforcement’s successful dismantling of major infostealer operations, including Lumma, Rhadamanthys, and RedLine, throughout 2025.

With those platforms gone, PXA Stealer has moved in to fill the gap, with researchers estimating its activity grew by 8 to 10 percent during the first quarter of 2026.

These campaigns use phishing emails carrying malicious URLs that direct victims to download ZIP files packed with hidden malware.

The attackers use a wide range of decoy documents to lure targets — from fake resumes and Adobe Photoshop installers to tax forms and legal paperwork.

This variety ensures the threat can reach employees across many departments in a financial organization, making it difficult to defend against with one-size-fits-all email filters.

CyberProof analysts and threat researchers identified this growing campaign during Q1 2026, noting its deliberate focus on global financial institutions.

Their investigation centered on a campaign cluster tied to a bot identifier labeled “Verymuchxbot,” which differed in several key ways from publicly reported PXA Stealer activity from August 2025.

By tracing the full kill chain — from the first phishing email through to final data theft — the team was able to document exactly how the malware reaches its target.

PXA Stealer is built to quietly collect browser credentials, saved passwords, and cryptocurrency wallet data from infected machines.

After harvesting this information, it sends everything to attacker-controlled Telegram channels, so the exfiltration is HTTPS traffic to a legitimate, widely used service and draws little scrutiny from network controls.

The malware also writes a registry entry to ensure it keeps running even after the machine is restarted, giving attackers long-term access to the compromised system.

What sets this campaign apart is how naturally it blends into normal system activity. The attackers use legitimate Windows tools and rename files to match trusted process names, reducing the chance of detection.

As PXA Stealer’s reach continues to expand, organizations in the financial sector face a growing, real risk to their data.

Inside the Infection Chain

The attack starts when a victim is tricked into downloading a ZIP archive named Pumaproject.zip from the domain downloadtheproject[.]xyz.

The archive contains a file called Document.docx.exe, designed to look like a harmless Word document.

When the victim runs it, the malware springs into action, extracting a Python interpreter, several Python libraries, and malicious scripts, while creating a hidden folder called “Dots” to store the remaining attack components. 

Kill Chain of the Investigated PXA Stealer Incident (Source: CyberProof)

Inside the “Dots” folder, the attackers store a legitimate WinRAR binary renamed as picture.png, alongside an encrypted archive disguised as Shodan.pdf.

The built-in Windows tool certutil.exe decodes this file back into an archive, after which the renamed WinRAR binary unpacks it using the password “shodan2201”.

Certutil.exe Deobfuscates Content from Shodan.pdf (Source: CyberProof)

Its contents land in C:\Users\Public\WindowsSecure, and the Python interpreter is renamed to svchost.exe to pass as a trusted Windows process.

Python Interpreter Dropped as svchost.exe (Source: CyberProof)

A heavily obfuscated Python script, disguised as images.png, is then launched with the $BOT_ID argument pointing to “Verymuchxbot.”

The script hooks into the victim’s browsers to intercept credentials and crypto wallet data during active sessions.

PXA Stealer Hooks to Steal User Data (Source: CyberProof)

All stolen data is finally sent out over Telegram to attacker-controlled channels.

Security teams should monitor email for suspicious URLs and for ZIP or RAR attachments, especially those whose file names suggest invoices, bills, resumes or other job-related content.

Blocking entire top-level domains is rarely workable (.net in particular cannot be blocked outright); the practical control is to block or sandbox connections to newly registered and low-reputation domains, which cluster on abused TLDs such as .xyz, .shop and .info, and to review the source-file context of anything downloaded from them.

Traffic to third-party messaging services such as Telegram, in particular to api.telegram.org from any process that is not an approved client, should be audited for unauthorized data movement.

EDR alerts for process injection should be treated with urgency, and CTI feeds along with threat hunting queries should be kept current to detect emerging infostealer threats before they cause damage.
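The attachment-screening advice above can be made concrete at a mail gateway or sandbox. The following is an added example and not code from the article or from CyberProof: a Python inspector that opens a ZIP attachment in memory and flags the traits seen in this campaign, a double-extension executable, PE content under a non-executable name, a member whose content does not match its extension, nested archives, and an encrypted member that cannot be inspected without its password (the case of the Shodan.pdf archive, which a scanner must treat as suspicious rather than silently skip). The sample archive is constructed: the page says Pumaproject.zip carried Document.docx.exe, while the renamed binary and the fake PDF are dropped later by the malware; they are placed in the sample only to exercise the other rules. Python's zipfile cannot read RAR, so RAR attachments need a separate unpacker.

```python
import io
import posixpath
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi"}
DOC_EXT = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf", ".jpg", ".png")
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}
PE_MAGIC = b"MZ"
MAGIC = {  # what a file with this extension should start with
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".rar": b"Rar!",
}


def classify_entry(info, head):
    """Rules for one archive member; head is its first bytes, or None if it could not be read."""
    rules = []
    base, ext = posixpath.splitext(info.filename.lower())
    if ext in EXEC_EXT:
        rules.append("executable_extension")
        if base.endswith(DOC_EXT):          # Document.docx.exe: decoy extension before the real one
            rules.append("double_extension_decoy")
    if ext in ARCHIVE_EXT:
        rules.append("nested_archive")
    if head is None:                        # encrypted: nothing more can be said, so say that
        rules.append("encrypted_member_not_inspectable")
        return rules
    if head.startswith(PE_MAGIC):           # a PE is a PE whatever it is called (picture.png)
        rules.append("pe_content")
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        rules.append("extension_content_mismatch")
    return rules


def inspect_zip(data):
    """Map each suspicious member of a ZIP (given as bytes) to the rules it triggers."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = None
            if not info.flag_bits & 0x1:    # general-purpose bit 0 = encrypted member
                with zf.open(info) as fh:
                    head = fh.read(8)       # only the magic is needed, so no zip-bomb exposure
            rules = classify_entry(info, head)
            if rules:
                findings[info.filename] = rules
    return findings


def encrypted_member(name):
    """A ZipInfo flagged as encrypted, to exercise the uninspectable-member path."""
    info = zipfile.ZipInfo(name)
    info.flag_bits |= 0x1
    return info


def build_sample_zip():
    """Constructed lure archive (not the real Pumaproject.zip); member contents are stand-ins."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Pumaproject/Document.docx.exe", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE stub
        zf.writestr("Pumaproject/Dots/picture.png", b"MZ\x90\x00" + b"\x00" * 60)   # renamed binary
        zf.writestr("Pumaproject/Dots/Shodan.pdf", b"UmFyIRoHAQA=\r\n")              # base64 text, not a PDF
        zf.writestr("Pumaproject/notes.pdf", b"%PDF-1.7\n%benign placeholder\n")    # genuine-looking PDF
        zf.writestr("Pumaproject/README.txt", b"project files\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, rules in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(rules)}")
    print("inner.rar (encrypted):", classify_entry(encrypted_member("inner.rar"), None))
```

In a gateway the verdict for a message would be the union of its members' rules; "encrypted_member_not_inspectable" and "double_extension_decoy" are the two worth quarantining on alone, while a content mismatch on an image or PDF is a strong hint that deserves sandboxing.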

David Kimber
David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Telnyx PyPI Package With 742,000 downloads Compromised in TeamPCP

Next Post

Hackers Deploy BRUSHWORM and BRUSHLOGGER Against South Asian

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
cPanelSniper PoC Exploit for cPanel Vulner Disclosed Vulnerability
May 2, 2026
EtherRAT Targets Enterprise Admins with SEO Poison
May 1, 2026
New Spyware Platform: Rebrand & Resell Android Lets Buyers
May 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Sarah simpson
Sarah simpson
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Detects Critical MongoDB CVE-

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us