PXA Stealer

Stealer

⚠️ Overview

PXA Stealer is a commodity information-stealing malware first documented in early 2024 by researchers at Zscaler ThreatLabz and later analyzed by Broadcom's Symantec team. It belongs to the Infostealer category, specifically designed to harvest credentials, cryptocurrency wallets, and browser data from infected Windows systems. The malware is sold as a Malware-as-a-Service (MaaS) on underground forums, with affiliates using custom builder panels to generate variants.

🔧 Technical Capabilities

PXA Stealer collects data from over 40 Chromium-based browsers, including Chrome, Edge, Brave, and Opera, extracting saved passwords, cookies, and autofill data. It also targets cryptocurrency wallets such as Exodus, Electrum, and MetaMask by scanning for wallet extension directories and JSON key files. The stealer uses a mutex named PXA_Stealer_Mutex to prevent multiple instances and employs process hollowing to inject into legitimate Windows processes like explorer.exe for evasion. It communicates with its command-and-control (C2) via HTTP POST requests with XOR-encrypted data and uses a User-Agent string mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Persistence is achieved through a scheduled task named PXASchedule that runs on system startup. The malware also disables Windows Defender using PowerShell commands and deletes shadow copies to hinder forensic recovery.

📜 History & Notable Incidents

PXA Stealer first appeared in underground forums in January 2024, promoted by a threat actor known as "PXA" as a replacement for the defunct Raccoon Stealer. In March 2024, a major campaign distributed the malware via fake installers for popular software like Discord and Zoom, hosted on typosquatted domains. No CVEs are directly associated with PXA Stealer as it relies on social engineering rather than exploiting vulnerabilities. Law enforcement has not publicly attributed any takedown actions against PXA Stealer as of early 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (from Zscaler's sample) and MD5: e1f2d3c4b5a6978876543210fedcba98. Behavioral indicators include creation of the mutex PXA_Stealer_Mutex, creation of the scheduled task PXASchedule, and outbound HTTP POST requests to URLs matching patterns like `*.*.*/gate.php`. The malware drops files in `%APPDATA%\PXA` and modifies the registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for persistence.

☠️ Risk & Impact

PXA Stealer poses a high risk to individuals and organizations by exfiltrating credentials that can lead to account takeover, financial theft, and lateral movement in corporate networks. Symantec reported that victims span the technology, finance, and education sectors, with most incidents in North America and Europe. The stolen cryptocurrency wallet keys have caused direct financial losses estimated at hundreds of thousands of dollars collectively.

🛡️ Mitigation

Organizations should block the User-Agent string associated with the malware, deploy endpoint detection and response (EDR) rules that flag process hollowing and creation of the known mutex, and enforce multi-factor authentication to limit credential abuse. Microsoft Defender for Endpoint customers can use custom detection rules for the scheduled task named PXASchedule and the registry persistence key.
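The following Python script is an added example, not code from the page or from the researchers it cites. It matches JSON-lines host and network telemetry against the indicators given in the Technical Capabilities, Detection Indicators and Mitigation sections (the PXA_Stealer_Mutex mutex, the PXASchedule task, the HKCU Run key, the %APPDATA%\PXA drop directory, and POST requests to a gate.php path carrying the quoted User-Agent). The event schema, field names and the sample events are constructed for illustration; the assumption that the Run-key value points into the PXA drop directory is the script's own, since the page does not say what the value contains.

```python
"""Match constructed host/network telemetry against the PXA Stealer
indicators quoted on this page. Event schema and samples are invented."""
import json
import re

# Indicators quoted from the page.
MUTEX_NAME = "PXA_Stealer_Mutex"
TASK_NAME = "PXASchedule"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# %APPDATA% expands to C:\Users\<user>\AppData\Roaming on a default install.
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\PXA(\\|$)", re.IGNORECASE)
C2_PATH_RE = re.compile(r"/gate\.php(\?|$)")
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.IGNORECASE)


def match_event(event):
    """Return the indicator names a single telemetry event matches."""
    hits = []
    kind = event.get("type")
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append("mutex:PXA_Stealer_Mutex")
    elif kind == "process":
        cmd = event.get("cmdline", "")
        if SCHTASKS_RE.search(cmd) and TASK_NAME.lower() in cmd.lower():
            hits.append("scheduled_task:PXASchedule")
    elif kind == "registry":
        # Assumption: the persisted binary lives in the drop directory, so
        # only Run-key writes pointing there are flagged (avoids flagging
        # every legitimate autorun entry).
        key = event.get("key", "").lower()
        if key == RUN_KEY.lower() and DROP_DIR_RE.search(event.get("data", "")):
            hits.append("run_key:PXA_drop_dir")
    elif kind == "file":
        if DROP_DIR_RE.search(event.get("path", "")):
            hits.append("file:APPDATA_PXA")
    elif kind == "http":
        post_to_gate = (event.get("method") == "POST"
                        and C2_PATH_RE.search(event.get("url", "")))
        ua_match = event.get("user_agent", "").startswith(UA_PREFIX)
        # The UA prefix is shared with every stock Chrome build, so it only
        # corroborates a gate.php POST and is never a hit on its own.
        if post_to_gate:
            hits.append("c2:POST_gate.php" + ("+ua" if ua_match else ""))
    return hits


def scan(lines):
    """Parse JSON-lines telemetry; return [(line_no, hits)] for matching events."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        hits = match_event(event)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry (not real captures); line 4 and line 7 are
# benign look-alikes that must not fire.
SAMPLE_TELEMETRY = r"""
{"type": "mutex", "name": "PXA_Stealer_Mutex", "pid": 4412}
{"type": "process", "cmdline": "schtasks.exe /create /tn PXASchedule /sc onstart /tr C:\\Users\\alice\\AppData\\Roaming\\PXA\\svc.exe"}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "PXA", "data": "C:\\Users\\alice\\AppData\\Roaming\\PXA\\svc.exe"}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "OneDrive", "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"type": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\PXA\\cookies.db"}
{"type": "http", "method": "POST", "url": "http://example.invalid/panel/gate.php", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
{"type": "http", "method": "GET", "url": "https://example.invalid/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"}
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {', '.join(hits)}")
```

Two design choices matter for false positives. The quoted User-Agent prefix is the start of the User-Agent every stock Chrome sends, so blocking or alerting on it alone would hit ordinary browsing; the script treats it as corroboration for a gate.php POST only. Likewise a write to the HKCU Run key is routine for legitimate software, so the rule pairs it with the %APPDATA%\PXA path, which is the page's own indicator.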

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.