Phishing ZIP Files Used to Deploy PXA Stealer Targeting Financial Firms

A significant surge in PXA Stealer campaigns targeting global financial institutions during Q1 2026.

This marks a notable shift in the infostealer landscape, filling the gap left by the takedowns of major malware families like Lumma, Rhadamanthys, and RedLine in 2025.

Researchers estimate PXA Stealer activity increased by nearly 8–10% as threat actors rapidly adapt.

Attacks primarily begin with phishing emails containing malicious links leading to ZIP archive downloads.

These archives use convincing lures such as job applications, tax documents, legal files, or software installers like Adobe Photoshop.

In one investigated case, a victim downloaded “Pumaproject.zip” from a suspicious domain.

Kill Chain of investigated PXA Stealer incident (Source : CyberProof).
Kill Chain of investigated PXA Stealer incident (Source : CyberProof).

CyberProof MDR analysts and Threat Researchers identified a significant surge in PXA Stealer targeting global financial institutions.

Inside the archive, an executable named “Document.docx.exe” tricked users via double file extensions.

Phishing ZIP Files

Execution initiates a complex, multi-stage attack. It unpacks a hidden directory containing a Python interpreter, supporting libraries, and scripts.

A decoy Word document displays while malicious processes run in the background.

Attackers use Living-off-the-Land Binaries (LOLBins) for evasion. For example, Windows utility certutil.exe decodes hidden payloads into an encrypted archive disguised as a PDF file.

A renamed WinRAR executable, masquerading as “picture.png,” extracts the archive.

The payload deploys to a directory like “C:\Users\Public\WindowsSecure,” using a password-protected archive. The Python interpreter is renamed to “svchost.exe” to blend in.

Microsoft document used for side loading next stage payload (Source : CyberProof).
Microsoft document used for side loading next stage payload (Source : CyberProof).

The renamed interpreter executes an obfuscated Python script, often disguised as an image file. This script references a Telegram bot identifier, e.g., “Verymuchxbot,” for command-and-control.

Dropping Python Interpreter disguised as svchost.exe (Source : CyberProof).
Dropping Python Interpreter disguised as svchost.exe (Source : CyberProof).

Once active, PXA Stealer injects into web browsers to harvest sensitive data: saved credentials, browsing sessions, cryptocurrency wallet info, and real-time interception of targeted site activity.

Stolen data is exfiltrated via Telegram channels, highlighting legitimate platforms for covert transfer. It establishes persistence via modified Windows registry entries.

Variations include folder name changes, payload delivery techniques, and bot identifiers, allowing evasion of signature-based detection.

The legitimate WinRAR executable in the “Dots” folder renamed picture.png unpacks the archive.

Winrar disguised as picture.png unpacks the archive (Source : CyberProof).
Winrar disguised as picture.png unpacks the archive (Source : CyberProof).

While the overall kill chain resembles earlier PXA campaigns from 2025, subtle changes were observed.

The opportunistic lures suggest attackers target broadly across financial organizations, increasing compromise likelihood.

Mitigations

Security teams should monitor for suspicious email attachments, especially ZIP or RAR files with misleading names.

Execution of scripts like VBS, VBE, or JavaScript from temporary or email directories should be treated as high risk.

Organizations should watch for unusual process behavior, including process injection and execution of renamed binaries (e.g., svchost.exe) from non-standard locations.

Outbound connections to uncommon domains (.xyz, .shop) should be investigated, especially linked to file downloads.

Monitoring traffic to messaging platforms like Telegram can detect data exfiltration attempts.

Keeping threat intelligence feeds updated and proactively hunting for PXA Stealer indicators can improve defenses.

Related Articles

Back to top button