4,000+ Victims Targeted By Telegram-Based Infostealer Operation

Image by Christian Wiediger, from Unsplash


Reading time: 2 min

PXA Stealer, a Python-based information stealer, lets its operators harvest data from thousands of users largely undetected and then sell it through Telegram.

In a rush? Here are the quick facts:

  • Over 4,000 victims across 62 countries hit by PXA Stealer malware.
  • Hackers stole 200,000+ passwords and 4 million browser cookies.
  • Malware spreads via fake PDF and Word files with hidden code.

Researchers at SentinelLabs report that a new campaign using the Python-based PXA Stealer malware has infected thousands of computers in at least 62 countries, stealing more than 200,000 passwords, credit card information, and millions of browser cookies.

The operation first appeared in late 2024 and has grown increasingly sophisticated in 2025. It relies on fake downloads posing as software such as Haihaisoft PDF Reader or Microsoft Word 2013 to trick users into opening malicious files.

These files then install malware that steals sensitive information such as cryptocurrency wallet details, saved passwords, and browser history, and sends it to private Telegram channels via automated bots.

Researchers say “the threat actors behind these campaigns are linked to Vietnamese-speaking cybercriminal circles” that profit from selling the stolen data using Telegram’s API.

PXA Stealer uses several methods to hide its presence. It disguises its files under innocuous names such as “images.png” and “Document.pdf”, and it abuses signed, legitimate programs to evade detection. Once installed, it exfiltrates the harvested data through Telegram, which the researchers say lets the traffic blend in and go unnoticed by most antivirus software.
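The file-name trick described above (a payload parked behind a name like “images.png” or “Document.pdf”) is cheap to catch at triage time: the claimed extension rarely matches the file's leading bytes. The following is an added example, not code from the article or from the SentinelLabs report. It compares a file's extension against well-known public magic-byte signatures and flags content that looks like an executable, archive or script hiding behind a document extension. The sample payloads are constructed bytes, not samples from the campaign.

```python
"""Flag files whose extension does not match their leading bytes.

Added illustration (not from the article or the SentinelLabs report).
Signatures below are the standard public ones; sample inputs are constructed.
"""
from pathlib import PurePath

# What a file with this extension should start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers, so PK is legitimate here
    ".xlsx": b"PK\x03\x04",
}

# Content that has no business sitting behind a document or image extension.
SUSPICIOUS = {
    b"MZ": "PE executable (EXE/DLL)",
    b"PK\x03\x04": "ZIP container (archive or self-extracting package)",
    b"#!": "script with shebang",
    b"\x7fELF": "ELF executable",
}


def classify(name: str, head: bytes) -> str:
    """Return 'ok', 'unknown-extension', or 'mismatch: <reason>' for one file."""
    ext = PurePath(name).suffix.lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if head.startswith(expected):
        return "ok"
    for sig, label in SUSPICIOUS.items():
        if head.startswith(sig):
            return f"mismatch: {name!r} claims {ext} but starts like {label}"
    return f"mismatch: {name!r} does not carry the {ext} signature"


def scan(samples: dict) -> list:
    """Scan a mapping of file name -> leading bytes; return names with a mismatch."""
    return [name for name, head in samples.items()
            if classify(name, head).startswith("mismatch")]


# Constructed sample set (hypothetical names and bytes, not campaign artifacts).
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,      # genuine PNG header
    "Document.pdf": b"MZ\x90\x00\x03\x00\x00\x00",          # PE executable behind .pdf
    "images.png": b"PK\x03\x04\x14\x00\x00\x00",            # ZIP archive behind .png
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",           # legitimate OOXML container
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:14} -> {classify(name, head)}")
```

Only the first bytes are read, so this runs fine over a quarantine directory of arbitrary size; it is a first-pass filter, not a replacement for a real file-type library, and it deliberately treats a ZIP header behind `.docx`/`.xlsx` as normal because those formats are ZIP containers.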

Victims include users from South Korea, the U.S., the Netherlands, Hungary, and Austria. Telegram is used not only to send data but also to organize and manage the stolen information. One bot, called ‘Logs_Data_bot’, connects to multiple channels like ‘James – New Logs’ or ‘Adonis – Reset Logs’, which categorize the stolen data and send automated updates to hackers.

“Each bot is tied to as many as 3 Telegram channels,” said the researchers, and the data is neatly sorted and packaged for quick resale on services like Sherlock.
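Because the stealer exfiltrates through the public Telegram Bot API (described above) and each bot fans out to a handful of channels, the operator's bot token is the one identifier that ties infected hosts to a campaign. The following is an added example, not code from the article or from the SentinelLabs report: it runs a simple detection over constructed outbound proxy log lines (the timestamp/client/verb/URL/status/bytes layout is assumed for illustration), flags Bot API calls, groups bytes sent per bot ID, and redacts the token secret before the hit is written to a ticket or SIEM. It also handles the common case where the proxy does not inspect TLS and only ever sees a CONNECT to api.telegram.org.

```python
"""Detect Telegram Bot API exfiltration in outbound proxy logs.

Added illustration (not from the article or the SentinelLabs report).
Log layout and all bot IDs/tokens below are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Bot API URLs have the public shape https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# Methods that carry data out of the host; anything else is still worth noting.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendMediaGroup", "sendVideo"}


@dataclass
class Hit:
    ts: str
    client: str
    bot_id: str        # "?" when only a CONNECT was seen
    method: str
    bytes_out: int
    confidence: str    # high / medium / low


def redact(url: str) -> str:
    """Keep the numeric bot ID (useful for pivoting) but drop the token secret."""
    return BOT_API.sub(lambda m: f"https://api.telegram.org/bot{m['bot_id']}:<REDACTED>/{m['method']}", url)


def analyse(lines) -> list:
    """Return one Hit per Telegram Bot API request found in the log lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue                     # malformed line; skip rather than crash
        ts, client, verb, url, _status, size = parts[:6]
        m = BOT_API.search(url)
        if m:
            conf = "high" if verb == "POST" and m["method"] in EXFIL_METHODS else "medium"
            hits.append(Hit(ts, client, m["bot_id"], m["method"], int(size), conf))
        elif verb == "CONNECT" and url.split(":")[0] == "api.telegram.org":
            # No TLS inspection: destination is known but bot and method are not.
            hits.append(Hit(ts, client, "?", "?", int(size), "low"))
    return hits


def bytes_per_bot(hits) -> dict:
    """Aggregate outbound volume per bot ID; large totals from one bot are the tell."""
    totals = defaultdict(int)
    for h in hits:
        totals[h.bot_id] += h.bytes_out
    return dict(totals)


# Constructed proxy log: hypothetical hosts, a hypothetical bot ID and a dummy secret.
SECRET = "AAH" + "x" * 32
LOG = f"""\
2025-07-30T10:21:04Z 10.0.0.12 POST https://api.telegram.org/bot7000000001:{SECRET}/sendDocument 200 48213
2025-07-30T10:21:05Z 10.0.0.12 POST https://api.telegram.org/bot7000000001:{SECRET}/sendMessage 200 612
2025-07-30T10:22:17Z 10.0.0.45 GET https://www.example.com/index.html 200 9312
2025-07-30T10:23:40Z 10.0.0.77 CONNECT api.telegram.org:443 200 150233
"""

if __name__ == "__main__":
    for h in analyse(LOG.splitlines()):
        print(h)
    print(bytes_per_bot(analyse(LOG.splitlines())))
```

A bare CONNECT to api.telegram.org is only a low-confidence signal on its own, since legitimate Telegram clients use the same host; the stronger indicators are POSTs to the `send*` methods, the same bot ID appearing from several internal hosts, and volume that looks like browser profile archives rather than chat messages. Never store the raw token: it is a live credential for the operator's bot, and leaking it into a ticket is how it ends up in the wrong hands.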

The investigation shows how cybercriminals are now using platforms like Telegram and Cloudflare to run operations quickly, cheaply, and at scale, turning information theft into a highly efficient business.
