Hackers linked to Vietnamese-speaking cybercriminal groups have stolen sensitive data from thousands of victims across the world as part of an ongoing cybercrime campaign that uses the messaging platform Telegram to automate the resale of compromised information, researchers have found.
According to new reports by Beazley Security Labs and SentinelLabs, the attackers have used a Python-based malware called PXA Stealer to collect passwords, financial credentials, browser cookies and cryptocurrency wallet data from infected devices in at least 62 countries, including the United States, South Korea, the Netherlands, Austria and Hungary.
The campaign is “rapidly evolving,” the research teams jointly said, adding that “PXA Stealer, and the threat actors behind it, continue to feed the greater infostealer ecosystem.”
The researchers identified multiple Telegram bots with Vietnamese-language names linked to a central channel known as @Lonenone, which featured a Vietnam flag emoji and had been associated with Vietnamese threat actors in previous reports. In an earlier campaign described by Cisco Talos, hackers linked to Vietnam used PXA Stealer to target government and education entities in Europe and Asia.
Beazley Security and SentinelLabs identified more than 4,000 unique victim IP addresses in the stolen logs. The hackers exfiltrated over 200,000 passwords, hundreds of credit card records, and more than 4 million browser cookies. Stolen session cookies are especially dangerous because replaying one lets an attacker take over an already logged-in account without knowing the password or passing a second factor, which is how they are used to hijack online accounts and steal money.
The hackers sent phishing lures that tricked users into downloading seemingly legitimate software — such as Microsoft Word 2013 or Haihaisoft PDF Reader — bundled with malicious files. In a recent wave observed in July, attackers used a signed Microsoft Word executable disguised as a document displaying a fake copyright infringement notice. The lure didn’t include malicious links, likely to evade detection by security tools.
Once deployed, PXA Stealer collects a wide range of information, including data from digital wallets, VPN clients, Discord and cloud file-sharing applications. The stolen data is compressed into ZIP files and relayed through the Cloudflare Workers service to Telegram bot channels, so the infected host uploads to a Cloudflare-hosted endpoint rather than contacting Telegram directly, and the exfiltration blends in with ordinary traffic to Cloudflare. The researchers said they reported the abuse of Cloudflare Workers to the company, which “took immediate action” to disrupt the attackers’ infrastructure.
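For defenders, the exfiltration chain described above (ZIP archives pushed to a Cloudflare Workers relay and on to Telegram bots) is the part that is visible in egress telemetry. The script below is an added example written for this page, not code from the Beazley or SentinelLabs reports and not tied to any real PXA Stealer indicator. It scans constructed proxy log lines in a made-up `key=value` format and flags two things: direct uploads to the Telegram Bot API (whose real path shape is `/bot<id>:<secret>/<method>`), and POSTs of ZIP or unusually large bodies to the default `*.workers.dev` hostname that Cloudflare assigns to Workers. The bot token in the sample is a placeholder, the 1 MiB size threshold is an assumption to tune locally, and the log format is invented for the demo.

```python
import re
from dataclasses import dataclass

# Constructed egress-proxy log lines for the demo (not real telemetry).
# The bot token below is a made-up placeholder, not a real credential.
SAMPLE_LOGS = """\
ts=2025-07-14T09:12:01Z src=10.1.4.22 method=POST host=api.telegram.org path=/bot7301234567:AAHexampletoken_notreal/sendDocument ctype=multipart/form-data bytes=1843210
ts=2025-07-14T09:12:05Z src=10.1.4.22 method=POST host=quiet-river-1234.workers.dev path=/upload ctype=application/zip bytes=2206144
ts=2025-07-14T09:13:40Z src=10.1.4.30 method=GET host=update.microsoft.com path=/ ctype=- bytes=512
ts=2025-07-14T09:14:02Z src=10.1.4.31 method=POST host=api.telegram.org path=/bot7301234567:AAHexampletoken_notreal/getUpdates ctype=application/json bytes=120
ts=2025-07-14T09:15:00Z src=10.1.4.40 method=POST host=example.workers.dev path=/api/v1/events ctype=application/json bytes=900
ts=2025-07-14T09:16:21Z src=10.1.4.22 method=POST host=quiet-river-1234.workers.dev path=/upload ctype=application/octet-stream bytes=5242880
"""

# Telegram Bot API path shape: /bot<numeric id>:<secret>/<apiMethod>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/([A-Za-z]+)")

# Assumed threshold: a POST body this large to a Workers host is worth a look.
LARGE_UPLOAD = 1 * 1024 * 1024  # 1 MiB


@dataclass
class Finding:
    src: str
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Split one constructed 'k=v k=v ...' log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def check(fields: dict):
    """Return a Finding for one parsed line, or None if it looks benign."""
    if fields.get("method") != "POST":
        return None
    host = fields.get("host", "")
    path = fields.get("path", "")
    ctype = fields.get("ctype", "")
    nbytes = int(fields.get("bytes", "0") or 0)

    # Rule 1: file upload straight to a Telegram bot. Only the numeric bot id
    # is surfaced; the secret half of the token must not land in an alert.
    if host == "api.telegram.org":
        m = BOT_PATH.match(path)
        if m and m.group(3).startswith("send"):
            return Finding(fields["src"], host, "telegram_bot_upload",
                           f"bot_id={m.group(1)} method={m.group(3)}")

    # Rule 2: ZIP or large body pushed to a Cloudflare Workers default host,
    # the relay pattern described for this campaign.
    if host.endswith(".workers.dev") and (ctype == "application/zip" or nbytes >= LARGE_UPLOAD):
        return Finding(fields["src"], host, "workers_relay_upload",
                       f"ctype={ctype} bytes={nbytes}")
    return None


def scan(log_text: str) -> list:
    """Run check() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check(parse_line(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.rule}: src={f.src} host={f.host} {f.detail}")
```

Two caveats apply in practice. A Worker can be served from a custom domain, so the `.workers.dev` suffix only catches the lazy case, and when the relay is doing its job the infected host never contacts `api.telegram.org` at all, so the Telegram rule fires only on stealers that skip the relay. The size and content-type heuristic is the more durable signal; pair it with an egress allow-list for Telegram on corporate networks where no business use exists.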
The hackers profit from the campaign by feeding the stolen data into Telegram-based subscription services that automate resale to other criminals. Services like Sherlock, Daisy Cloud, and Moon Cloud make the data “sales-ready” for threat actors who specialize in financial fraud, cryptocurrency theft, or organizational breaches, the researchers said.
According to researchers, this operation highlights a broader trend in which legitimate services, including Telegram, are being weaponized at scale by cybercriminals to carry out and monetize information theft.
“The developer-friendly nature of Telegram – combined with the company’s laissez-faire attitude towards cybercrime – underscores the crucial role that Telegram plays in the holistic cybercriminal ecosystem,” researchers added.