PXA
PXA Stealer is a Python-based information stealer linked to Vietnamese-speaking threat actors. Microsoft identified it in phishing-delivered campaigns observed in October 2025 and December 2025. The malware can harvest login credentials, financial information, and browser data; more broadly, Microsoft noted Python-based stealers collect login credentials, session cookies, authentication tokens, credit card numbers, and cryptocurrency wallet data. In the observed PXA Stealer attack chains, the operators used phishing emails for initial access, registry Run keys or scheduled tasks for persistence, and Telegram for command-and-control communications and data exfiltration. Based on the provided content, the known alias/name is PXA Stealer (listed here as pxa).
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.