🇦🇷 AR4 malware families

Lawxsz

Also known aslawxsz

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Banks
Financial Services

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

22 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics26 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

TA0004

Privilege Escalation

1 technique

T1055

Process Injection

TA0005

Stealth

4 techniques

T1055

Process Injection

T1497×2

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1620

Reflective Code Loading

T1622

Debugger Evasion

TA0006

Credential Access

4 techniques

T1528

Steal Application Access Token

T1539

Steal Web Session Cookie

T1555×2

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

T1649×2

Steal or Forge Authentication Certificates

TA0007

Discovery

5 techniques

T1012

Query Registry

T1057

Process Discovery

T1082

System Information Discovery

T1497×2

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1622

Debugger Evasion

TA0009

Collection

3 techniques

T1005

Data from Local System

T1113

Screen Capture

T1560

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

2 techniques

T1071

Application Layer Protocol

T1568

Dynamic Resolution

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Packit StealerLawxsz is an Argentinian threat actor and malware author responsible for developing and distributing a portfolio of stealers and remote access tools, including: Prysmax Stealer Valkyrie Stealer Packit Stealer1May 24, 2026

Prysmax StealerLawxsz is an Argentinian threat actor and malware author responsible for developing and distributing a portfolio of stealers and remote access tools, including: Prysmax Stealer Valkyrie Stealer Packit Stealer1May 24, 2026

SherlockBeyond his own products, he has also brokered access to large-scale credential aggregation tooling, including a December 2023 sale of a tool he referred to as Sherlock, advertised as containing millions of records, thousands of databases, and over 100 APIs including IntelX, supporting username, password, email, and URL-based lookups.1May 24, 2026

Valkyrie StealerThe first part, published at dexpose.io, covered a deep technical reverse engineering of the Valkyrie Stealer, analyzing its capabilities, evasion techniques, and operator profile.1May 24, 2026

IOCS

Observables

9 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

9 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

malware newsNews

May 24, 2026

Unmasking Lawxsz: Attributing the Developer Behind Valkyrie and Prysmax Stealers - Malware News - Malware Analysis, News and Indicators

Develops and distributes stealers and RATs, including Valkyrie and Prysmax, and acts as a cybercrime facilitator involved in selling FUD malware, trading stolen credit card data and BINs, commissioning phishing kits, trading Argentine DNI data, and brokering credential aggregation tooling.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping22

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables9

Domains, IPs, and hashes tied to this actor, refreshed continuously.

Lawxsz

Know when an actor pivots toward your sector

Targeting

Who they target

Where they're from

Tradecraft

Associated malware families

Observables

Domains

hash.sha256

Email addresses

uri

Recent activity

The version that knows your environment.