New PXA Stealer Malware Targets Banks, Uses Telegram to Exfiltrate Data


HackRead, Mar 26, 2026

Why It Matters

The surge in PXA Stealer activity puts banking credentials and crypto assets at risk, exposing financial firms to fraud, regulatory penalties, and reputational damage. Rapid detection and remediation are critical to safeguard customer trust and avoid costly breaches.

Key Takeaways

  • PXA Stealer attacks up 8‑10% in Q1 2026.
  • Phishing emails carry attachments disguised as tax documents or Photoshop installers.
  • Malware exfiltrates data via Telegram channels.
  • Targets credentials, crypto wallets, financial site logins.
  • Uses hidden “Dots” folder and svchost.exe masquerade.

Pulse Analysis

The recent uptick in PXA Stealer activity underscores a broader shift in the cyber‑crime ecosystem. As law‑enforcement operations dismantled legacy infostealers such as RedLine and Lumma, threat actors quickly migrated to newer, more adaptable tools. PXA’s focus on the banking sector reflects attackers’ appetite for high‑value credentials and cryptocurrency assets, which can be monetized on underground markets. By leveraging familiar phishing lures—tax documents, legal notices, and even Adobe Photoshop installers—the malware achieves a higher success rate, especially against employees accustomed to handling sensitive documents.

Technically, PXA employs a multi‑layered evasion strategy that complicates traditional endpoint detection. The payload hides in a concealed "Dots" directory, names its executable svchost.exe to blend in with the legitimate Windows service host, and ships with the password (shodan2201) needed to unpack its core components. Persistence is achieved through a registry entry that launches the payload at startup, while exfiltration is routed through Telegram channels, a platform favored because its traffic looks like ordinary encrypted web traffic and lends itself to rapid data transfer. This combination of stealth and fast‑moving data theft means security teams must watch more than file signatures: a legitimate svchost.exe runs only from the Windows System32 or SysWOW64 directories, so an svchost.exe launched from a user‑writable path is a strong signal, as is anomalous network traffic to .xyz or .shop domains often associated with command‑and‑control servers.

For financial institutions, the immediate priority is tightening email hygiene and user awareness. Deploying phishing‑simulation programs, enforcing attachment sandboxing, and blocking the execution of scripts and executables extracted from zip archives can blunt the initial infection vector. Additionally, feeding known PXA indicators—such as the "Pumaproject.zip" filename, the "BOT_ID" Verymuchxbot tag, and the svchost.exe masquerade—into SIEM detection rules enables earlier detection. As cyber‑criminals continue to refine their toolsets, banks must adopt a layered defense posture that blends technology, process, and continuous employee education to stay ahead of evolving malware threats.
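The two paragraphs above describe the indicators a SIEM rule would key on: an svchost.exe running outside its legitimate directories, execution from a "Dots" directory, a startup registry entry pointing into that directory, the "Pumaproject.zip" filename, the "Verymuchxbot" tag, the shodan2201 unpacking password, and traffic to .xyz or .shop domains. The following is an added example, not code from the HackRead article nor from the PXA Stealer analysis it summarises, showing how those indicators translate into hunting logic run over simplified, Sysmon‑like event records. The event field names, the sample events and the rule names are all constructed for this demonstration; the rules are heuristics, not vendor signatures.

```python
"""Hunt for PXA Stealer-style tradecraft in process, registry and network telemetry.

Added example, not code from the article or from the malware analysis it
summarises. Event field names (type, image, cmdline, key, data, dest_host)
and every sample event are constructed for this demonstration.
"""
import re
from typing import Dict, Iterable, List

# The only legitimate locations for svchost.exe on a Windows host.
# Anything else claiming that name is a masquerade candidate.
LEGIT_SVCHOST_PATHS = (
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
)
SUSPICIOUS_TLDS = (".xyz", ".shop")
# Matches HKCU/HKLM ...\CurrentVersion\Run\<value> and RunOnce, case-insensitive.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise slashes and case so path comparisons are reliable."""
    return path.replace("/", "\\").lower()


def path_has_dots_dir(path: str) -> bool:
    """True if any directory component (not the file name) is literally named 'Dots'."""
    parts = _norm(path).split("\\")
    return "dots" in parts[:-1]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names the event triggers, in evaluation order (empty = clean)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process":
        image = _norm(ev.get("image", ""))
        if image.endswith("\\svchost.exe") and image not in LEGIT_SVCHOST_PATHS:
            hits.append("svchost_masquerade")
        if path_has_dots_dir(image):
            hits.append("dots_dir_execution")
        cmd = ev.get("cmdline", "").lower()
        if "pumaproject.zip" in cmd:
            hits.append("pumaproject_archive")
        if "shodan2201" in cmd:
            hits.append("known_archive_password")
        if "verymuchxbot" in cmd:
            hits.append("verymuchxbot_tag")
    elif kind == "registry":
        # Persistence: a Run/RunOnce value whose data points into a Dots directory.
        if RUN_KEY_RE.search(_norm(ev.get("key", ""))) and path_has_dots_dir(ev.get("data", "")):
            hits.append("run_key_to_dots_dir")
    elif kind == "network":
        host = ev.get("dest_host", "").lower().rstrip(".")
        if host.endswith(SUSPICIOUS_TLDS):
            hits.append("suspicious_tld")
    return hits


def hunt(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> triggered rules, dropping events that trigger nothing."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        rules = check_event(ev)
        if rules:
            findings[ev["id"]] = rules
    return findings


# Constructed sample telemetry for the demonstration (not real logs).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": "e2", "type": "process", "image": r"C:\Users\alice\AppData\Roaming\Dots\svchost.exe",
     "cmdline": "svchost.exe"},
    {"id": "e3", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\Dots\svchost.exe"},
    {"id": "e4", "type": "network", "image": r"C:\Users\alice\AppData\Roaming\Dots\svchost.exe",
     "dest_host": "cdn-update.xyz"},
    {"id": "e5", "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com"},
    {"id": "e6", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c 7z x -pshodan2201 C:\Users\alice\Downloads\Pumaproject.zip"},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

The svchost.exe check is the one that generalises beyond this campaign: it flags any binary borrowing that name from a path other than System32 or SysWOW64, regardless of the directory the malware chooses. The string indicators (the archive name, the password, the bot tag) are cheap to match but easy for the operators to change, so treat them as short‑lived enrichment rather than the core of the rule.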
