Ghost in the Zip Reveals Expanding Ecosystem Behind PXA Stealer

Aug. 4, 2025
A newly identified Python-based malware known as PXA Stealer has been observed as part of a widespread cybercriminal campaign that has stolen sensitive data from victims in more than 60 countries.

The operation, called “Ghost in the Zip” by security researchers, has been tracked by SentinelLabs and Beazley Security since late 2024 and shows a marked evolution in how information stealers are developed and deployed.

Telegram Bots and Signed Apps Enable Stealth

The malware is distributed through archive files disguised as PNG or PDF documents, often bundled with decoy files to distract users and analysts.

These malicious archives sideload PXA Stealer through legitimate, signed software such as Haihaisoft PDF Reader and older versions of Microsoft Word.

Once deployed, the stealer exfiltrates data using a Telegram-based command-and-control (C2) system and relays information through Cloudflare Workers.

The campaign targets several data types, including saved passwords, browser cookies, session tokens, autofill data, cryptocurrency wallets and system metadata. Stolen data is compressed into ZIP archives before being sent to attacker-controlled channels for storage and resale.
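As an added illustration of the lure described above (not SentinelLabs or Beazley Security tooling), the following Python example checks a file's leading bytes against the format its extension claims, so a ZIP archive named like a PNG or PDF is flagged, and then inspects the archive for the sideloading shape of an executable packaged next to a DLL and decoy documents. The sample archive is constructed in memory, and its member names (`signed_reader.exe`, `helper.dll`, `invoice.pdf`) are placeholders, not file names from the campaign.

```python
"""Flag archives disguised as PNG/PDF files and summarise sideloading-style contents.
Added example code, not from the original article; sample data is constructed."""
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Well-known leading bytes of the formats involved.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if not recognised."""
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims an image/document but the bytes are a ZIP archive."""
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    return ext in ("png", "pdf") and sniff(data) == "zip"


def sideload_indicators(data: bytes) -> dict:
    """Group archive members by role: executables, DLLs and decoy documents.
    The sideloading pattern is an .exe shipped alongside at least one .dll."""
    exes, dlls, decoys = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            suffix = PurePosixPath(name).suffix.lower()
            if suffix == ".exe":
                exes.append(name)
            elif suffix == ".dll":
                dlls.append(name)
            elif suffix in (".pdf", ".png", ".docx", ".txt"):
                decoys.append(name)
    return {"exes": exes, "dlls": dlls, "decoys": decoys,
            "sideload_pattern": bool(exes and dlls)}


def assess(filename: str, data: bytes) -> dict:
    """Combine both checks into a single verdict for one file."""
    verdict = {"file": filename,
               "mismatch": extension_mismatch(filename, data),
               "sideload_pattern": False}
    if sniff(data) == "zip":
        verdict.update(sideload_indicators(data))
    return verdict


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP holding a placeholder exe, DLL and decoy document.
    Member names are hypothetical, not names observed in the campaign."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("invoice.pdf", b"%PDF-1.4 decoy document")
        archive.writestr("signed_reader.exe", b"MZ placeholder executable")
        archive.writestr("helper.dll", b"MZ placeholder library")
    return buffer.getvalue()


if __name__ == "__main__":
    print(assess("photo.png", build_sample_archive()))
    print(assess("real.png", MAGIC["png"] + b"\x00" * 16))
```

The magic-byte check is cheap enough to run at a mail gateway or on download folders; the member-role summary is what an analyst would look at next to decide whether the executable inside is a legitimately signed host for an untrusted DLL.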

Key Findings from Ghost in the Zip

According to an advisory published by SentinelLabs earlier today, the PXA Stealer campaign reflects a growing trend toward modular, cloud-integrated malware operations that prioritize stealth and scalability. 

By combining sideloading techniques with trusted applications and abusing widely used cloud platforms, attackers have extended the malware’s reach while making it harder to detect.

SentinelLabs’ analysis of the operation reveals several notable technical and operational characteristics:

  • More than 4000 unique victim IPs have been identified

  • At least 62 countries have been affected, including the US, the Republic of Korea and the Netherlands

  • Malicious code is often delivered via signed and trusted applications

  • Infrastructure abuse includes Telegram, Cloudflare Workers and Dropbox

  • A Python payload disguises itself as “svchost.exe” for stealth
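A defender's counterpart to the last finding, as an added example that is not part of the SentinelLabs advisory: a small rule over process-creation events that flags a process named svchost.exe whose image path, parent process or command-line arguments do not look like the Windows service host. The event records and their field names (`image`, `parent`, `cmdline`) are constructed here and are assumptions about whatever telemetry source is in use.

```python
"""Detection logic for a renamed interpreter posing as svchost.exe.
Added example; event records are constructed and field names are assumed."""
import ntpath  # Windows path handling, available on every platform

# Directories the genuine service host lives in, and its normal parent process.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_SVCHOST_PARENT = "services.exe"

# Constructed sample telemetry: one genuine service host, one renamed interpreter,
# one unrelated process.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "parent": "explorer.exe",
     "cmdline": r"svchost.exe main.py"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe",
     "cmdline": r"notepad.exe notes.txt"},
]


def suspicious_svchost(event: dict) -> list:
    """Return the reasons an svchost.exe event looks like a renamed binary.
    An empty list means the event either is not svchost.exe or looks normal."""
    image = event["image"]
    if ntpath.basename(image).lower() != "svchost.exe":
        return []
    reasons = []
    if ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"unexpected image path: {image}")
    parent = event.get("parent", "").lower()
    if parent != LEGIT_SVCHOST_PARENT:
        reasons.append(f"unexpected parent process: {parent or 'unknown'}")
    args = event.get("cmdline", "").lower()
    # A real service host takes "-k <group>"; a script path or "-c" suggests an interpreter.
    if ".py" in args or ".pyc" in args or " -c " in f" {args} ":
        reasons.append("interpreter-style command line")
    return reasons


def scan(events: list) -> list:
    """Return (image, reasons) pairs for every event that trips at least one check."""
    hits = []
    for event in events:
        reasons = suspicious_svchost(event)
        if reasons:
            hits.append((event["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Each check on its own can be noisy; the path check in particular is the strongest signal, and the other two are there so that an alert carries enough context to triage without pulling the binary first.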

The threat has also been integrated into Telegram-powered marketplaces, where access to stolen data is resold as part of a criminal subscription model. These platforms automate much of the data handling and monetization, reducing the technical burden on threat actors while expanding reach and speed.

Modern Malware-as-a-Service in Action

A wave of attacks observed in July 2025, in particular, demonstrates new levels of sophistication, SentinelLabs said.

Delayed execution, signed software and renamed binaries all contribute to a malware profile that is difficult to detect using standard tools. As data theft becomes more industrialized, this campaign highlights how malware is increasingly supported by full-service ecosystems that include distribution, data handling and monetization.

“The evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly more challenging to detect and analyze,” SentinelLabs said.

“PXA Stealer, and the threat actors behind it, continue to feed the greater infostealer ecosystem.”

Defenders must now focus not just on stopping code, but on disrupting the infrastructure and economic models that sustain these operations.
