- A new Linux malware variant offers advanced features and evasion mechanisms
- It has already infected thousands of devices around the world
- Passwords, credit card info, and more, at risk
A brand new Linux malware has been found infecting thousands of computers around the world, stealing people’s login credentials, payment information, and browser cookies, security researchers are warning.
SentinelLabs and Beazley Security issued a joint report detailing the activities of PXA Stealer, a new Python-based infostealer for the Linux platform.
It was first spotted in late 2024, and has since grown into a formidable threat, successfully evading defense tools while wreaking havoc across the globe.
Side-loading
Since its inception, PSA Stealer has seen multiple iterations, with the latest one stealing information from roughly 40 browsers – saved passwords, cookies, personally identifiable information (PII), autofill data, authentication tokens, and more.
It can target browser extensions for various crypto wallets, including Exodus, Magic Eden, Crypto.com, and many others, and can pull data from sites such as Coinbase, Kraken, and PayPal. Finally, it can inject a DLL into running browser instances to bypass encryption mechanisms.
PSA Stealer is apparently being distributed through phishing emails and malicious landing pages. The malicious attachments contain a legitimate program (such as a PDF reader) and a weaponized DLL. The program sideloads the DLL, successfully deploying the malware while not raising any alarms.
More than 4,000 computers were infected with PSA Stealer in 62 countries, the two companies said, suggesting that the campaign is rather successful.
However, the attackers – who seem to be of Vietnamese origin – aren’t interested in using the stolen data themselves, and instead are selling it on the black market – in a Telegram group.
The majority of the victims are located in South Korea, the US, the Netherlands, Hungary, and Austria.
“Initially surfacing in late 2024, this threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data,” the researchers explained. So far, more than 200,000 were stolen passwords, as well as hundreds of credit card information and more than four million cookies.
Via The Register
You might also like
- Hackers hit SAP security bug to send out nasty Linux malware
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers
![[Aggregator] Downloaded image for imported item #26539](https://kcmicro.com/wp-content/uploads/2025/08/RVj9UaDvw5MKobyrDh4bsR-1280-80-800x500.jpg "[Aggregator] Downloaded image for imported item #26539")
![[Aggregator] Downloaded image for imported item #26542](https://kcmicro.com/wp-content/uploads/2025/08/qBYKunQfbbd6hVqhnsT59D-1280-80-800x500.jpg "[Aggregator] Downloaded image for imported item #26542")
![[Aggregator] Downloaded image for imported item #26485](https://kcmicro.com/wp-content/uploads/2025/08/HwbEPZXsXDLa9xLeB5HVrA-1280-80-800x500.jpg "[Aggregator] Downloaded image for imported item #26485")