
Microsoft Security Experts Blog

Hunting Infostealers - Python Stealers

FeliciaCarter, Microsoft
Apr 08, 2026

In this next part of the “Hunting Infostealers” series, we cover Python information stealers. The proliferation of Python stealers over the past year has become an escalating concern in the cybersecurity landscape. The gravitation towards Python is driven largely by the ease of the language and the availability of tools and frameworks that allow for quick development, even by individuals with limited coding knowledge. Python infostealers are typically distributed via phishing emails. The sensitive information they collect includes, but is not limited to, login credentials, session cookies, authentication tokens, credit card numbers, and cryptocurrency wallet data. To evade detection, threat actors use legitimate services such as Telegram for command-and-control communications, obfuscate their code, and abuse signed binaries and living-off-the-land binaries (LOLBins). Given the growing threat of Python-based infostealers, organizations should protect their environments by understanding the tactics, techniques, and procedures (TTPs) of the threat actors who deploy this type of malware.

One of the most notable Python-based infostealers seen in 2025 was PXA Stealer. It harvests sensitive data such as login credentials, financial information, and browser data from infected systems, and it is linked to Vietnamese-speaking threat actors who target government and education entities. It is primarily delivered via phishing campaigns that use social engineering to trick users into downloading malicious files onto their computers. Throughout this blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers that operate without regard to borders.

PXA Stealer: Campaign 1

In October 2025, Microsoft Defender Experts (DEX) identified a campaign involving PXA Stealer. The attack begins with a phishing email containing a malicious URL. Observed URLs included hxxp://concursal[.]macquet[.]de/uid_page=244739642061129 and hxxps://tickets[.]pfoten-prinz[.]de/uid_page=118759991475831; they share the same format and differ only in the domain name and in the value of the uid_page key. When the user clicks the URL, they land on a blank web page whose JavaScript, once the page has fully loaded, downloads a ZIP file from a remote host such as allecos[.]de.

The ZIP file contains the files used to execute the next payload: a legitimate but renamed WinWord.exe that masquerades as a Word document with the same name as the ZIP file, a malicious DLL named msvcr100.dll, and several supporting files consumed by a series of commands chained with “&&” that ultimately run an obfuscated Python script loading PXA Stealer and PureRAT. When the renamed WinWord.exe is executed, it sideloads msvcr100.dll, which in turn launches the chained command line via cmd.exe. That command line does the following:

  • Opens a benign decoy Word document to allay the user’s suspicion and delay sandbox analysis.
  • Uses certutil.exe to decode a base64-encoded blob hidden in DA 성형외과 재무 보고서.pdf, producing a ZIP file named Invoice.pdf that contains a Python environment, a renamed Python interpreter named svchost.exe, and an obfuscated Python script named images.png.
  • Uses a separate file, also named images.png but actually a renamed WinRAR.exe, to extract the contents of Invoice.pdf.
  • Deletes Invoice.pdf and the renamed WinRAR file.
  • Uses svchost.exe (the renamed pythonw.exe) to execute the extracted images.png, passing a Telegram bot identifier that is used to fetch and execute the next payload.

When images.png runs, it creates a Registry Run key named Windows Update Service so that it is re-executed each time the user logs in. The script then downloads PXA Stealer from urlvanish[.]com (a URL shortener), which redirects to bagumedios[.]cloud, and executes the infostealer in its own memory space.

Before collecting information, the stealer downloads a DLL from Dropbox and injects it into a Chrome process to bypass Chrome’s App-Bound Encryption (ABE), so that protected browser data can be read. It then enumerates the installed AV products and collects browser data such as login credentials, cookies, autofill entries, and credit card information. The collected data is archived into a ZIP file whose name follows the format "[CountryCode_IPAddress] ComputerName.zip" and is exfiltrated via Telegram.

Once exfiltration is complete, images.png downloads another payload from hxxps://bagumedios[.]cloud/assets/media/others/ADN/pure and injects it into cvtres.exe. The payload is PureRAT, a commercially available remote access trojan, which after injection connects to its command-and-control (C2) server 157.66.27[.]11 (located in Vietnam) over port 56001. The injected cvtres.exe then uses WMI to enumerate installed AV products, connected cameras, and the Windows OS version, and sends the results to the C2 server.
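
The chained command line is the most distinctive artefact of the Campaign 1 execution stage, and the same certutil-then-renamed-WinRAR pattern recurs in Campaign 2 below. As an added example (not code from this blog or from the PXA Stealer operators), the Python script below splits a cmd.exe chain on its operators and scores each stage against the LOLBIN behaviours described: certutil used as a decoder, a program carrying an image extension, extraction of a file that is not named like an archive, svchost.exe started without the -k <group> convention that the real service host always uses, a Telegram bot token on the command line, and deletion of files an earlier stage produced. The sample chain is constructed to mirror the description; the decoy and blob file names, the argument order, and the token (a shape-only placeholder) are assumptions, since the operators’ exact command line is not published.

```python
"""Triage a cmd.exe command chain for the LOLBIN stages described above."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample modelled on the Campaign 1 chain. The decoy/blob names
# ("Decoy.docx", "Report.pdf"), argument order and the bot token (shape only)
# are assumptions; the operators' real command line is not reproduced here.
SAMPLE_CHAIN = (
    'start "" "Decoy.docx" && '
    'certutil.exe -decode "Report.pdf" Invoice.pdf && '
    'images.png x -y Invoice.pdf "C:\\Users\\Public\\" && '
    'del /f /q Invoice.pdf images.png && '
    'C:\\Users\\Public\\svchost.exe C:\\Users\\Public\\images.png '
    '7123456789:AAExampleTokenExampleTokenExampleTokenAB'
)

EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ""}      # extensions a program may carry
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".tar", ".gz", ".cab"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')            # one quoted or bare argument
# Telegram bot tokens look like "<numeric bot id>:<secret>"; this matches the shape only.
TELEGRAM_TOKEN_RE = re.compile(r"^\d{8,12}:[A-Za-z0-9_-]{30,}$")


@dataclass
class Finding:
    stage: int      # 1-based position of the command in the chain
    rule: str
    command: str


def split_chain(cmdline: str) -> list[str]:
    """Split on cmd.exe operators (&&, ||, &, |) that sit outside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
        if not quoted and ch in "&|":
            parts.append("".join(buf))
            buf = []
            i += 2 if cmdline[i:i + 2] in ("&&", "||") else 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokenize(cmd: str) -> list[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def basename(path: str) -> str:
    # Windows paths on any host: normalise backslashes before taking the last component.
    return os.path.basename(path.replace("\\", "/")).lower()


def ext(path: str) -> str:
    return os.path.splitext(basename(path))[1]


def triage(cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    seen: set[str] = set()       # file names touched by earlier stages
    for stage, cmd in enumerate(split_chain(cmdline), 1):
        toks = tokenize(cmd)
        if not toks:
            continue
        exe, args = basename(toks[0]), toks[1:]
        low = [a.lower() for a in args]
        names = {basename(t) for t in toks} - {""}

        def hit(rule: str) -> None:
            findings.append(Finding(stage, rule, cmd))

        # 1. A program named like an image or document (the renamed WinRAR as images.png).
        if ext(exe) not in EXEC_EXT:
            hit("executable with non-executable extension")
        # 2. certutil used as a base64 decoder instead of a certificate tool.
        if exe == "certutil.exe" and any(a in ("-decode", "-decodehex") for a in low):
            hit("certutil decode")
        # 3. WinRAR-style extraction (x -y) of a file whose name does not look like an archive.
        if "x" in low and any(a.startswith("-y") for a in low) and \
                any(ext(a) and ext(a) not in ARCHIVE_EXT for a in args):
            hit("archive extraction from disguised archive")
        # 4. The real service host is always started as "svchost.exe -k <group> ...";
        #    a file argument instead of -k betrays the renamed interpreter.
        if exe == "svchost.exe" and not any(a.startswith("-k") for a in low):
            hit("svchost.exe invoked outside the service-host convention")
        # 5. Telegram bot token handed to the script as its C2 handle.
        if any(TELEGRAM_TOKEN_RE.match(a) for a in args):
            hit("telegram bot token in arguments")
        # 6. Cleanup of artefacts that an earlier stage of the same chain created or used.
        if exe in ("del", "erase") and names & seen:
            hit("deletion of artifact from earlier stage")
        seen |= names
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CHAIN):
        print(f"stage {f.stage}: {f.rule}: {f.command}")
```

The checks key on what each stage does rather than on the file names, so renaming svchost.exe or images.png does not defeat them; rules 1 and 3 also fire on the Campaign 2 extraction step even though that chain used a different lure, and a genuine service-host launch (svchost.exe -k netsvcs ...) produces no findings.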

PXA Stealer (Campaign 1) Attack Chain

PXA Stealer: Campaign 2

In late December 2025, DEX identified another PXA Stealer campaign. This attack also begins with a phishing email, this time delivering a ZIP archive that masquerades as a PDF, image, or Word document. The second campaign shared several TTPs with the first, including the use of Living Off the Land Binaries (LOLBins) such as certutil.exe. Certutil is a native Windows tool for displaying Certification Authority (CA) configuration information, configuring Certificate Services, backing up and restoring CA components, and verifying certificates, key pairs, and certificate chains; it is its decode parameter, which base64-decodes an arbitrary file, that attackers abuse.

In Campaign 2, certutil’s decode parameter was run against an encoded PDF. The decoded file was then passed to an application carrying a “.png” file extension. Closer inspection of this application revealed command-line behavior typical of WinRAR operating on a password-protected ZIP archive. This disguise allowed the application to carry on with the un-archiving steps, ultimately leading to Python modules being loaded on the device. Once the Python modules were available, additional activity followed, such as the creation of scheduled tasks that paved the way for update scripts to be deployed on affected hosts. C2 communication was then initiated through the svchost process (the renamed Python interpreter), which connected and transmitted data to the attacker via hxxp://195.24.236[.]116/recover/getlink?id=sunset and hxxp://195.24.236[.]116/recover/links/sunset.txt.

PXA Stealer (Campaign 2) Attack Chain

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of the Python‑based infostealers discussed in this report. They align with the protections offered across Microsoft Defender XDR.

Organizations can follow these recommendations to mitigate the threats described above:

Strengthen user awareness & execution safeguards

  • Educate users on social‑engineering lures, such as phishing emails.

Control outbound traffic & staging behavior

  • Inspect network egress for POST requests to newly registered or otherwise suspicious domains; this is a key indicator of Python‑based stealer campaigns.
  • Detect transient creation of ZIP archives under ephemeral directories, followed by outbound exfiltration attempts.
  • Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources.

Protect against Python‑based stealers

  • Harden endpoint defenses around LOLBIN abuse, such as certutil.exe decoding malicious payloads.
  • Evaluate abnormal activity involving known processes and files with suspicious file extensions, such as a Python interpreter masquerading as svchost.exe executing a Python script disguised as a PNG file.

Microsoft also recommends the following mitigations to reduce the impact of this threat.

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions.
  • Microsoft Defender XDR customers can also implement the following attack surface reduction (ASR) rules to harden an environment against the LOLBAS techniques used by these threat actors:
      - Block execution of potentially obfuscated scripts
      - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
      - Block JavaScript or VBScript from launching downloaded executable content

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Tactic: Execution
Observed activity:
  - Encoded PowerShell commands downloading payload
Microsoft Defender for Endpoint:
  - Suspicious Powershell download or encoded command execution
  - Suspicious script launched

Tactic: Persistence
Observed activity:
  - Registry Run key created
  - Scheduled task created for recurring execution
Microsoft Defender for Endpoint:
  - Anomaly detected in ASEP registry
  - Suspicious Scheduled Task Launched

Tactic: Defense Evasion
Observed activity:
  - Unauthorized code execution facilitated by DLL sideloading and process injection
  - Renamed Python interpreter executes obfuscated Python script
  - Decode payload with certutil
Microsoft Defender for Endpoint:
  - An executable file loaded an unexpected DLL file
  - A process was injected with potentially malicious code
  - Suspicious Python binary execution
  - Suspicious certutil activity
Microsoft Defender Antivirus:
  - 'Obfuse' malware was prevented (Trojan:Script/Obfuse!MSR)

Tactic: Credential Access
Observed activity:
  - Credential and secret harvesting
Microsoft Defender for Endpoint:
  - Possible theft of passwords and other sensitive web browser information
  - Suspicious access of sensitive files
  - Suspicious process collected data from local system

Tactic: Discovery
Observed activity:
  - Information queried using WMI and Python
Microsoft Defender for Endpoint:
  - Suspicious System Hardware Discovery
  - Suspicious Process Discovery
  - Suspicious Security Software Discovery
  - Suspicious Peripheral Device Discovery

Tactic: Collection
Observed activity:
  - Sensitive browser information compressed into ZIP file for exfiltration
Microsoft Defender for Endpoint:
  - Compression of sensitive data
  - Suspicious Staging of Data
  - Suspicious archive creation


Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR Threat analytics

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Use the following queries to identify activity related to PXA Stealer: Campaign 1

// Identify activity initiated by the renamed Python binary
// (on-disk name svchost.exe, but the PE version resource still says pythonw.exe)
DeviceProcessEvents
| where InitiatingProcessFileName endswith "svchost.exe"
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe"

// Identify network connections initiated by the renamed Python binary
DeviceNetworkEvents
| where InitiatingProcessFileName endswith "svchost.exe"
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe"

Use the following queries to identify activity related to PXA Stealer: Campaign 2

// Identify malicious process execution: WinRAR-style extraction (x -y) of a ".pdf"
// archive under C:\Users\Public by an executable carrying an image extension
DeviceProcessEvents
| where ProcessCommandLine has_all ("-y", "x", @"C:", "Users", "Public", ".pdf")
    and ProcessCommandLine has_any (".jpg", ".png")

// Identify suspicious process injection: cvtres.exe spawned by an svchost.exe
// that does not live in System32 (i.e. the renamed Python interpreter)
DeviceProcessEvents
| where FileName == "cvtres.exe"
| where InitiatingProcessFileName has "svchost.exe"
| where InitiatingProcessFolderPath !contains "system32"
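
Each of the KQL queries above expresses one observation. As an added example (not from this blog), the Python below applies the same logic, plus the Run key and staging-archive behaviour described for Campaign 1, to constructed rows shaped like the advanced hunting tables DeviceProcessEvents, DeviceRegistryEvents and DeviceFileEvents. It also adds one check the queries do not have: a process named like a Windows system binary but running from outside the system directories, which catches the renamed interpreter even if its version resource were stripped. The host, paths, registry value data and archive name are assumptions; the column names follow the schema used in the queries.

```python
"""Replay the hunting logic above over constructed advanced-hunting rows."""
from __future__ import annotations

import re

PYTHON_ORIGINALS = {"python.exe", "pythonw.exe"}
SYSTEM_BINARY_NAMES = {"svchost.exe"}              # names the campaign borrowed
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# "[CountryCode_IPAddress] ComputerName.zip", the staging name described for Campaign 1
STAGING_ZIP_RE = re.compile(r"^\[[A-Z]{2}_\d{1,3}(?:\.\d{1,3}){3}\] .+\.zip$")

# Constructed rows shaped like DeviceProcessEvents / DeviceRegistryEvents /
# DeviceFileEvents. Host, paths, registry data and the archive name are assumptions.
EVENTS = [
    {"Table": "DeviceProcessEvents", "FileName": "svchost.exe",
     "FolderPath": r"C:\Users\Public\svchost.exe",
     "ProcessVersionInfoOriginalFileName": "pythonw.exe",
     "ProcessCommandLine": r"svchost.exe C:\Users\Public\images.png",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32\cmd.exe"},
    {"Table": "DeviceProcessEvents", "FileName": "cvtres.exe",
     "FolderPath": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ProcessVersionInfoOriginalFileName": "CVTRES.EXE",
     "ProcessCommandLine": "cvtres.exe",
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessFolderPath": r"C:\Users\Public\svchost.exe"},
    {"Table": "DeviceProcessEvents", "FileName": "svchost.exe",    # benign service host
     "FolderPath": r"C:\Windows\System32\svchost.exe",
     "ProcessVersionInfoOriginalFileName": "svchost.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs -p",
     "InitiatingProcessFileName": "services.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32\services.exe"},
    {"Table": "DeviceRegistryEvents", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "Windows Update Service",
     "RegistryValueData": r"C:\Users\Public\svchost.exe C:\Users\Public\images.png"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated",
     "FileName": "[US_203.0.113.7] WS01.zip",
     "FolderPath": r"C:\Users\bob\AppData\Local\Temp\[US_203.0.113.7] WS01.zip",
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessFolderPath": r"C:\Users\Public\svchost.exe"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated",      # benign archive
     "FileName": "photos.zip", "FolderPath": r"C:\Users\bob\Downloads\photos.zip",
     "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\explorer.exe"},
]


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs in event order."""
    out: list[tuple[str, str]] = []
    for e in events:
        if e["Table"] == "DeviceProcessEvents":
            name = e["FileName"].lower()
            original = e.get("ProcessVersionInfoOriginalFileName", "").lower()
            # Campaign 1 query: the PE version resource still names the interpreter.
            if original in PYTHON_ORIGINALS and name != original:
                out.append(("renamed python interpreter", e["FolderPath"]))
            # Catches the same binary even if its version info were stripped.
            if name in SYSTEM_BINARY_NAMES and not in_system_dir(e["FolderPath"]):
                out.append(("system binary name outside system directories", e["FolderPath"]))
            # Campaign 2 query: injection target spawned by a fake svchost.exe.
            if (name == "cvtres.exe"
                    and e["InitiatingProcessFileName"].lower() == "svchost.exe"
                    and not in_system_dir(e["InitiatingProcessFolderPath"])):
                out.append(("cvtres.exe spawned by svchost.exe outside System32",
                            e["InitiatingProcessFolderPath"]))
        elif e["Table"] == "DeviceRegistryEvents":
            # Run key whose target lives in a user-writable location (persistence step).
            if (e["ActionType"] == "RegistryValueSet"
                    and RUN_KEY_RE.search(e["RegistryKey"])
                    and e["RegistryValueData"].lower().startswith(USER_WRITABLE)):
                out.append(("Run key pointing at user-writable path", e["RegistryValueName"]))
        elif e["Table"] == "DeviceFileEvents":
            # Staged exfiltration archive following the stealer's naming pattern.
            if e["ActionType"] == "FileCreated" and STAGING_ZIP_RE.match(e["FileName"]):
                out.append(("staged exfiltration archive", e["FileName"]))
    return out


if __name__ == "__main__":
    for rule, evidence in hunt(EVENTS):
        print(f"{rule}: {evidence}")
```

The two benign rows (the real service host under System32 and an ordinary Downloads archive) produce no findings, which is the property to preserve when tuning the Run key check: the user-writable prefix is what separates this persistence from the many legitimate Run entries that point into Program Files.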

Indicators of compromise

SHA-256 (payloads related to PXA Stealer: Campaign 1):
  9d867ddb54f37592fa0ba1773323e2ba563f44b894c07ebfab4d0063baa6e777
  08a1f4566657a07688b905739055c2e352e316e38049487e5008fc3d1253d03b
  5970d564b5b2f5a4723e548374d54b8f04728473a534655e52e5decef920e733
  59855f0ec42546ce2b2e81686c1fbc51e90481c42489757ac03428c0daee6dfe
  a5b19195f61925ede76254aaad942e978464e93c7922ed6f064fab5aad901efc
  e7237b233fc6fda614e9e3c2eb3e03eeea94f4baf48fe8976dcc4bc9f528429e
  59347a8b1841d33afdd70c443d1f3208dba47fe783d4c2015805bf5836cff315
  e965eb96df16eac9266ad00d1087fce808ee29b5ee8310ac64650881bc81cf39

URLs:
  hxxps://allecos[.]de/Documentación_del_expediente_de_derechos_de_autor_del_socio.zip - used to deliver the initial access ZIP file (PXA Stealer: Campaign 1)
  hxxps://bagumedios[.]cloud/assets/media/others/ADN/pure - used to deliver the PureRAT payload (PXA Stealer: Campaign 1)
  hxxp://concursal[.]macquet[.]de/uid_page=244739642061129 - URL contained in phishing email (PXA Stealer: Campaign 1)
  hxxps://tickets[.]pfoten-prinz[.]de/uid_page=118759991475831 - URL contained in phishing email (PXA Stealer: Campaign 1)
  hxxps://erik22[.]carrd.co - used to make a network connection and subsequent redirection (PXA Stealer: Campaign 2)
  hxxps://erik22jomk77[.]card.co - used to make a network connection and subsequent redirection (PXA Stealer: Campaign 2)

IP addresses:
  157.66.27[.]11 - PureRAT C2 server (PXA Stealer: Campaign 1)
  195.24.236[.]116 - C2 server (PXA Stealer: Campaign 2)

Domains:
  bagumedios[.]cloud - C2 server (PXA Stealer: Campaign 1)


Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

References

Huntress: A Vietnamese threat actor's shift from PXA Stealer to PureRAT

SentinelOne: Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

IIJ wizSafe Security Signal: Information-Stealing Malware Distribution Campaign Using Emails Disguised as Copyright Infringement Notices

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Updated Mar 25, 2026
Version 1.0