HPT proactively detects "Vietnamese Stealer" (PXA Stealer) early

Recently, a large-scale malware distribution campaign has attracted strong public attention, highlighting how cybercrime is growing in scale, involving increasingly younger offenders, becoming more sophisticated in execution, and expanding in increasingly unpredictable ways. With over 94,000 computers compromised and data stolen, the malware strain known as PXA Stealer (also known as Vietnamese Stealer) serves as a stark warning about the sophistication and danger of modern cybercrime.

What stands out most is the importance of early detection in addressing a threat like this before risks escalate. Before the campaign became widely recognized, in March 2026, experts at the HPT Cybersecurity Center had already proactively monitored, documented, and technically analyzed this malware strain, providing valuable warnings and insights to help the community and clients strengthen their defensive posture.

What is Vietnamese Stealer? The sophistication hidden behind “Self Taught” code

Vietnamese Stealer is an information-stealing malware (infostealer) developed in Python. It utilizes the Telegram platform as its Command and Control (C&C) channel to exfiltrate sensitive victim data.


The malware demonstrates superior sophistication through:

•  DLL Sideloading Technique: It exploits legitimate Adobe files to execute malicious code covertly, bypassing basic security layers.

•  Multiple Layers of Obfuscation: It employs up to four complex layers of encoding, compression and serialization (Base85, Bzip2, Zlib, Marshal) to evade static analysis by traditional security solutions.

•  Diverse Data Theft: It focuses on harvesting browser cookies, stored passwords, cryptocurrency wallet information, and user identification data.
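For analysts triaging a suspicious Python blob, the layered wrapping named above can be removed statically. The following is an added example, not HPT's tooling and not code from the malware: it identifies each layer from its bytes, so it makes no assumption about the order the layers are applied in, and it reports the marshal layer without unmarshalling or executing it. The sample is constructed and benign, and its wrapping order is an assumption.

```python
import base64, bz2, marshal, zlib

# Alphabet used by Python's base64.b85encode.
B85 = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
          b"!#$%&()*+-;<=>?@^_`{|}~")

def identify(blob):
    """Guess the outermost layer of blob from its bytes alone."""
    if blob and all(b in B85 for b in blob):
        return "base85"
    if blob[:3] == b"BZh":
        return "bzip2"
    # zlib header: low nibble of CMF is 8 (deflate), CMF/FLG pair divisible by 31
    if len(blob) > 2 and blob[0] & 0x0F == 8 and (blob[0] << 8 | blob[1]) % 31 == 0:
        return "zlib"
    # marshal type byte for a code object is 'c', optionally OR'd with FLAG_REF (0x80)
    if blob and blob[0] & 0x7F == ord("c"):
        return "marshal"
    return None

DECODERS = {"base85": base64.b85decode, "bzip2": bz2.decompress, "zlib": zlib.decompress}

def peel(blob, max_layers=16):
    """Strip layers statically; returns (layers_removed, innermost_bytes).

    The marshal layer is only reported: the bytes are never unmarshalled
    or executed, so the result can be handed to a disassembler offline.
    """
    layers = []
    for _ in range(max_layers):
        kind = identify(blob)
        if kind is None:
            break
        layers.append(kind)
        if kind == "marshal":
            break
        try:
            blob = DECODERS[kind](blob)
        except (ValueError, OSError, zlib.error):
            layers[-1] += " (corrupt)"
            break
    return layers, blob

# Constructed, benign sample: a harmless code object wrapped in one possible order.
INNER = marshal.dumps(compile("x = 1", "<constructed>", "exec"))
SAMPLE = base64.b85encode(bz2.compress(zlib.compress(INNER)))

if __name__ == "__main__":
    print(peel(SAMPLE)[0])
```
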

A proactive defense vision from HPT

Before the PXA Stealer campaign came to be widely recognized, HPT’s cybersecurity experts had already proactively monitored and identified a data-stealing malware strain known as “Vietnamese Stealer.” Leveraging its in-depth analysis capabilities, HPT promptly provided Indicators of Compromise (IOCs) along with detailed attack workflows, thereby helping the community and clients strengthen their defensive capabilities.

1. Threat Intelligence as a Service (TIaaS): By providing intelligence on emerging threats, TIaaS enables HPT to identify new malware strains like Vietnamese Stealer as soon as they appear on underground forums.

2. SOCaaS (24/7 Security Monitoring): HPT's SOC system continuously monitors for abnormal behavior, immediately detecting suspicious connections to C&C servers via Telegram or malware persistence techniques on client systems.

3. Continuous Pentest: This service helps businesses detect vulnerabilities such as DLL Hijacking—the primary entry point for PXA Stealer—allowing for remediation before exploitation occurs.

4. Artificial Intelligence (AI) Integration: HPT integrates AI into the malware behavior analysis process to unpack complex obfuscation layers that conventional tools cannot handle, ensuring the precise detection of the latest infostealer variants.

Don’t let your business become the next victim

Recent developments in cyberspace show that security threats are becoming increasingly sophisticated and complex. This creates an urgent need for businesses to strengthen their defensive capabilities, rather than only reacting after an incident has already occurred.

Utilizing HPT's Cybersecurity services not only helps clients prevent the risk of financial and identity data loss but also protects the reputation and operational continuity of the organization. With HPT as a partner, businesses can remain confident even against the most sophisticated attack scenarios.


HPT is committed to absolute peace of mind in the digital age