Key Insights
- Hackers are now deploying trading bots powered by the PXA Stealer malware via Telegram.
- Victims across 62 countries have had data, including crypto wallet keys, stolen.
- Telegram bots are being used to automate the data theft and resale.
A new wave of cybercrime is spreading fast. This time, it is powered by trading bots, infostealer malware and Telegram.
According to researchers from SentinelOne and Beazley Security Labs, a massive data theft operation is currently ongoing and involves Vietnamese-speaking hackers.
The group uses Telegram to automate the resale of stolen information and distribute the PXA Stealer malware internationally.
How Trading Bots and PXA Stealer Work Together
The operation in question spans over 60 countries. It targets both individuals and organisations, and what makes it different from other scam rings is its combination of malware-as-a-service (MaaS) tactics and Telegram bots.
Put simply, the barrier is now low enough for new (and even inexperienced) cybercriminals to join in.

The campaign itself is backed by the infamous PXA Stealer, a Python-based infostealer malware that quietly collects valuable user data.
Once it gets inside a system, it grabs passwords, credit card info, crypto wallet keys, browser cookies, and even screenshots.
It then sends everything directly to the attackers via Telegram.
According to a report from Sentinel Labs, victims often receive ZIP files that resemble legitimate software like Microsoft Word or PDF readers.
Once opened, the files launch PXA Stealer, which collects the victim's data, compresses it into ZIP archives and sends those archives to Telegram bots controlled by the attackers.
This method is preferred because it is anonymous and easy to use. It allows hackers to manage large operations with little to no effort.
Telegram as a Command and Control Hub
Telegram is not just a messaging app in this case. It has become a full-blown command and control (also known as C2) centre.
Hackers use it to receive the stolen data in real time and to run bots that automate the resale of the stolen credentials.

They also use the messaging service to communicate with other attackers, as well as sell ZIP malware kits and other infostealer tools.
Sentinel Labs noted that the attackers use Telegram bots such as “Sherlock”, “Moon Cloud” and “Daisy Cloud”. These tools package the stolen data for buyers interested in financial fraud, crypto theft or other kinds of infiltration.
The Effects of the Trading Bots Scam
So far, more than 4,000 IP addresses have been identified in the stolen logs. Some of the compromised data includes over 200,000 passwords and hundreds of credit card records.
More than 4 million browser cookies have also been exposed, allowing attackers to hijack online sessions and bypass passwords entirely.
Victims have been identified in countries including the US, South Korea, Austria and the Netherlands.
In July alone, a new phishing lure, disguised as a Microsoft Word executable, was spotted. This file was designed to bypass antivirus tools and did not include any suspicious links.
This operation is more than a one-off. It’s part of a growing trend, and several hacker groups now collaborate to carry out scams using shared tools and bot networks to increase profits.
Prevention and What You Can Do
SentinelOne researchers warn that the malware is still under active development. This means that new versions are harder to detect and could even come with new features.
To stay protected, avoid opening ZIP files from unknown sources, do not install software from suspicious links, and monitor all outbound traffic, especially to Telegram domains.
Finally, always use antivirus software that can detect Python-based malware and stay up to date with phishing and ZIP malware risks.
Organisations should also limit the use of Telegram on company systems and monitor any kind of unusual user behaviour.
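As an added illustration of the outbound-traffic monitoring advice above (example code written for this article, not taken from the researchers' report), the following Python script scans proxy log lines for requests to the Telegram Bot API and flags hosts that upload files to it, which is the exfiltration pattern described here. The log format, client addresses and bot token are constructed sample data; the URL shape and method names (`sendDocument` and friends) are those of Telegram's public Bot API.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: "<timestamp> <client_ip> <http_method> <url> <status>".
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2024-07-01T10:00:04Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendDocument 200
2024-07-01T10:00:09Z 10.0.0.7 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendMessage 200
2024-07-01T10:00:12Z 10.0.0.9 GET https://web.telegram.org/k/ 200
2024-07-01T10:00:15Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendDocument 200
"""

# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")
# Methods that upload a file are the ones a stealer uses to ship ZIP archives to its operator.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    ts, client, http_method, url, status = line.split()
    return {"ts": ts, "client": client, "http_method": http_method, "url": url, "status": status}


def find_bot_api_activity(log_text):
    """Return {client_ip: {"uploads": n, "calls": n, "bot_ids": set()}} for hosts talking to the Bot API."""
    summary = defaultdict(lambda: {"uploads": 0, "calls": 0, "bot_ids": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue  # web.telegram.org and ordinary sites are normal user traffic, not Bot API calls
        entry = summary[rec["client"]]
        entry["calls"] += 1
        # Keep only the numeric bot id, never the secret half of the token, so the alert is safe to share.
        entry["bot_ids"].add(m.group("token").split(":")[0])
        if m.group("method") in UPLOAD_METHODS:
            entry["uploads"] += 1
    return dict(summary)


def alerts(log_text, min_uploads=1):
    """Hosts that uploaded at least min_uploads files to a Telegram bot: candidate exfiltration on a corporate network."""
    return sorted(ip for ip, e in find_bot_api_activity(log_text).items() if e["uploads"] >= min_uploads)


if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))  # ['10.0.0.5']
```

Hosts that merely chat through a bot (`sendMessage`) are counted but not alerted on, so tune `min_uploads` and the method set to the organisation's own baseline before wiring this into a SIEM.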