Dangerous new Linux malware strikes - thousands of users see passwords, personal info stolen, here's what we know
PXA Stealer is evolving into a highly capable threat, experts warn

- A new Linux malware variant offers advanced features and evasion mechanisms
- It has already infected thousands of devices around the world
- Passwords, credit card info, and more, at risk
A brand new Linux malware has been found infecting thousands of computers around the world, stealing people’s login credentials, payment information, and browser cookies, security researchers are warning.
SentinelLabs and Beazley Security issued a joint report detailing the activities of PXA Stealer, a new Python-based infostealer for the Linux platform.
It was first spotted in late 2024, and has since grown into a formidable threat, successfully evading defense tools while wreaking havoc across the globe.
Side-loading
Since its inception, PXA Stealer has seen multiple iterations, with the latest one stealing information from roughly 40 browsers - saved passwords, cookies, personally identifiable information (PII), autofill data, authentication tokens, and more.
It can target browser extensions for various crypto wallets, including Exodus, Magic Eden, Crypto.com, and many others, and can pull data from sites such as Coinbase, Kraken, and PayPal. Finally, it can inject a DLL into running browser instances to bypass encryption mechanisms.
PXA Stealer is apparently being distributed through phishing emails and malicious landing pages. The malicious attachments contain a legitimate program (such as a PDF reader) and a weaponized DLL. The program sideloads the DLL, successfully deploying the malware without raising any alarms.
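The side-loading described above leaves a recognisable trace on the endpoint: a legitimate, often signed, executable loads a DLL that sits beside it in a download or temp directory instead of under System32. The script below is an added example of how a defender can triage image-load telemetry for that pattern; it is not code from the article, SentinelLabs or Beazley Security. The input is a handful of constructed records in the shape of Sysmon Event ID 7 (the field names `Image`, `ImageLoaded`, `Signed`, `SignatureStatus` are assumed), and the scoring rules, thresholds and DLL name list are the author's own choices, not a published rule set.

```python
"""Triage image-load events for DLL side-loading indicators.

Added example (not the article's or the researchers' code). Records are
constructed to resemble Sysmon Event ID 7 JSON; field names are assumptions.
"""
import json
from pathlib import PureWindowsPath

# Where Windows normally resolves system DLLs from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a properly installed application lives in.
INSTALL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations a freshly downloaded "PDF reader + DLL" bundle typically runs from.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\users\\public\\")
# Real Windows DLL names that applications normally load from System32; seeing
# one resolved from a different directory is the classic side-loading tell.
COMMONLY_PROXIED_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
# Number of independent indicators needed before an event is reported.
FLAG_THRESHOLD = 2

# Constructed sample telemetry (one JSON object per line).
SAMPLE_LOG = r'''
{"Image": "C:\\Program Files\\Foo\\reader.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\alice\\Downloads\\invoice\\reader.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\invoice\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Program Files\\Foo\\reader.exe", "ImageLoaded": "C:\\Program Files\\Foo\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Users\\Public\\viewer\\viewer.exe", "ImageLoaded": "C:\\Users\\Public\\viewer\\dbghelp.dll", "Signed": "true", "SignatureStatus": "Valid"}
'''


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sideload_indicators(event):
    """Return the list of side-loading indicators present in one image-load event."""
    loader = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    loader_s, dll_s = str(loader).lower(), str(dll).lower()
    reasons = []
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL is not validly signed")
    if dll.name.lower() in COMMONLY_PROXIED_DLLS and not dll_s.startswith(SYSTEM_DIRS):
        reasons.append("well-known system DLL name resolved outside the Windows directories")
    # PureWindowsPath compares case-insensitively, as Windows does.
    if loader.parent == dll.parent and not loader_s.startswith(INSTALL_DIRS):
        reasons.append("DLL sits beside the loading executable, outside any install location")
    if any(marker in loader_s for marker in USER_WRITABLE_MARKERS):
        reasons.append("loading executable runs from a user-writable directory")
    return reasons


def triage(events):
    """Return the events that reach FLAG_THRESHOLD, in input order, with their reasons."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if len(reasons) >= FLAG_THRESHOLD:
            hits.append({"loader": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(load_events(SAMPLE_LOG)):
        print(hit["loader"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Two of the four constructed records are reported: the unsigned `version.dll` loaded from a Downloads folder, and a validly signed `dbghelp.dll` loaded from `C:\Users\Public`, which shows why a signature check alone is not enough. The unsigned `helper.dll` under Program Files collects a single indicator and stays below the threshold, which is the kind of noise (vendor helper libraries) the threshold exists to suppress.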
More than 4,000 computers were infected with PXA Stealer in 62 countries, the two companies said, suggesting that the campaign is rather successful.
However, the attackers - who seem to be of Vietnamese origin - aren’t interested in using the stolen data themselves, and instead are selling it on the black market - in a Telegram group.
The majority of the victims are located in South Korea, the US, the Netherlands, Hungary, and Austria.
"Initially surfacing in late 2024, this threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data," the researchers explained. So far, more than 200,000 passwords have been stolen, along with hundreds of sets of credit card details and more than four million cookies.
Via The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.