Category: Global Cybercrime / Financial Credential Theft / Messaging Platform Exploitation
Features: Telegram abuse, malware automation, phishing lures, infostealer-as-a-service, data laundering through Cloudflare
Delivery Method: Signed executables disguised as common software; phishing lures without links; Python-based payloads
Threat Actor: Vietnamese-speaking cybercrime groups (Unknown APT affiliation)
Platform Misuse: Telegram, Cloudflare Workers
Telegram is no longer just a chat app. It’s becoming a command center.
Cybercriminals with links to Vietnamese-speaking hacking groups are now running a mass-scale global data theft and resale operation, using Telegram bots, developer infrastructure, and cloud services to silently siphon credentials, cookies, wallet keys, and more from at least 62 countries.
In joint research from Beazley Security Labs and SentinelLabs, analysts revealed that these attackers have deployed a malware strain called PXA Stealer — a Python-based infostealer tool — to target victims across the globe. The tool is automated, rapidly evolving, and tightly integrated with Telegram-based black market resale platforms.
This isn’t just another low-tier malware campaign. It’s a vertically integrated cybercrime operation, where every layer — from infection to monetization — runs on legitimate tools repurposed for exploitation.
PXA STEALER: A DIGITAL HARVESTER
At its core, PXA Stealer is a stealthy harvesting tool designed for data theft at scale. Once embedded into an executable and deployed to a victim’s system, it:
- Exfiltrates saved passwords, login credentials, and credit card details
- Extracts browser cookies — including session tokens that can bypass 2FA
- Hijacks cryptocurrency wallets, both hot and cold
- Collects files from VPNs, cloud apps, Discord, and other software
- Sends the compressed stolen data to Telegram bots, using Cloudflare Workers as an intermediary
Researchers identified over 4,000 unique IPs tied to victim systems and reported that the attackers had amassed:
- 200,000+ passwords
- Hundreds of payment card records
- 4+ million browser cookies
That last figure is especially concerning — cookies often grant persistent session access, meaning even secure accounts can be silently hijacked without a password or MFA prompt.
STEALTH DELIVERY THROUGH FAKE SOFTWARE
Rather than sending suspicious links, the attackers employed linkless phishing tactics — a method that reduces detection by email filters and endpoint detection systems. Lures observed in July 2025 included:
- Fake installers for Microsoft Word 2013
- Fraudulent versions of Haihaisoft PDF Reader
- Signed Word executables embedded with malware — disguised as copyright notices
These files appeared authentic, were often digitally signed, and could bypass traditional malware filters. Once opened, the malware immediately ran in the background, collecting information and exfiltrating it silently through trusted services.
TELEGRAM: THE DARK MARKET HUB
Investigators uncovered several Telegram bots with Vietnamese-language names, all feeding into a central command channel known as @Lonenone — which included a Vietnamese flag emoji and had prior associations with Vietnamese threat actors.
From there, the ecosystem unfolds:
- Stolen data is packaged and indexed
- Telegram-based services like Sherlock, Daisy Cloud, and Moon Cloud automate the resale of credentials
- Cybercriminal subscribers pay for access to this stolen data, using it for fraud, account hijacking, cryptocurrency theft, and more
These are not open channels — they function as private data brokerages, with invite-only access, subscription tiers, and bot-enabled instant delivery.
Telegram’s developer tools, bot integrations, and limited moderation stance have turned it into a safe haven for cybercrime syndicates looking to commercialize stolen information without touching the dark web.
CLOUDFLARE: A DOUBLE-EDGED INFRASTRUCTURE
The attackers also leveraged Cloudflare Workers — a legitimate developer tool that lets coders deploy applications on the edge of the network — to smuggle the stolen ZIP payloads back to their Telegram bots.
This approach gave the hackers multiple advantages:
- Low detectability, since traffic was routed through Cloudflare’s trusted CDN
- High uptime and reliability
- Ability to evade IP blacklists by using temporary worker scripts
Cloudflare reportedly responded immediately after being contacted by researchers, and the malicious infrastructure was dismantled. But the use of Workers as a middleman sets a dangerous precedent: even developer platforms can become links in a data laundering pipeline.
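As an added defender-side example (not code from the article or from the Beazley/SentinelLabs research), the script below scans constructed proxy-log lines for the exfiltration path described in the harvesting and Cloudflare sections: uploads from an endpoint to the Telegram Bot API, or large POSTs to Cloudflare Workers hostnames. The log format, the byte threshold and the sample lines are assumptions; `*.workers.dev` and `api.telegram.org/bot<token>/` are the two services' public defaults, not indicators taken from the report.

```python
import re
from urllib.parse import urlparse

# Hypothetical proxy log format used for this example:
#   <timestamp> <src_ip> <method> <url> <bytes_out> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# Public defaults for the two services on the exfil path the article describes.
# *.workers.dev is Cloudflare's default Workers hostname and /bot<token>/ is the
# Telegram Bot API path prefix; neither value is an indicator from the report.
WORKERS_HOST = re.compile(r"(^|\.)workers\.dev$")
TELEGRAM_API = "api.telegram.org"
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{20,}/")
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/")
LARGE_UPLOAD = 256 * 1024  # bytes; placeholder threshold, tune per environment

def classify(line):
    """Return a finding dict for one proxy log line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, bytes_out, ua = m.groups()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    is_post = method.upper() == "POST"
    reasons = []
    if is_post and host == TELEGRAM_API and TELEGRAM_BOT_PATH.match(u.path):
        reasons.append("upload to Telegram Bot API from an endpoint")
    if is_post and WORKERS_HOST.search(host) and int(bytes_out) >= LARGE_UPLOAD:
        reasons.append("large upload to a Cloudflare Workers hostname")
    # A bot-API or Workers upload from a non-browser client is the stronger signal.
    if reasons and not ua.startswith(BROWSER_UA_MARKERS):
        reasons.append("non-browser user agent")
    if not reasons:
        return None
    return {"ts": ts, "src": src, "host": host, "bytes_out": int(bytes_out), "reasons": reasons}

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample traffic (no real indicators): browsing, then an upload chain.
SAMPLE_LOG = [
    '2025-07-14T09:12:01Z 10.0.4.21 GET https://www.example.com/ 512 "Mozilla/5.0 Chrome/126.0"',
    '2025-07-14T09:12:07Z 10.0.4.21 POST https://relay-1234.example-user.workers.dev/upload 1843200 "python-requests/2.32.0"',
    '2025-07-14T09:12:09Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAExampleTokenValueExampleToken/sendDocument 2048 "python-requests/2.32.0"',
    '2025-07-14T09:13:00Z 10.0.4.33 GET https://api.telegram.org/bot987654321:AAAnotherExampleTokenExample/getMe 200 "Mozilla/5.0 Firefox/128.0"',
]
```

Running `scan(SAMPLE_LOG)` flags only the two POSTs from 10.0.4.21; in practice the finding would be joined with process telemetry to confirm the uploading binary is not an approved client.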
FROM MALWARE TO MARKETPLACE — AUTOMATED PROFIT
This operation is not simply about stealing credentials. It’s about turning those credentials into cash — fast, and at scale.
Services like Sherlock and Daisy Cloud act as credential mining SaaS platforms, where subscribers can:
- Browse stolen data by domain, email, or platform
- Purchase bundled credential sets or individual access tokens
- Get automated alerts when new targets (like banking accounts) are available
- Use integrated bot commands to filter for crypto wallets, PayPal logins, or business credentials
The entire process — from exfiltration to resale — is scripted, subscription-based, and fully monetized.
This model mirrors ransomware-as-a-service, applied to credential theft: even low-skill criminals can launch financially devastating attacks using someone else’s stolen tools and data.
INCIDENT SNAPSHOT
Malware: PXA Stealer (Python-based infostealer)
Initial Access Method: Phishing via fake software installers (Microsoft Word, Haihaisoft Reader)
Payload Transmission: ZIP files routed through Cloudflare Workers
Command & Control: Telegram bots feeding into private resale marketplaces
Victim Reach: At least 4,000 unique IPs across 62 countries
Total Data Stolen:
- 200,000+ passwords
- 4M+ browser cookies
- Hundreds of credit cards
- Unknown number of crypto wallets and VPN accounts
STRATEGIC ASSESSMENT
| Threat Area | Level | Summary |
|---|---|---|
| Messaging Platform Abuse | 🔴 Active | Telegram now functions as a global credential laundering hub |
| Credential Resale Ecosystem | 🔴 Active | Sophisticated SaaS platforms automate fraud resale |
| Malware Evasion Techniques | 🟠 Elevated | Linkless phishing and signed lures bypass most defenses |
| Vietnamese APT Activity | 🟠 Monitored | Campaign shows operational scale, but state ties not confirmed |
| Cloudflare Developer Exploits | 🟠 Possible | Infrastructure misuse trend likely to expand across dev tools |
TRJ VERDICT
The Vietnamese-speaking hacking syndicate behind this campaign has elevated infostealer operations into a full-blown as-a-service criminal economy. Their use of Telegram as a bot-based exfiltration and resale platform proves what experts have long warned: criminal innovation moves faster than regulatory oversight.
And this is only the surface layer. Beneath every stolen credential is a new breach waiting to happen — one that could compromise banks, businesses, elections, or infrastructure.
The era of isolated credential theft is over. Welcome to the Credential Cartel — a marketplace where your identity isn’t just stolen… it’s indexed, priced, and resold in seconds.