What is PXA Stealer

PXA Stealer is a sophisticated type of malware specifically designed to extract sensitive information from infected systems. Written in Python, this stealer targets a range of data, including login credentials, credit card numbers, and cryptocurrency wallet information. Originating from a Vietnamese-speaking threat actor, it has been used in attacks targeting educational institutions in India and government organizations in Europe. The malware typically spreads through spam emails containing malicious attachments that execute scripts to download and run the stealer. Once installed, it employs advanced obfuscation techniques to evade detection and terminate processes related to security software, browsers, and communication tools. PXA Stealer further extends its reach by targeting data stored in browsers, password managers, and various client applications. The extracted information is often sold on platforms like Telegram, posing significant privacy and financial risks to victims.

PXA Stealer

How PXA Stealer infected your system

PXA Stealer infiltrates computers primarily through phishing and social engineering tactics, often leveraging email spam campaigns. These emails typically contain malicious attachments, such as ZIP archives, which, when opened, drop batch scripts and a loader-type malware written in Rust. Once executed, these scripts establish a connection to a payload-hosting website, downloading the PXA Stealer along with an anti-virus evader script. The infection process is sophisticated, utilizing obfuscation techniques and PowerShell commands to execute decoy documents, often in the form of seemingly legitimate PDFs. The stealer then targets a range of applications and processes, extracting sensitive data like login credentials and financial information. This malware’s ability to remain undetected while systematically collecting and transmitting data highlights the importance of vigilance and robust cybersecurity measures.

  1. Download PXA Stealer Removal Tool
  2. Use Windows Malicious Software Removal Tool to remove PXA Stealer
  3. Use Autoruns to remove PXA Stealer
  4. Files, folders and registry keys of PXA Stealer
  5. Other aliases of PXA Stealer
  6. How to protect from threats, like PXA Stealer

Download Removal Tool

Download Removal Tool

To remove PXA Stealer completely, we recommend you to use SpyHunter 5. It can help you remove files, folders, and registry keys of PXA Stealer and provides active protection from viruses, trojans, backdoors. The trial version of Spyhunter 5 offers virus scan and 1-time removal for FREE.

Download Alternative Removal Tool

Download Norton Antivirus

To remove PXA Stealer completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of PXA Stealer and several millions of other malware, like viruses, trojans, backdoors.

Remove PXA Stealer manually

Manual removal of PXA Stealer by inexperienced users may become a difficult task because it does not create entries in Add/Remove Programs under Control Panel, does not install browser extensions, and uses random file names. However, there are pre-installed instruments in the Windows system, that allow you to detect and remove malware without using third-party applications. One of them is Windows Malicious Software Removal Tool. It comes with Windows Update in Windows 11, 10, 8. 8.1. For older operating system you can download it here: 64-bit version | 32-bit version.

Remove PXA Stealer using Windows Malicious Software Removal Tool

  1. Type mrt in the search box near Start Menu.
  2. Run mrt clicking on found item.
  3. Click Next button.
  4. Choose one of the scan modes Quick scan, Full scan, Customize scan (Full scan recommended).
  5. Click Next button.
  6. Click on View detailed results of the scan link to view the scan details.
  7. Click Finish button.

Remove PXA Stealer using Autoruns

PXA Stealer often sets up to run at Windows startup as an Autorun entry or Scheduled task.

  1. Download Autoruns using this link.
  2. Extract the archive and run Autoruns.exe file.
  3. In Options menu make sure there are checkboxes near Hide Empty Locations, Hide Microsoft Entries, and Hide Windows Entries.
  4. Search for suspicious entries with weird names or running from locations like: C:\{username}\AppData\Roaming.
  5. Right-click on suspicious entry and choose Delete. This will prevent the threat to run at startup.
  6. Switch to Scheduled Tasks tab and do the same.
  7. To remove files themselves, click on suspicious entries and choose Jump to Entry…. Remove files or registry keys found.

Remove files, folder and registry keys of PXA Stealer

PXA Stealer files and folders


{randomname}.exe

PXA Stealer registry keys


no information

Aliases of PXA Stealer

no information

How to protect from threats, like PXA Stealer, in future

bitdefender internet security

Standard Windows protection or any decent third-party antivirus (Norton, Avast, Kaspersky) should be able to detect and remove PXA Stealer. However, if you got infected with PXA Stealer with existing and updated security software, you may consider changing it. To feel safe and protect your PC from PXA Stealer on all levels (browser, e-mail attachments, Word or Excel scripts, file system) we recommend a leading provider of internet security solutions – BitDefender. Its solutions both for home and business users proved to be one of the most advanced and effective. Choose and get your BitDefender protection via the button below:

Download BitDefender
Previous articleHow to remove Thi-tl-310-b.buzz pop-up ads
Next articleHow to remove Safetydefender.top pop-up ads
James Kramer
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here