Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Severity: Medium
Published: Mon Aug 04 2025 (08/04/2025, 16:13:25 UTC)
Source: AlienVault OTX General

Description

SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 unique victim IP addresses from 62 countries were identified, with South Korea, the United States, and the Netherlands being the most targeted. The stolen data includes passwords, credit card records, and browser cookies. The threat actors, linked to Vietnamese-speaking cybercriminal circles, monetize the stolen data through a subscription-based underground ecosystem that automates resale via Telegram's API. The campaign showcases the growing trend of weaponizing legitimate infrastructure for large-scale information theft and monetization.

AI-Powered Analysis

Last updated: 08/04/2025, 20:48:04 UTC

Technical Analysis

'Ghost in the Zip' is the title of the SentinelLABS and Beazley Security report describing a series of infostealer campaigns that deliver PXA Stealer, a Python-based infostealer first identified in late 2024. The malware harvests sensitive user information such as passwords, credit card details, and browser cookies from infected systems. The researchers counted over 4,000 unique victim IP addresses across 62 countries, with the heaviest concentration in South Korea, the United States, and the Netherlands.

Recent samples add anti-analysis techniques intended to frustrate sandboxing and manual analysis, and the command-and-control (C2) infrastructure has been hardened, which improves the operation's resilience to disruption and takedown (not the implant's persistence on a host). A distinctive feature of the ecosystem is its integration with Telegram's API: stolen data is collected and then resold through a subscription-based underground service that automates distribution via Telegram. Abusing a legitimate, widely permitted platform in this way complicates both network detection and takedown. The operators are linked to Vietnamese-speaking cybercriminal circles, which points to an organized, regionally based operation.

The campaign's tactics include credential harvesting, data theft, and obfuscation, reflected in the associated MITRE ATT&CK techniques: T1056.001 (Input Capture: Keylogging), T1036.005 (Masquerading: Match Legitimate Name or Location), T1573.001 (Encrypted Channel: Symmetric Cryptography), and T1027 (Obfuscated Files or Information). Overall, the campaign exemplifies the evolving sophistication of commodity infostealers and the increasing use of legitimate platforms for cybercrime monetization.

Potential Impact

For European organizations, the PXA Stealer campaign poses risk primarily through the compromise of user credentials and financial information. Stolen passwords and browser cookies (which can carry live session tokens that bypass password-based logins and some MFA prompts) enable unauthorized access to corporate accounts, email systems, and financial platforms, potentially resulting in data breaches, financial fraud, and identity theft. Automated resale via Telegram's API shortens the time between infection and abuse of the stolen data and widens the pool of buyers, amplifying the impact. Organizations whose employees use personal devices, or that have weak endpoint security controls, are particularly exposed. Sectors handling sensitive customer data, such as financial services, e-commerce, and healthcare, additionally face reputational damage and regulatory penalties under GDPR if a breach results. The malware's anti-analysis features may delay detection and response, extending the attackers' access to compromised systems. Although the source does not report widespread exploitation in Europe, the presence of the Netherlands among the three most targeted countries signals a direct threat to European entities. The source does not state which operating systems are affected; a Python implementation alone does not imply cross-platform reach, since stealer loaders and credential-store parsers are normally platform-specific, so scope should be confirmed against the referenced SentinelLABS report.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to counter infostealer threats like PXA Stealer. Specific recommendations:

1) Deploy endpoint detection and response (EDR) tooling able to detect obfuscated Python scripts and to monitor suspicious process behaviour, including input capture and masquerading. Alert on Python interpreters launched from user-writable or archive-extraction paths.
2) Enforce application control policies that block execution of unauthorized scripts and binaries, especially files unpacked from email attachments or downloaded from untrusted sources.
3) Monitor network traffic for unusual encrypted channels and for communication with Telegram API endpoints (api.telegram.org) from processes that have no business reason to reach them; block the service outright where it is not sanctioned, and correlate with threat-intelligence feeds to identify known indicators of compromise.
4) Educate employees about the phishing and social-engineering lures used to deliver the stealer, emphasizing the risk of opening unsolicited archives, attachments, or links.
5) Enforce credential hygiene, including multi-factor authentication (MFA) on all critical systems, and treat a confirmed infection as a credential and session compromise: reset the affected user's passwords and revoke active browser sessions and tokens, since stolen cookies remain valid until they are invalidated.
6) Regularly audit and restrict browser extensions and cookie access to minimize the data available to a stealer.
7) Maintain incident response playbooks specific to infostealer infections and data exfiltration, covering rapid containment, forensic triage, and the credential and session revocation above.
8) Collaborate with national cybersecurity authorities and share threat intelligence to track new variants and delivery patterns related to PXA Stealer.
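
Recommendation 3 is the one most teams can act on immediately from proxy logs. The script below is an added example for this page (not code from SentinelLABS, Beazley Security, or AlienVault). It assumes the stealer exfiltrates through the Telegram Bot API, which the page describes only as "Telegram's API"; the log format, hostnames, process names, and the bot token are constructed sample data. Rather than flagging every connection to api.telegram.org, which would also catch sanctioned use, it looks for a bot token in the URL path and groups what it finds by bot id.

```python
"""Hunt web-proxy logs for Telegram Bot API exfiltration.

Added example for this page; not code from SentinelLABS, Beazley Security
or AlienVault. Assumptions: the stealer uses the Telegram Bot API (the page
says only "Telegram's API"); the log format, hostnames, process names and
the bot token below are constructed sample data.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Bot tokens look like "<numeric bot id>:<35-character secret>" and sit in the
# URL path of every Bot API call, e.g. /bot<token>/sendDocument.
BOT_CALL_RE = re.compile(r"/bot(\d{6,12}):([A-Za-z0-9_-]{35})/([A-Za-z]+)")

# Bot API methods that push data out of the network.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendMediaGroup"}

# Constructed sample log: "<iso time> <src host> <process> <url> <bytes out>"
SAMPLE_LOG = """\
2025-08-04T16:10:01Z ws-0142 python.exe https://api.telegram.org/bot7123456789:AAH8xk2QpY7vF3rT9nZc1LbWq4mJe6oSdXu/sendDocument 48213
2025-08-04T16:10:02Z ws-0142 python.exe https://api.telegram.org/bot7123456789:AAH8xk2QpY7vF3rT9nZc1LbWq4mJe6oSdXu/sendMessage 812
2025-08-04T16:11:17Z ws-0077 chrome.exe https://web.telegram.org/a/ 1200
2025-08-04T16:12:40Z ws-0201 python.exe https://pypi.org/simple/requests/ 310
2025-08-04T16:13:05Z ws-0310 outlook.exe https://api.telegram.org/bot7123456789:AAH8xk2QpY7vF3rT9nZc1LbWq4mJe6oSdXu/getMe 95
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Split one proxy log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, url, nbytes = m.groups()
    return {"ts": ts, "host": host, "process": proc, "url": url, "bytes_out": int(nbytes)}


def classify(event):
    """Return a finding for Bot API calls to Telegram, else None.

    Matching on the hostname alone would also flag sanctioned Telegram use;
    requiring a bot token in the path is the higher-fidelity signal.
    """
    parsed = urlparse(event["url"])
    if (parsed.hostname or "").lower() not in TELEGRAM_API_HOSTS:
        return None
    m = BOT_CALL_RE.search(parsed.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    return {
        "ts": event["ts"],
        "host": event["host"],
        "process": event["process"],
        "bot_id": bot_id,  # stable pivot across victims of the same operator
        "token_redacted": f"{bot_id}:{secret[:4]}...{secret[-4:]}",  # never log the full secret
        "method": method,
        "exfil": method in EXFIL_METHODS,
        "bytes_out": event["bytes_out"],
    }


def hunt(log_text):
    """Return all Telegram Bot API findings in a log blob."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and (finding := classify(event)):
            findings.append(finding)
    return findings


def summarize(findings):
    """Group findings by bot id: which hosts talked to it and how much left."""
    summary = defaultdict(lambda: {"hosts": set(), "processes": set(), "exfil_bytes": 0, "calls": 0})
    for f in findings:
        s = summary[f["bot_id"]]
        s["hosts"].add(f["host"])
        s["processes"].add(f["process"])
        s["calls"] += 1
        if f["exfil"]:
            s["exfil_bytes"] += f["bytes_out"]
    return dict(summary)


if __name__ == "__main__":
    for bot_id, s in summarize(hunt(SAMPLE_LOG)).items():
        print(f"bot {bot_id}: {s['calls']} calls, {s['exfil_bytes']} bytes out, "
              f"hosts={sorted(s['hosts'])}, processes={sorted(s['processes'])}")
```

On the sample, the two python.exe calls from ws-0142 and the getMe call from ws-0310 share one bot id, so they are one operator touching two hosts; the web.telegram.org browser session is left alone. The bot id is a durable pivot for correlating victims and for reporting, while the 35-character secret should be redacted in tickets and shared intelligence, as it grants control of the bot.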

Technical Details

Author: AlienVault
TLP: white
References: https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/
Adversary: not specified
Pulse Id: 6890dc25c21f8e90f5941c10
Threat Score: not specified

Indicators of Compromise

Hash

MD5 (32 hex characters)
393ff5839c4ce9e06079c3e7adf1cc27
6510f6d274e03e177a0540d7307d7ac9
9111387e575ad602c12a9bcc05f356b7
a1de860115ebbef7f96b089bd61bbb75
fe06d9599a0877a5a0031598893b577b

SHA-1 (40 hex characters)
05a8e10251a29faf31d7da5b9adec4be90816238
06fcb4adf8ca6201fc9e3ec72d53ca627e6d9532
08f517d4fb4428380d01d4dd7280b62042f9e863
0c472b96ecc1353fc9259e1b8750cdfe0b957e4f
1594331d444d1a1562cd955aefff33a0ee838ac9
1783af05e7cd52bbb16f714e878bfa9ad02b6388
185d10800458ab855599695cd85d06e630f7323d
1aa5a0e7bfb995fc2f3ba0e54b59e7877b5d8fd3
23c61ad383c54b82922818edcc0728e9ef6c984d
345c59394303bb5daf1d97e0dda894ad065fedf6
37e4039bd2135d3253328fea0f6ff1ca60ec4050
3a20b574e12ffb8a55f1fb5dc91c91245a5195e8
3d38abc7786a1b01e06cc46a8c660f48849b2b5f
3e9198e9546fa73ef93946f272093092363eb3e2
3f0071d64edd72d7d92571cf5e4a5e82720c5a9b
40795ca0880ea7418a45c66925c200edcddf939e
407df08aff048b7d05fd7636be3bc9baa699646d
44feb2d7d7eabf78a46e6cc6abdd281f993ab301
4528215707a923404e3ca7667b656ae50cef54ef
4607f6c04f0c4dc4ee5bb68ee297f67ccdcff189
48325c530f838db2d7b9e5e5abfa3ba8e9af1215
48d6350afa5b92958fa13c86d61be30f08a3ff0c
4ab9c1565f740743a9d93ca4dd51c5d6b8b8a5b6
4dcf4b2d07a2ce59515ed3633386addff227f7bd
5246e098dc625485b467edd036d86fd363d75aae
533960d38e6fee7546cdea74254bccd1af8cbb65
540227c86887eb4460c4d59b8dea2a2dd0e575b7
5b60e1b7458cef383c45998204bbaac5eacbb7ee
612f61b2084820a1fcd5516dc74a23c1b6eaa105
61a0cb64ca1ba349550176ef0f874dd28eb0abfa
6393b23bc20c2aaa71cb4e1597ed26de48ff33e2
65c11e7a61ac10476ed4bfc501c27e2aea47e43a
6eb1902ddf85c43de791e86f5319093c46311071
70b0ce86afebb02e27d9190d5a4a76bae6a32da7
734738e7c3b9fef0fd674ea2bb8d7f3ffc80cd91
7c9266a3e7c32daa6f513b6880457723e6f14527
7d53e588d83a61dd92bce2b2e479143279d80dcd
7e505094f608cafc9f174db49fbb170fe6e8c585
80e68d99034a9155252e2ec477e91da75ad4f868
ae8d0595724acd66387a294465b245b4780ea264
b53ccd0fe75b8b36459196b666b64332f8e9e213
ba56a3c404d1b4ed4c57a8240e7b53c42970a4b2
bd457c0d0a5776b43969ce28a9913261a74a4813
bfed04e6da375e9ce55ad107aa96539f49899b85
c46613f2243c63620940cc0190a18e702375f7d7
c5407cc07c0b4a1ce4b8272003d5eab8cdb809bc
c5688fc4c282f9a0dc62cf738089b3076162e8c6
c9a1ddf30c5c7e2697bc637001601dfa5435dc66
c9caba0381624dec31b2e99f9d7f431b17b94a32
ca6912da0dc4727ae03b8d8a5599267dfc43eee9
d0b137e48a093542996221ef40dc3d8d99398007
d1a5dff51e888325def8222fdd7a1bd613602bef
da210d89a797a2d84ba82e80b7a4ab73d48a07b1
dc6a62f0a174b251e0b71e62e7ded700027cc70b
deace971525c2cdba9780ec49cc5dd26ac3a1f27
e27669cdf66a061c5b06fea9e4800aafdb8d4222
e9dfde8f8a44b1562bc5e77b965b915562f81202
f02ae732ee4aff1a629358cdc9f19b8038e72b7b
f5793ac244f0e51ba346d32435adb8eeac25250c
f7bb34c2d79163120c8ab18bff76f48e51195d35
f8f328916a890c1b1589b522c895314a8939399c
f91e1231115ffe1a01a27ea9ab3e01e8fac1a24f
faf033dc60fed4fc4d264d9fac1d1d8d641af5e0
ff920aee8199733258bb2a1f8f0584ccb3be5ec6

SHA-256 (64 hex characters)
04d7cbb4a6f4152a59fba1c83b53815716f7008db0b2a4514166bfa9c4413895
0cd9f10a8e644754d1c3ed624e7a3d79c738d446e3b5d1f645c4ee2d855ee4ca
3e8b370b8f499f5de89bf20bce2f0890c4731b4972943cfb82691ed370d9f62a
7775d00a82ec44a718d7ee5417d6097bc4315d3513303bcb9340266cc0c87f73
a5d0c0dfc4e3e1c157c50d1dfb7b0d376aa35fe5fcac11ce524a8ea7c9cfa54b
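
The pulse export mixes three digest types under one "hash" label, so the first step in using these indicators is to sort them by algorithm before loading them into a sweep. The script below is an added example for this page (not tooling from SentinelLABS, Beazley Security, or AlienVault): it classifies raw export lines by digest length, rejects anything that is not valid hex, and hashes files once for all three algorithms. The three valid digests in RAW_IOC_LINES are copied from the list above (one of each length); the fourth line and the file created by demo() are constructed to exercise the rejection path and a match.

```python
"""Normalize this pulse's hash indicators and sweep files against them.

Added example for this page; not tooling from SentinelLABS, Beazley
Security or AlienVault. The three valid digests in RAW_IOC_LINES are copied
from the indicator list above (one of each length); the fourth line and the
file scanned by demo() are constructed to exercise the error path and a hit.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Lines as they appear in the pulse export: the column label "hash" fused to
# the value. A real hex digest can never start with "hash" ('h' and 's' are
# not hex digits), so stripping that prefix is unambiguous.
RAW_IOC_LINES = [
    "hash393ff5839c4ce9e06079c3e7adf1cc27",
    "hash05a8e10251a29faf31d7da5b9adec4be90816238",
    "hash04d7cbb4a6f4152a59fba1c83b53815716f7008db0b2a4514166bfa9c4413895",
    "hashnotahexvalue",  # constructed: exercises the rejection path
]

ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_iocs(lines):
    """Split raw export lines into per-algorithm sets by digest length.

    Returns (iocs, rejected): iocs maps algorithm name to a set of lowercase
    hex digests; rejected lists inputs that are not a valid MD5/SHA-1/SHA-256.
    """
    iocs = {algo: set() for algo in ALGO_BY_LENGTH.values()}
    rejected = []
    for line in lines:
        value = line.strip().lower()
        if value.startswith("hash"):
            value = value[len("hash"):]
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo is None or not HEX_RE.match(value):
            rejected.append(line)
            continue
        iocs[algo].add(value)
    return iocs, rejected


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    # usedforsecurity=False keeps MD5/SHA-1 usable on FIPS-restricted hosts;
    # they serve only for indicator matching here, not for integrity.
    digests = {algo: hashlib.new(algo, usedforsecurity=False) for algo in ALGO_BY_LENGTH.values()}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in digests.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in digests.items()}


def sweep(root, iocs):
    """Walk root and return (path, algorithm, digest) for every IOC match."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:  # locked, unreadable, or vanished mid-walk
            continue
        for algo, value in digests.items():
            if value in iocs[algo]:
                hits.append((str(path), algo, value))
    return hits


def demo():
    """Constructed end-to-end run: a temp file whose SHA-256 is added as an IOC."""
    iocs, _rejected = classify_iocs(RAW_IOC_LINES)
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "decoy.bin"
        sample.write_bytes(b"constructed sample, not real malware")
        iocs["sha256"].add(hash_file(sample)["sha256"])
        (Path(tmp) / "clean.txt").write_bytes(b"unrelated file")
        return sweep(tmp, iocs)


if __name__ == "__main__":
    iocs, rejected = classify_iocs(RAW_IOC_LINES)
    print({algo: len(v) for algo, v in iocs.items()}, "rejected:", rejected)
    print(demo())
```

Treat a hash sweep as triage, not as the detection strategy: a repacked or re-obfuscated Python payload changes every digest here while keeping the same behaviour, which is why the behavioural and network controls in the mitigation list carry more weight than this indicator set.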

Threat ID: 689118e8ad5a09ad00e30c7c

Added to database: 8/4/2025, 8:32:40 PM

Last enriched: 8/4/2025, 8:48:04 PM

Last updated: 8/4/2025, 8:48:04 PM
