CyberProof MDR analysts and threat researchers have found that PXA Stealer attacks on banks around the world increased significantly in the first quarter of 2026. These campaigns mostly use phishing emails with malicious URLs that trigger the download of compromised ZIP files.

Threat actors have shown considerable flexibility, using a wide range of lures such as fake resumes, Adobe Photoshop installers, tax forms, and legal documents. The attack uses a Microsoft Word document to install a harmless file while also running a number of living-off-the-land binaries (LOLBins) and file operations. When certain websites are visited, the malware steals data and sends it out through Telegram. It also persists on the computer by adding a registry Run key value.

To detect and stop this attack, security teams need to watch for specific indicators and behaviors. It is especially important to monitor the execution of script files that are run from temporary folders or email content directories. Organizations should also block connections to suspicious top-level domains such as .shop, .xyz, .info, and .net, and monitor endpoint alerts related to process injection.
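The monitoring guidance above, together with the Run key persistence mentioned earlier, can be expressed as simple triage rules over endpoint telemetry. The following is an added example, not code from the CyberProof report. The event schema, the list of script hosts, the reading of "email content directories" as the Outlook attachment cache, and the sample events are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Hosts that run script files (assumed list; the article names no binaries).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b", re.I)
# Temp folders plus the Outlook attachment cache (assumed "email content directories").
RISKY_DIR = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|content\.outlook)\\", re.I)
RISKY_TLDS = (".shop", ".xyz", ".info", ".net")  # TLDs listed in the article
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

def classify(event, allow_hosts=frozenset()):
    """Return the names of the rules that one endpoint event matches."""
    hits, kind = [], event.get("type")
    if kind == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        cmd = event.get("cmdline", "")
        if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and RISKY_DIR.search(cmd):
            hits.append("script_from_temp_or_mail_dir")
    elif kind == "network":
        # Strip the port and normalise case before comparing the suffix.
        host = (urlsplit("//" + event["dest"]).hostname or "").rstrip(".")
        if host.endswith(RISKY_TLDS) and host not in allow_hosts:
            hits.append("suspicious_tld")
    elif kind == "registry":
        # Trailing separator so ...\Run and ...\Run\<value> match, but RunOnce does not.
        if RUN_KEY.search(event["key"] + "\\"):
            hits.append("run_key_write")
    return hits

def triage(events, allow_hosts=frozenset()):
    """Return (index, rule names) for every event that matched a rule."""
    matched = ((i, classify(e, allow_hosts)) for i, e in enumerate(events))
    return [(i, hits) for i, hits in matched if hits]

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u1\AppData\Local\Temp\7z\invoice.js"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "cmdline":
     r'wscript.exe "C:\Users\u1\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\cv.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript.exe C:\Tools\inventory.vbs"},
    {"type": "network", "dest": "files.example.shop:443"},
    {"type": "network", "dest": "intranet.example.com:443"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, hits)
```

The `.net` TLD is widely used by legitimate services, so pass known-good hosts through `allow_hosts` and treat a TLD match as a signal to correlate with the other rules.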

You can read the whole report at http://www.cyberproof.com/news/2026/pxa-stealer-malware-surge-targeting-global-financial-institutions-during-first-quarter-2026-march-of-2027-cyberProof-MDR-Analysts-and-threat-researchers-have-identified-a-significant-survey.