A PXA Stealer campaign that works through LinkedIn interactions has been found to be active, targeting jobseekers in the US, Sweden, Bangladesh, India, and the Netherlands.
LinkedIn is popular among recruiters, and for jobseekers, its ease of use and semi-automatic application options make it an attractive place to look for work. Features like CV/resumé storage and ‘Easy Apply’ options mean it’s relatively simple to fire off several dozen job applications in a couple of hours. A response from an ‘employer’, therefore, is easily acted on without much fact-checking by the would-be employee.
In the latest malware incident, users get contacted about possible employment and are directed to a Google Form, from where they’re taken by shortened URL to an archive on Dropbox. Using household name services increases the level of trust the victim places in the process, researchers state.
Materials pertaining to the bogus role are then downloaded from Dropbox and executed on the victim’s Windows operating system. The malware loads an artificially enlarged DLL file in place of a legitimate component of the OS. Some of the security platforms a user might have installed skip inspection of very large files so that lengthy scans do not slow the machine down, and the inflated file size is there to take advantage of that.
A batch script then extracts further components into a directory that mimics a path used by the Microsoft Edge browser bundled with the OS, and establishes persistence via a scheduled task named to resemble one of the updates that habitually run on Windows outside of user control. Rather than writing the payload to disk (which can trigger alerts from security platforms), the malware executes its core Python logic in memory.
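The persistence step above is one a defender can hunt for directly. The script below is an added example, not code from the article or from the researchers it cites: it parses Task Scheduler XML and flags tasks whose name borrows Microsoft/Edge/Windows update wording while their action runs an interpreter, points into a user-writable directory, or runs from anywhere other than the genuine Edge updater directory. The updater directory used as the allow-list, the UTF-16 on-disk encoding of task XML, and the two task definitions are assumptions and constructed samples, not details taken from the article.

```python
"""Hunt for scheduled tasks that pose as Microsoft Edge update jobs.

Added example, not code from the article or from the researchers it cites.
Assumptions (not stated by the article):
  - tasks are available as Task Scheduler XML, as stored under
    C:\\Windows\\System32\\Tasks or produced by Export-ScheduledTask;
  - the genuine Edge updater is launched from the EdgeUpdate program
    directory, which is used here as an allow-list;
  - the two task definitions below are constructed for the demo.
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Allow-list assumption: directory the real Edge updater runs from.
LEGIT_EDGE_UPDATER_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"
# Task names that borrow Microsoft/Edge/Windows update wording get extra scrutiny.
UPDATE_LOOKALIKE = re.compile(r"(microsoft|edge|windows).*update", re.I)
# Interpreters an update task has no reason to launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "python.exe", "pythonw.exe"}
# Locations a standard user can write to; real updaters do not run from here.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)

# Constructed sample: a genuine-looking updater task.
LEGIT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Actions><Exec>
    <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
    <Arguments>/c</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a look-alike task that runs an interpreter from a
# user-writable Edge-style directory, the pattern the article describes.
LOOKALIKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskUserCore</URI></RegistrationInfo>
  <Actions><Exec>
    <Command>C:\Users\alice\AppData\Local\Microsoft\Edge\Update\pythonw.exe</Command>
    <Arguments>stage.py</Arguments>
  </Exec></Actions>
</Task>"""


def parse_task(xml_text):
    """Return (task name, command, arguments) from Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    return uri.rsplit("\\", 1)[-1], cmd.strip().strip('"'), args.strip()


def assess_task(xml_text):
    """Return the reasons a task looks like masquerading persistence ([] if clean)."""
    name, cmd, args = parse_task(xml_text)
    cmd_lower = cmd.lower()
    exe = cmd_lower.rsplit("\\", 1)[-1]
    reasons = []
    if UPDATE_LOOKALIKE.search(name) and not cmd_lower.startswith(LEGIT_EDGE_UPDATER_DIR):
        reasons.append("update-style task name but command is outside the updater directory")
    if exe in SCRIPT_HOSTS:
        reasons.append(f"task launches a script host ({exe})")
    if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
        reasons.append("command or arguments point into a user-writable directory")
    return reasons


def scan_task_directory(root_dir):
    """Walk a Tasks tree on disk and return {path: reasons} for flagged tasks."""
    flagged = {}
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                # Assumption: on-disk task XML is UTF-16 with a BOM.
                with open(path, encoding="utf-16") as fh:
                    reasons = assess_task(fh.read())
            except (OSError, ET.ParseError, UnicodeError):
                continue  # not a task file, or unreadable: skip it
            if reasons:
                flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for label, xml in (("legit", LEGIT_TASK), ("lookalike", LOOKALIKE_TASK)):
        print(label, assess_task(xml) or "clean")
```

The name check alone is not enough, because the real updater tasks also carry "Edge" and "Update" in their names; the signal is the combination of an update-style name with an action that runs a script host or from a path a standard user can write to. The allow-listed directory will need adjusting for environments where Edge is installed elsewhere.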
The malware retrieves its command-and-control infrastructure from a Telegram channel and exfiltrates data to a server over TLS. Data taken includes browser credentials, session cookies (which can be replayed to bypass MFA), cryptocurrency wallets, hardware wallet data, and authentication tokens.
Once a LinkedIn account is compromised, the malware spreads by sending similar messages on LinkedIn to the original victim’s contacts.
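Because the command-and-control channel rides on a legitimate service, blocking by destination is rarely an option; what stands out is which process is doing the talking. The script below is an added example, not from the article or the cited research: it reads Sysmon DNS-query events (Event ID 22, whose Image and QueryName fields are real) and flags lookups of Telegram API hosts made by anything other than an expected client or browser, then counts repeats per process, since a loader polling a channel resolves the same host again and again. The allow-list of expected binaries and the sample events are assumptions and constructed data.

```python
"""Flag processes that resolve Telegram API hosts but are not a known Telegram
client or browser, using Sysmon DNS-query events.

Added example, not from the article. Assumptions: Sysmon Event ID 22 records
exported as JSON lines with 'UtcTime', 'Image' and 'QueryName' fields (real
Sysmon field names); the allow-list of expected client binaries must be tuned
per environment; the sample events are constructed.
"""
import json
import re
from collections import Counter

TELEGRAM_HOSTS = ("telegram.org", "t.me")
# Assumption: binaries that legitimately talk to Telegram in this environment.
EXPECTED_IMAGES = {"telegram.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Even an expected binary name is suspect if it runs from a user-writable path.
# Per-user browser installs (e.g. Chrome under AppData) would need allow-listing.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)

# Constructed sample: one Telegram Desktop lookup, one browser visit to LinkedIn,
# and a script host in an Edge-style user directory polling the Telegram API.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-06-01 09:00:01.000", "Image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "QueryName": "api.telegram.org"}
{"UtcTime": "2025-06-01 09:00:05.000", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "QueryName": "www.linkedin.com"}
{"UtcTime": "2025-06-01 09:01:10.000", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\Update\\pythonw.exe", "QueryName": "api.telegram.org"}
{"UtcTime": "2025-06-01 09:06:10.000", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\Update\\pythonw.exe", "QueryName": "api.telegram.org"}
"""


def is_telegram_host(qname):
    """True for a Telegram domain or any of its subdomains."""
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in TELEGRAM_HOSTS)


def parse_events(text):
    """Parse JSON-lines Sysmon export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_telegram_lookups(events):
    """Return Telegram lookups made by processes that are not expected clients."""
    hits = []
    for ev in events:
        if not is_telegram_host(ev.get("QueryName", "")):
            continue
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in EXPECTED_IMAGES and not USER_WRITABLE.search(image):
            continue  # known client running from a normal install location
        hits.append({"time": ev.get("UtcTime"), "image": image,
                     "query": ev["QueryName"]})
    return hits


def lookups_per_image(hits):
    """Count flagged lookups per process path; repeats suggest channel polling."""
    return Counter(h["image"] for h in hits)


if __name__ == "__main__":
    found = suspicious_telegram_lookups(parse_events(SAMPLE_EVENTS))
    for image, count in lookups_per_image(found).items():
        print(f"{count} Telegram lookup(s) from {image}")
```

The same logic applies to proxy or firewall logs that record the originating process; the point is to tie the destination to the program, not to the host, since the host itself is one that plenty of legitimate software contacts.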
PXA Stealer was first documented in late 2024, when it used direct phishing and much simpler Telegram-based exfiltration. By mid-2025, its authors had added various layers of obfuscation, additional command and control mechanisms, and the in-memory execution element. Vietnamese authorities have linked the most recent PXA Stealer campaign to a criminal group in the country, stating there are likely to have been tens of thousands of compromised systems.
Guidance for LinkedIn users
Users should treat messages on LinkedIn with caution, even when they originate from known contacts (who may themselves have been infected). Verification that a potential role actually exists should take place outside LinkedIn. Note that malware actors can easily create websites representing bogus employers.
No job offer should involve the download or execution of files. A legitimate recruiter should not require this.
Familiar platforms such as Google and Dropbox are not a mark of trustworthiness. The presence of an apparently trusted domain does not indicate safety.
LinkedIn users should regularly review any active sessions via LinkedIn settings and terminate any that seem unfamiliar. Logins from distant or anomalous locations should be treated as indicators that an account has been compromised.
Multi-factor authentication using a hardware security key should be used wherever possible – this won’t prevent session hijacking, but it reduces the likelihood of compromised credentials. LinkedIn supports software passkeys.
If compromise is suspected, users should reset LinkedIn passwords and revoke all sessions.
Guidance for recruiters
Provide a verifiable organisational identity that can be checked outside LinkedIn without relying on redirects or shortened URLs. Include named contacts, corporate email addresses, and offer routes for independent confirmation.
Do not require candidates to download files at any stage. A clear statement in a job posting that no downloads will be requested during screening adds legitimacy.
Do not use intermediary services that obscure a role’s provenance.
(Image source: “Pickets protest unemployment policies in Scranton, March 15, 1964.” by Kheel Center, Cornell University Library is licensed under CC BY 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by/2.0)
