Student Malware Ring Infects 94,000 PCs, Generates Billions in Illicit Gains

Severity: High (Score: 67.2)

Sources: E.Vnexpress, Vietnam.Vn, English.Vov.Vn

Summary

On March 25, 2026, Vietnamese authorities reported the dismantling of a malware distribution network led by high school students, which infected over 94,000 computers globally. The primary suspect, identified as N.V.X., began programming in 2023 and developed malware capable of extracting sensitive data from web browsers. The malware, known as 'PXA Stealers,' was designed to steal login cookies and passwords, which were then sold for profit. The group operated through Telegram channels to manage and exploit the stolen data. Authorities estimate that the operation generated tens of billions of Vietnamese dong in illegal revenue. Twelve suspects have been charged with producing and distributing malicious software. The malware was continuously refined to evade detection, indicating a sophisticated operation. The investigation highlights the growing trend of cybercrime involving younger individuals leveraging programming skills for illicit activities.

Key Points

  • A student-led malware ring infected over 94,000 computers worldwide.
  • The malware was designed to steal sensitive browser data and bypass security protections.
  • Authorities have charged 12 individuals involved in the operation with serious cybercrime offenses.

Key Entities

  • Malware (attack_type)
  • vov.vn (domain)
  • Adonis (malware)
  • PXA Stealers (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • Telegram (platform)