Cybersecurity researchers at Check Point recently discovered a new malware dubbed “Styx Stealer,” capable of stealing browser and instant messenger data.
Threat actors often use stealers to secretly gather sensitive information from compromised systems.
The information they steal includes personal credentials, financial data, and passwords.
The stolen data can later be used in other attacks or identity theft, or sold on the black market for money, which means that stealers play an important role in cybercrime.
Technical Analysis
A highly sophisticated malware called Styx Stealer was first noticed on the internet in April 2024 and is based on Phemedrone Stealer, but it introduces some significant improvements.
It targets Chromium and Gecko-based browsers to steal saved passwords, cookies, auto-fill data, and cryptocurrency wallet information.
The malware also tampers with Telegram and Discord sessions, compiles system data, and takes screenshots.
Auto-start functionality, real-time clipboard monitoring, and crypto-clipping capabilities are among the key features that go beyond those of its predecessor. It can also resist analysis by anti-virus programs and sandboxes.
Styx Stealer was designed by a Turkish cybercriminal who goes by the name “Sty1x” and is sold via Telegram or a dedicated website at prices ranging from $75 per month to $350 for unlimited access.
Forensic analysis showed that Sty1x was working with a Nigerian actor who operated under the aliases Fucosreal and Mack_Sant in a separate campaign that used Agent Tesla malware.
That operation mainly focused on Chinese firms in sectors such as metallurgy, transportation, and production.
An operational security lapse revealed Sty1x’s development work, personal data, and the intricate connections within the cybercriminal ecosystem, untangling the complicated networks of international cybercriminals.
Sty1x developed Styx Stealer, a malware derived from an older version of Phemedrone Stealer, enhancing it with a crypto-clipper, improved anti-analysis techniques, and a configurable builder with a graphical interface.
He inadvertently exposed his operation by debugging the stealer using a Telegram bot token provided by @Mack_Sant (alias Fucosreal), who was connected to an Agent Tesla campaign.
This critical operational security lapse revealed their identities, email addresses, and cybercriminal networks.
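The pivot described above, a bot token shared between two pieces of malware, can be reproduced defensively from proxy logs. The following is an added example, not code from Check Point's report or the original article. It assumes the malware reports through the Telegram Bot API, a four-field proxy log format, and a process allow-list. The log lines and tokens are constructed.

```python
import re
from collections import defaultdict

# Telegram Bot API URLs look like:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The numeric bot_id identifies the bot, so it works as a pivot between
# samples without storing the secret half of the token.
BOT_URL = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{6,12}):[A-Za-z0-9_-]{30,}/(?P<method>\w+)"
)

# Assumption: processes allowed to reach Telegram on this estate.
EXPECTED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe"}

# Constructed proxy log: "<timestamp> <host> <process> <url>". Tokens are fake.
SAMPLE_LOG = """\
2024-04-20T10:01:02Z ws-014 chrome.exe https://web.telegram.org/a/
2024-04-20T10:03:11Z ws-014 invoice_view.exe https://api.telegram.org/bot1111111111:AAFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE01/sendDocument
2024-04-21T08:45:30Z ws-022 updater_svc.exe https://api.telegram.org/bot1111111111:AAFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE01/sendMessage
2024-04-21T09:12:00Z ws-030 report.exe https://api.telegram.org/bot2222222222:AAFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE02/sendDocument
truncated line
"""


def find_bot_api_use(log_text):
    """Map bot_id -> [(host, process, method)] for unexpected processes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, host, process, url = parts
        match = BOT_URL.search(url)
        if match and process.lower() not in EXPECTED_PROCESSES:
            hits[match["bot_id"]].append((host, process, match["method"]))
    return dict(hits)


def shared_bots(hits):
    """Bot IDs used by more than one process name: a link between samples."""
    return sorted(b for b, rows in hits.items()
                  if len({proc for _, proc, _ in rows}) > 1)


if __name__ == "__main__":
    found = find_bot_api_use(SAMPLE_LOG)
    for bot_id, rows in found.items():
        print(bot_id, rows)
    print("shared:", shared_bots(found))
```

A bot ID that appears under several unrelated process names or hosts is worth triaging first, since it ties separate samples to one operator-controlled bot.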
Sty1x marketed Styx Stealer and Styx Crypter via Telegram (@styxencode), accepting payments in Bitcoin, Litecoin, Tron USDT, and Monero.
The analysis uncovered 54 customers and approximately $9,500 in revenue over a two-month period across eight identified cryptocurrency wallets.
Styx Stealer relies on anti-VM techniques and geo-blocking of CIS countries to avoid detection while stealing browser details, cryptocurrency wallet data, and system information.
The investigation also highlighted other cybercriminal activities that may have involved Sty1x, including the use of Umbral Stealer and hacking into websites.
Despite all these sales, the effort to broadly distribute Styx Stealer was unsuccessful, as there are no confirmed victims apart from their own systems and several security sandboxes.