Unmasking Styx Stealer: A Developer’s OpSec Blunder Unveils Cybercriminal Network

Recently, Check Point Research (CPR) uncovered a treasure trove of intelligence while investigating Styx Stealer, a potent new malware that can harvest sensitive information from browsers, instant messaging platforms like Telegram and Discord, and cryptocurrency wallets. Styx Stealer, although newly introduced, has already made its presence felt in targeted attacks, including those against Check Point’s customers. However, a critical operational security (OpSec) failure by the malware’s developer turned this dangerous tool into a goldmine of intelligence for cybersecurity experts.

Styx Stealer: A New Evolution in Cyber Theft

Styx Stealer emerged as a fork of the infamous Phemedrone Stealer, which rose to prominence in early 2024. Phemedrone exploited a vulnerability in Microsoft Windows Defender SmartScreen (CVE-2023-36025) to infect systems and steal sensitive data. While Phemedrone was available freely on GitHub before its repository was removed, Styx Stealer has taken a more commercial route, being sold through a subscription model on the website styxcrypter[.]com.

Styx Stealer shares much of Phemedrone’s core functionality, including the ability to steal passwords, cookies, autofill data, and session information from Chromium- and Gecko-based browsers. It extends its reach by pilfering cryptocurrency wallet data and session tokens from popular platforms like Telegram and Discord. Additionally, it can capture system information, such as hardware details and the external IP address of the infected machine, and even take screenshots to help attackers better understand the victim’s environment before launching further attacks.

Despite inheriting these advanced features, Styx Stealer lacks some of the latest enhancements found in modern versions of Phemedrone, such as encrypted reporting and support for advanced exfiltration methods. Nonetheless, the developer of Styx Stealer, known online as Sty1x, added several new features, including:

  • Auto-start and persistence mechanisms to ensure the malware is launched at system startup.
  • Crypto-clipping functionality, which allows the malware to monitor the clipboard for cryptocurrency wallet addresses and replace them with an attacker-controlled address during transactions.
  • Anti-analysis and sandbox evasion techniques, making it difficult for security researchers to analyze and reverse-engineer the malware.

The malware is sold via subscription—$75 per month, $230 for three months, or $350 for a lifetime license—and transactions are conducted through cryptocurrency payments to avoid detection. Prospective buyers must contact the developer directly via the Telegram account @styxencode to arrange a purchase.

A Critical OpSec Failure: The Hacker’s Own Data Leak

In March 2024, CPR first detected Styx Stealer during a broader investigation into a spam campaign distributing Agent Tesla, another malware family used to steal sensitive information via keylogging and other techniques. This campaign targeted companies across various industries, including the metallurgical, glass manufacturing, and ocean freight sectors. The stolen data was exfiltrated through Telegram bots, one of which, @joemmBot, was directly tied to the Styx Stealer developer.

As CPR analysts dissected the malware, they made a pivotal discovery. While debugging Styx Stealer, the developer, Sty1x, inadvertently uploaded a large archive of sensitive data from his own computer to a Telegram bot that used the same bot token as the Agent Tesla campaign. This OpSec blunder revealed a wealth of information, including:

  • Nicknames, email addresses, and phone numbers associated with Sty1x.
  • Client details from Styx Stealer’s sales, including the number of customers, profits, and payment information.
  • Connection to the Nigerian threat actor Fucosreal, a known participant in the Agent Tesla malware campaign.

In essence, Sty1x unintentionally exposed his entire operation, including his collaboration with Fucosreal. Further analysis of the data showed that Fucosreal had shared a Telegram bot token with Sty1x, allowing the latter to integrate the bot into Styx Stealer for data exfiltration.

Linking Styx Stealer to the Agent Tesla Campaign

The connection between Sty1x and Fucosreal deepened CPR’s understanding of both actors’ roles in cybercrime. The spam campaign distributing Agent Tesla had been actively targeting businesses across China, India, the UAE, and the Philippines. While it initially appeared that Styx Stealer was a separate threat, it soon became clear that the two operations were interconnected.

The Telegram bot token used by @joemmBot was traced back to Fucosreal, a Nigerian cybercriminal involved in several campaigns using Agent Tesla. The connection was confirmed when CPR analysts observed conversations between Sty1x and Fucosreal in which they discussed integrating the bot token into Styx Stealer to facilitate data exfiltration. Further evidence from the Telegram bot logs, screenshots of the malware development environment, and email addresses associated with the two actors painted a clear picture of a collaborative cybercriminal network.

A Cybercriminal’s Trail: Unmasking Sty1x

The wealth of intelligence gathered from Sty1x’s data leak enabled CPR to trace the hacker’s movements and identify key details about his operation. The developer’s OpSec failure revealed:

  • Two Telegram accounts, @styxencode and @cobrasupports, linked to Sty1x.
  • Phone numbers associated with Sty1x, one of which had a Turkish country code, indicating his location.
  • Logins from multiple cities in Turkey, allowing CPR to track his physical movements.
  • Payments made to several cryptocurrency wallets controlled by Sty1x.

CPR’s investigation revealed that Styx Stealer had a modest customer base of 54 clients, with total sales reaching approximately $9,500 over a two-month period. The payments were made in Bitcoin, Litecoin, Tron, and Monero, further complicating the financial trail for law enforcement.

The Technical Mechanics of Styx Stealer

At its core, Styx Stealer borrows much of its functionality from Phemedrone Stealer. Key features include:

  • Credential theft: The malware harvests saved passwords, cookies, and autofill data from Chromium- and Gecko-based browsers.
  • Cryptocurrency wallet theft: Styx Stealer targets popular wallets, including Armory, Coinomi, and Exodus, by scanning system files for wallet-related information.
  • Clipboard monitoring: The malware continuously checks clipboard content for cryptocurrency wallet addresses, replacing them with an attacker-controlled address during transactions.
  • Anti-analysis mechanisms: The malware terminates processes associated with Wireshark, HTTP Debugger, and other analysis tools. It also employs basic virtual machine (VM) detection by checking GPU strings for signs of hypervisors like VMware and VirtualBox.

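A defender's-side illustration of the crypto-clipping behaviour described in the feature list above and in the clipboard-monitoring bullet: this added example (not Check Point's or the malware's code) classifies clipboard contents by coin address format and flags the clipper signature, a user-copied wallet address replaced by a different address of the same coin within a short window with no user copy in between. The clipboard event stream, its `source` field, and the sample addresses are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Loose address-format patterns for the coins named in the report (constructed
# for triage here; they are not full checksum validation).
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "LTC": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "XMR": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin whose address format `text` matches, else None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return coin
    return None


def detect_swaps(events: List[Tuple[float, str, str]], window: float = 2.0) -> List[dict]:
    """events: (timestamp_s, source, clipboard_text); source is 'user' for a copy
    the user performed and 'unknown' for any other clipboard write (assumed
    telemetry). A hit is a user-copied address followed by a *different* address
    of the same coin written by something other than the user within `window`
    seconds: exactly what a clipper does to redirect a payment."""
    hits = []
    last = None  # (timestamp, coin, address) of the last user-copied address
    for ts, source, text in events:
        coin = classify(text)
        if source == "user":
            last = (ts, coin, text.strip()) if coin else None
            continue
        if last and coin == last[1] and text.strip() != last[2] and ts - last[0] <= window:
            hits.append({"coin": coin, "original": last[2], "replacement": text.strip(),
                         "delay_s": round(ts - last[0], 3)})
            last = None  # one alert per user copy
    return hits


# Constructed clipboard telemetry: one genuine swap, two benign writes.
SAMPLE_EVENTS = [
    (0.0, "user", "hello world"),
    (1.0, "user", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (1.3, "unknown", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),   # swapped BTC address
    (10.0, "user", "0x52908400098527886E0F7030069857D2E4169EE7"),
    (10.2, "unknown", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # different coin: not a swap
    (20.0, "user", "LM2WMpR1Rp6j3Sa59cMXMs1SPzj9eXpGc1"),
    (25.0, "unknown", "LM2WMpR1Rp6j3Sa59cMXMs1SPzj9eXpGc1"),          # unchanged: not a swap
]

if __name__ == "__main__":
    for hit in detect_swaps(SAMPLE_EVENTS):
        print(f"clipper swap: {hit['coin']} {hit['original']} -> {hit['replacement']} after {hit['delay_s']}s")
```

On a real endpoint the event stream would come from a clipboard hook or EDR telemetry; the heuristic stays the same.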
Despite its sophistication, Styx Stealer lacks some advanced features found in newer Phemedrone variants, such as password tagging and FileZilla data extraction, suggesting that Sty1x may not have access to the latest source code.

OpSec Failure: A Lesson in Cybersecurity

The tale of Styx Stealer underscores a vital truth in the cybersecurity world: no matter how advanced a cybercriminal’s tools may be, poor operational security can unravel even the most secretive operations. The developer’s decision to debug malware on his own computer, coupled with the use of a Telegram bot provided by a known criminal, exposed a vast amount of sensitive information about his operation. This misstep allowed CPR to unmask not only Sty1x but also his collaborator, Fucosreal, and their broader criminal network.

Check Point’s advanced security tools, including Threat Emulation and Harmony Endpoint, offer comprehensive protection against these types of threats. With capabilities designed to detect and block spyware, info-stealers like Styx Stealer, and campaigns like Agent Tesla, organizations can stay ahead of evolving cybercriminal tactics.