Styx Stealer developer's OPSEC blunder sheds light on malware ops

A suspected developer behind the recently emerged malware known as Styx Stealer has made a significant operational security (OPSEC) mistake, leading to the exposure of critical data, including information about clients and earnings. This slip-up was noticed by researchers at the Israel-based cybersecurity firm Check Point, which has been closely analyzing the malware.

“The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” the researchers said in a report.

Styx Stealer appears to be based on Phemedrone Stealer, a malware strain that came to light in early 2024 following the exploitation of the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. Phemedrone was initially available for free on GitHub, but after the repository and associated accounts were taken down, several forks of the malware emerged. Among these was Styx Stealer, which quickly became a commercial product.

Styx Stealer is capable of exfiltrating saved passwords, cookies, and auto-fill data from various Chromium- and Gecko-based browsers. It can also extract data from browser extensions, cryptocurrency wallets, and Telegram and Discord sessions. Additionally, it gathers system information, including hardware specs and external IP addresses, and takes screenshots to better understand the target environment.

Check Point’s analysis suggests that Styx Stealer is likely built upon an older version of Phemedrone Stealer, which lacks some of the more advanced features found in newer variants, such as encrypted reporting and direct Telegram integration. However, the developer of Styx Stealer has introduced several enhancements, including auto-start functionality, a clipboard monitor and crypto-clipper, improved sandbox evasion, and additional anti-analysis techniques. The developer also re-implemented the ability to send stolen data to Telegram.
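The clipboard monitor and crypto-clipper described above works by watching the clipboard for a wallet address and overwriting it with the attacker's own. That behaviour leaves a detectable trace on the endpoint: two clipboard changes in quick succession, both a wallet address of the same family, with different values. The following is an added illustration of that detection heuristic, not code from the Check Point report or from the malware; the address patterns are simplified shape checks (no checksum validation), the two-second window is an assumed threshold, and the clipboard history is constructed.

```python
import re
from dataclasses import dataclass

# Simplified shape patterns for wallet families a crypto-clipper typically
# watches; they match the form of an address, not its checksum (assumption).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

# A person re-copying a different address takes seconds; a clipper rewrites
# the clipboard almost immediately after the victim's copy. Assumed threshold.
SWAP_WINDOW_SECONDS = 2.0


@dataclass
class ClipboardEvent:
    t: float        # seconds since monitoring started
    content: str    # clipboard text after this change


def address_family(text: str):
    """Return the wallet family a string looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_clipper_swaps(events):
    """Flag consecutive clipboard changes in which one wallet address was replaced
    by a different address of the same family within SWAP_WINDOW_SECONDS.
    Returns a list of (family, original_address, replacement_address)."""
    hits = []
    for prev, cur in zip(events, events[1:]):
        family = address_family(prev.content)
        if family is None or family != address_family(cur.content):
            continue
        if prev.content.strip() == cur.content.strip():
            continue  # same address copied again, nothing was swapped
        if cur.t - prev.t <= SWAP_WINDOW_SECONDS:
            hits.append((family, prev.content.strip(), cur.content.strip()))
    return hits


# Constructed clipboard history; the addresses are synthetic, not real wallets.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes for Monday"),
    ClipboardEvent(5.0, "0x" + "a" * 40),   # victim copies an ETH address
    ClipboardEvent(5.3, "0x" + "b" * 40),   # replaced 300 ms later: clipper behaviour
    ClipboardEvent(30.0, "1" + "A" * 33),   # victim copies a BTC address
    ClipboardEvent(45.0, "1" + "B" * 33),   # a different address 15 s later: normal re-copy
]

if __name__ == "__main__":
    for family, original, replacement in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"possible clipper: {family} {original} -> {replacement}")
```

On a real endpoint the events would come from a clipboard-change hook or an EDR telemetry stream rather than a hardcoded list; the heuristic is the same, and the timing threshold is what separates a clipper from a user legitimately copying two addresses.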

The first advertisements for Styx Stealer appeared in April 2024. Unlike the original Phemedrone Stealer, which was free, Styx Stealer is available through a subscription model - $75 for a monthly license, $230 for three months, and $350 for a lifetime subscription. Notably, the website does not offer direct purchase options, requiring potential buyers to contact the seller via a Telegram account.

The identity of the Styx Stealer developer came to light due to an OPSEC failure. The developer inadvertently leaked personal details, including Telegram accounts, emails, and other contacts, by debugging the stealer on his own computer using a Telegram bot token provided by a customer involved in a spam campaign. The campaign, which occurred in March 2024, was linked to an Agent Tesla threat actor known as FucosReal.
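The Telegram bot token that linked the developer to his customer is exactly the kind of artifact an analyst pulls out of a stealer sample during triage: the token and the chat ID together form the exfiltration configuration. The following is an added example of that extraction step, not Check Point's tooling or anything from the page. It relies only on the documented shape of a Telegram bot token (a numeric bot ID, a colon, and a 35-character secret), scans the sample as both raw bytes and UTF-16 (the encoding of string constants in .NET binaries such as Phemedrone forks), and reports a SHA-256 fingerprint rather than the secret so tokens can be correlated across samples without copying them into reports. The sample blob is constructed.

```python
import hashlib
import re

# Shape of a Telegram bot token: numeric bot id, colon, 35-character secret.
# A "bot" prefix (as in api.telegram.org/bot<token>/...) is allowed before it.
TOKEN_RE = re.compile(r"(?<![0-9])([0-9]{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id query parameter as it appears in sendMessage/sendDocument URLs.
CHAT_ID_RE = re.compile(r"chat_id=(-?[0-9]{5,20})")


def _text_views(blob: bytes):
    """Yield the blob as text in the encodings strings are commonly stored in:
    raw bytes as latin-1, and UTF-16-LE at both byte alignments (.NET user
    strings are UTF-16, so an ASCII regex over the raw bytes would miss them)."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def fingerprint(token: str) -> str:
    """Short SHA-256 prefix so a token can be correlated across samples
    without writing the secret itself into a report."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def extract_telegram_config(blob: bytes) -> dict:
    """Return bot ids (with fingerprints) and chat ids found in a sample."""
    tokens, chat_ids = {}, set()
    for view in _text_views(blob):
        for bot_id, secret in TOKEN_RE.findall(view):
            token = f"{bot_id}:{secret}"
            tokens[token] = {"bot_id": bot_id, "fingerprint": fingerprint(token)}
        chat_ids.update(CHAT_ID_RE.findall(view))
    return {
        "tokens": sorted(tokens.values(), key=lambda t: t["bot_id"]),
        "chat_ids": sorted(chat_ids),
    }


# Constructed sample: fake tokens (bot id + 35-char secret) in an ASCII exfil
# URL and as a UTF-16-LE string, as a .NET stealer's string heap would hold it.
FAKE_TOKEN_A = "1234567890:AA" + "FAKE" * 8 + "x"
FAKE_TOKEN_B = "9876543210:BB" + "TEST" * 8 + "y"
SAMPLE_BLOB = (
    b"\x00\x00junk"
    + f"https://api.telegram.org/bot{FAKE_TOKEN_A}/sendDocument?chat_id=-100111222333".encode()
    + b"\x00\x00"
    + FAKE_TOKEN_B.encode("utf-16-le")
    + b"\x00\x00 12345:tooShort "
)

if __name__ == "__main__":
    config = extract_telegram_config(SAMPLE_BLOB)
    for entry in config["tokens"]:
        print(f"bot id {entry['bot_id']} token fingerprint {entry['fingerprint']}")
    print("chat ids:", config["chat_ids"])
```

The bot ID is safe to publish and is what ties samples to a single operator account; the fingerprint lets two teams confirm they hold the same token without either one exposing it.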

Agent Tesla, a notorious remote access malware, has been targeting Windows systems since 2014, and the involvement of its actors in the distribution of Styx Stealer suggests a broader cybercrime collaboration. 
