Styx Stealer
Cybersecurity researchers have reported a newly discovered, highly potent attack from a known threat actor. This malware, which targets Windows users, is designed to steal a wide range of data, including browser cookies, security credentials, and instant messages. While the core malware has been seen before, this latest version has been upgraded to more effectively drain cryptocurrency wallets.
The malware is an evolved version of the Phemedrone Stealer, which gained attention earlier this year. It exploits a vulnerability in Microsoft Windows Defender, allowing it to run scripts on affected PCs without triggering security alerts.
The new variant, dubbed the Styx Stealer, is reportedly linked to the Fucosreal threat actor, who is associated with Agent Tesla—a Windows Remote Access Trojan (RAT) often sold as Malware-as-a-Service (MaaS). Once a PC is infected, more harmful software can be installed, potentially leading to ransomware attacks.
The Styx Stealer is available for rent at $75 per month, with a lifetime license priced at $350. The malware is still being actively sold online, and anyone can purchase it. The creator of the Styx Stealer is believed to be active on Telegram, responding to messages and developing another product, Styx Crypter, which helps evade anti-malware detection. As a result, Styx Stealer remains a significant threat to users worldwide.
The malware doesn't just target Chrome; it also compromises all Chromium-based browsers, such as Edge, Opera, and Yandex, as well as Gecko-based browsers like Firefox, Tor Browser and SeaMonkey.
The latest version of Styx Stealer introduces new features for harvesting cryptocurrency. Unlike its predecessor, Phemedrone Stealer, this version includes a crypto-clipping function that operates autonomously, without needing a Command-and-Control (C2) server, from the moment the malware is installed on the victim's machine.
These enhancements make the malware more effective at silently stealing cryptocurrency in the background. It monitors the clipboard in a continuous loop, typically at two millisecond intervals. When the clipboard content changes, the crypto-clipper function activates, replacing the original wallet address with the attacker's address. The crypto-clipper can recognize 9 different regex patterns for wallet addresses across various blockchains, including BTC, ETH, XMR, XLM, XRP, LTC, NEC, BCH and DASH.
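As an added illustration from the defender's side (not code from the report or from the malware), the check below looks for the behaviour just described: it compares the wallet address an application placed on the clipboard with what is read back a moment later, and raises an alert when the string has changed but still matches the same chain's address format, which is exactly what a clipper leaves behind. The regexes, the sample clipboard events and the function names are constructed for this example and are not the nine patterns Styx Stealer carries.

```python
import re
from typing import Optional

# Simplified address formats for three of the chains named in the report.
# Illustrative regexes written for this example, not the malware's own patterns.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the chain whose pattern matches, or None if it is not an address."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text):
            return chain
    return None

def detect_swap(copied: str, observed: str) -> dict:
    """Compare what an app set on the clipboard with what was read back later.
    A clipper keeps the chain but changes the address: same chain, different
    string is the signature worth alerting on."""
    copied_chain = classify_address(copied)
    if copied_chain is None:
        return {"verdict": "not_a_wallet", "chain": None}
    if copied.strip() == observed.strip():
        return {"verdict": "intact", "chain": copied_chain}
    observed_chain = classify_address(observed)
    if observed_chain == copied_chain:
        return {"verdict": "swapped", "chain": copied_chain}
    return {"verdict": "altered", "chain": copied_chain, "observed": observed_chain}

# Constructed clipboard read-back log: (what the app set, what was read back).
SAMPLE_EVENTS = [
    ("1" + "A" * 33, "1" + "A" * 33),              # BTC address, untouched
    ("0x" + "ab" * 20, "0x" + "cd" * 20),          # ETH address replaced by another ETH address
    ("meeting at 10:00", "meeting at 10:00"),      # ordinary text, ignored
    ("ltc1" + "q" * 38, "0x" + "ef" * 20),         # LTC address replaced by a different chain's
]

def scan_events(events) -> list:
    # One (verdict, chain) alert per event that is neither intact nor plain text.
    alerts = []
    for copied, observed in events:
        result = detect_swap(copied, observed)
        if result["verdict"] in ("swapped", "altered"):
            alerts.append((result["verdict"], result["chain"]))
    return alerts
```

On a real host the (copied, observed) pairs would come from a clipboard-monitoring hook; reading the clipboard back after a delay longer than the clipper's two millisecond loop is what makes the substitution visible.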
To safeguard its operation, the Styx Stealer employs additional defenses when the crypto-clipper is enabled. These include anti-debugging and anti-analysis techniques, with checks performed only once when the stealer is launched. The malware includes a detailed list of processes associated with debugging and analysis tools and terminates them if detected.
Investigators also identified targeted industries and regions where credentials, Telegram chats, malware sales, and contact information were harvested. The attacks were traced to locations in Turkey, Spain and Nigeria—the latter being the base of Fucosreal. However, it remains unclear which locations are directly linked to the threat actor, though some online identities have been tracked.
Information security experts emphasize the importance of keeping Windows systems up-to-date, particularly for those who hold or trade cryptocurrency on their PCs. This new malware is typically spread through attachments in emails and messages and unsafe links, so PC users should remain vigilant and avoid clicking on suspicious content.