In the ever-evolving world of cybercrime, even the most skilled hackers are not immune to errors that can unravel their secret operations. This reality was recently highlighted when Check Point Research (CPR), a leading cybersecurity firm, uncovered crucial details about a new malware called Styx Stealer. This malware, which can steal browser data, cryptocurrency, and instant messenger sessions from platforms like Telegram and Discord, was traced back to a mistake made by its developer. This error provided CPR with a wealth of intelligence that helped expose not only the developer but also a global cybercrime network.
Styx Stealer is a new variant of an older malware called Phemedrone Stealer, which is notorious for exploiting a specific vulnerability in Microsoft Windows Defender SmartScreen. Like its predecessor, Styx Stealer is designed to steal sensitive information such as saved passwords, cookies, and cryptocurrency wallet data from browsers. However, it comes with additional capabilities that make it even more dangerous. For instance, Styx Stealer has a persistence mechanism that ensures it remains active on a victim’s computer even after a reboot. It also features a “crypto-clipper” function, which allows it to hijack cryptocurrency transactions by replacing the original wallet address with the attacker’s wallet address.
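The crypto-clipper behaviour described above has a simple defensive signature: a wallet address appears in the clipboard that the user never copied. The following added example (not Check Point Research's code and not code from Styx Stealer) models the clipboard as a constructed sequence of copy and paste events and flags exactly that condition; the address patterns and the sample addresses are assumptions made for the demonstration, not values from the report.

```python
"""Flag a crypto-clipper style clipboard swap: at paste time, the clipboard
holds a wallet address that differs from what the user last copied.

Added example for illustration only; it models the clipboard as a list of
constructed events instead of hooking the real OS clipboard.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rough shape of common address formats (assumed patterns, good enough to
# recognise "this looks like a wallet address", not to validate checksums).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class Finding:
    expected: str   # what the user actually copied
    found: str      # the address sitting in the clipboard at paste time
    kind: str       # address family of the swapped-in value


class ClipboardGuard:
    """Remembers the user's last copy; a paste of an address that nobody
    copied is reported, whatever the user had copied before."""

    def __init__(self) -> None:
        self.last_copied: Optional[str] = None

    def on_copy(self, text: str) -> None:
        self.last_copied = text.strip()

    def on_paste(self, clipboard_text: str) -> Optional[Finding]:
        kind = address_kind(clipboard_text)
        if kind is None:
            return None                      # not an address: nothing to guard
        current = clipboard_text.strip()
        if self.last_copied is not None and current == self.last_copied:
            return None                      # honest paste of the copied value
        return Finding(expected=self.last_copied or "", found=current, kind=kind)


def replay(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run a sequence of ("copy"|"paste", text) events through the guard."""
    guard = ClipboardGuard()
    findings = []
    for action, text in events:
        if action == "copy":
            guard.on_copy(text)
        elif action == "paste":
            finding = guard.on_paste(text)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample values: a user's own address, an attacker's address of the
# same family, and an attacker's Ethereum address. None of these are real.
VICTIM_BTC = "1UserWaLLetExampLeAAAAAAAAAAAAAAAA"
ATTACKER_BTC = "1AttackerWaLLetExampLeBBBBBBBBBBBB"
ATTACKER_ETH = "0x" + "cd" * 20

SAMPLE_EVENTS = [
    ("copy", VICTIM_BTC),                  # user copies their own address
    ("paste", VICTIM_BTC),                 # clipboard untouched: no finding
    ("copy", VICTIM_BTC),
    ("paste", ATTACKER_BTC),               # clipper swapped the address: finding
    ("copy", "meeting notes for Tuesday"),
    ("paste", ATTACKER_ETH),               # address nobody copied: finding
]

if __name__ == "__main__":
    for f in replay(SAMPLE_EVENTS):
        print(f"[{f.kind}] clipboard holds {f.found}, user copied {f.expected!r}")
```

A real deployment would hook clipboard change notifications and treat the wallet application's own "copy address" button as a copy event; the comparison logic stays the same. Checksum validation would not help here, since a clipper substitutes an address that is itself valid.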
Unlike Phemedrone Stealer, which is open-source and freely available, Styx Stealer is sold via subscription. Prices range from $75 for a monthly subscription to $350 for a lifetime license. Transactions are managed through the Telegram account @Styxencode, making it easy for cybercriminals to access and use this dangerous tool.
CPR’s investigation into Styx Stealer began when the team noticed an unusual document labeled “Styx Stealer” during their monitoring of a Telegram bot. This bot was linked to a hacker known as Fucosreal, who had previously been involved in a spam campaign distributing another malware called Agent Tesla. Agent Tesla is a remote access Trojan (RAT) that specializes in stealing sensitive information from infected computers.
Earlier, in March 2024, CPR had identified a spam campaign that used Agent Tesla malware to target companies around the world. The campaign primarily targeted businesses in China, India, the United Arab Emirates, and the Philippines. The affected companies spanned various industries, including diamond trading, metallurgy, glass manufacturing, and ocean freight shipping.
During their monitoring, CPR discovered that the Styx Stealer document included a screenshot from the developer’s computer, revealing sensitive information such as Telegram bot tokens and chat IDs. This leak allowed CPR to trace the source of the malware back to the developer, known online as Sty1x. Further investigation revealed that Sty1x had been communicating with Fucosreal and other cybercriminals, exposing a network of illegal activities.
The big break in CPR’s investigation came when the Styx Stealer developer made a critical mistake during the debugging process. While testing the malware on his own computer, the developer accidentally leaked data that provided CPR with valuable insights into his operations. The leaked information included details about the number of clients, profit information, nicknames, phone numbers, and email addresses. CPR was even able to determine the developer’s approximate location in Turkey, as well as his movements over a certain period.
Through this leaked data, CPR identified two Telegram accounts used by the developer (@styxencode and @cobrasupports), as well as several cryptocurrency wallets that had received payments from Styx Stealer sales. In just two months, the developer had earned about $9,500 from his illicit activities.
CPR’s research revealed that the developer of Styx Stealer and the hacker behind the Agent Tesla campaign, Fucosreal, were working together. Their collaboration began when Fucosreal provided the developer with a Telegram bot token to integrate into Styx Stealer, allowing stolen data to be exfiltrated through Telegram.
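Exfiltration through a Telegram bot, as described above, leaves a recognisable trail in outbound proxy logs: requests to api.telegram.org whose path carries the bot token followed by a send method and a chat_id. The following added example (not Check Point Research's tooling and not code from Styx Stealer) scans constructed proxy log lines for that pattern; the log format, the token shapes and every address in the sample are assumptions made for the demonstration.

```python
"""Flag stealer exfiltration through the Telegram Bot API in web-proxy logs.

Added example only. The log format (timestamp, client IP, HTTP method, URL) is
a constructed one; adapt LOG_LINE_RE to your proxy's real format.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# A token is "<numeric bot id>:<secret>". Only the bot id is kept in alerts so
# the secret is not copied into tickets or SIEM dashboards.
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<api_method>\w+)"
)
CHAT_ID_RE = re.compile(r"[?&]chat_id=(?P<chat_id>-?\d+)")
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<http>[A-Z]+)\s+(?P<url>\S+)")

# Methods that push data into a chat, i.e. what a stealer needs to deliver its
# loot. Other methods (getMe, getUpdates, ...) are still reported at low
# severity so an analyst sees which workstations talk to the Bot API at all.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}


@dataclass
class Alert:
    ts: str
    src: str
    bot_id: str
    api_method: str
    chat_id: Optional[str]
    severity: str


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert if the log line is a Telegram Bot API call, else None."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    u = BOT_URL_RE.search(url)
    if not u:
        return None
    c = CHAT_ID_RE.search(url)
    api_method = u.group("api_method")
    return Alert(
        ts=m.group("ts"),
        src=m.group("src"),
        bot_id=u.group("bot_id"),
        api_method=api_method,
        chat_id=c.group("chat_id") if c else None,
        severity="high" if api_method in EXFIL_METHODS else "low",
    )


def scan(lines: Iterable[str]) -> List[Alert]:
    """Scan log lines and return every Bot API call found."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def hosts_by_bot(alerts: Iterable[Alert]) -> Dict[str, Set[str]]:
    """Map bot id -> internal hosts that used it, the pivot for scoping."""
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        out.setdefault(a.bot_id, set()).add(a.src)
    return out


# Constructed sample log: one workstation pushes a document and a message to a
# bot-controlled chat; another only polls getUpdates.
SAMPLE_LOG = """\
2024-04-17T09:12:01Z 10.0.5.23 GET https://www.example.com/index.html
2024-04-17T09:12:07Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAExampleTokenSecretPartXXXXXXXXXXXXXXXXXXXX/sendDocument?chat_id=987654321
2024-04-17T09:12:09Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAExampleTokenSecretPartXXXXXXXXXXXXXXXXXXXX/sendMessage?chat_id=987654321
2024-04-17T09:15:44Z 10.0.7.8 GET https://api.telegram.org/bot555000111:BBOtherExampleTokenXXXXXXXXXXXXXXXXXXXXXXXXX/getUpdates
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:4} {a.ts} {a.src} bot={a.bot_id} {a.api_method} chat={a.chat_id}")
```

Because the traffic is TLS to a legitimate service, this only works where the proxy records full URLs (TLS inspection or an explicit proxy); with DNS or SNI data alone, the fallback is to alert on any workstation resolving api.telegram.org that has no business reason to.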
On April 11, 2024, the Styx Stealer developer created a new bot for testing purposes, and by April 14, the two hackers were actively exchanging information and preparing for another round of attacks. However, CPR’s monitoring efforts paid off when they intercepted an archive containing data from the developer’s computer. This archive revealed additional details about the developer’s location, communication with customers, and the identity of other cybercriminals involved in the operation.
CPR intensified its monitoring efforts and soon intercepted another archive, this time containing data from Fucosreal’s computer. This information helped CPR to further unmask the hacker, revealing his approximate location in Nigeria, along with his email addresses and other details that made it easier to identify him.
Despite their extensive preparations, the hackers’ plans ultimately fell apart. On April 17, 2024, Fucosreal launched a spam campaign using the Styx Stealer malware. However, the campaign was a complete failure, as CPR’s proactive measures ensured that not a single real victim was affected.