Aug 21, 2024 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence
In a striking operational security (OPSEC) failure, the operator of Styx Stealer, a new information-stealing malware, leaked sensitive data from their own computer: client details, profit figures, nicknames, phone numbers, and email addresses.
Styx Stealer, a variant of Phemedrone Stealer, is built to extract browser data, instant-messenger sessions from platforms such as Telegram and Discord, and cryptocurrency wallet information, according to an analysis by cybersecurity company Check Point. The malware first surfaced in April 2024.
“Styx Stealer appears to be a modified version of an older edition of Phemedrone Stealer, lacking features present in newer versions, such as report encryption and more,” Check Point explained.
Styx Stealer is sold for $75 a month, $230 for three months, or $350 for a lifetime license on its dedicated website, "styxcrypter.com." Prospective buyers are directed to a Telegram account (@styxencode) tied to a Turkey-based threat actor known in cybercrime circles as STY1X.
Check Point’s investigation uncovered ties between STY1X and a spam campaign originating in March 2024. The campaign distributed Agent Tesla malware targeting sectors in China, India, the Philippines, and the U.A.E. The activity was linked to a threat actor named Fucosreal, possibly based in Nigeria.
STY1X made the mistake of debugging the stealer on their own machine using a Telegram bot token supplied by Fucosreal, so the stealer exfiltrated data from STY1X's own computer to that bot. The slip allowed Check Point to identify 54 customers and eight cryptocurrency wallets, likely owned by STY1X, that were used to receive payments.
“Unlike traditional command-and-control servers, the campaign utilized Telegram’s infrastructure for data exfiltration, which is less detectable but not without a flaw. Decrypting the malware revealed all data sent via the bot, essentially exposing the recipient account,” Check Point highlighted.

Amid the rise of new data-stealing malware variants like Ailurophile, Banshee Stealer, and QWERTY, well-known stealers like RedLine are being employed in phishing operations targeting various industries.
“RedLine remains popular for swiping login credentials, credit card details, browser history, and cryptocurrency wallets, and is actively utilized by several threat groups globally,” said Symantec, now owned by Broadcom. “Once installed, it collects data and sends it to a remote server or Telegram channel controlled by the attackers.”
