Styx Stealer Developer’s Security Oversight Failure Exposes Client Roster and Revenue Information

Aug 21, 2024Ravie LakshmananCyber Espionage / Threat Intelligence


In an operational security (OPSEC) lapse, the developer behind a recently discovered information stealer called Styx Stealer leaked data from their own computer, exposing details about clients, profits, nicknames, phone numbers, and email addresses.

Styx Stealer, a derivative of Phemedrone Stealer, can steal browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency wallet data, according to an analysis by cybersecurity company Check Point. The malware first appeared in April 2024.

“Styx Stealer is most likely built upon the foundation of an earlier version of Phemedrone Stealer, which lacks various functionalities present in newer editions such as the capability to dispatch reports to Telegram, report encryption, and others,” the organization pointed out.


“Nevertheless, the Styx Stealer architect included fresh features: automatic startup, clipboard observer and crypto-clipping functionality, additional evasion of sandbox detection, and tactics for thwarting analysis, and restored the sending of data to Telegram.”

Sold for $75 a month (or $230 for three months, or $350 for a lifetime subscription) on a dedicated website ("styxcrypter[.]com"), licenses for the malware require prospective buyers to contact a Telegram account (@styxencode). The operation is attributed to a Turkey-based threat actor who uses the handle STY1X on cybercrime forums.

Check Point said it was able to connect STY1X to a March 2024 spam campaign distributing the Agent Tesla malware, which targeted several sectors in China, India, the Philippines, and the U.A.E. The Agent Tesla campaign has been attributed to a threat actor known as Fucosreal, who is believed to be based in Nigeria.

The link was uncovered because STY1X debugged the stealer on their own machine using a Telegram bot token supplied by Fucosreal. The mistake allowed the cybersecurity company to identify about 54 customers and eight cryptocurrency wallets, likely belonging to STY1X, that were used to receive payments.

“This campaign stood out due to the exploitation of the Telegram Bot API for data exfiltration, leveraging Telegram’s infrastructure instead of conventional command-and-control (C&C) servers, which are more prone to detection and blocking,” Check Point highlighted.

“Nevertheless, this approach has a critical downside: each malware specimen needs to include a bot token for authentication. Deciphering the malware to retrieve this token grants access to all data transmitted via the bot, thereby revealing the recipient account.”
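The weakness Check Point describes is also what makes this exfiltration channel easy to detect on the defender's side: every sample, and every outbound request it makes, carries a URL of the form `api.telegram.org/bot<token>/<method>`. The following added example (not from the article or from Check Point) scans text lines such as proxy logs or `strings` output from a sample for that pattern, flags the methods used to push data out, and redacts the secret half of the token so the indicator can go into a report without re-exposing it. The token shape assumed here (numeric bot id, colon, 35 characters of `[A-Za-z0-9_-]`) is the publicly documented Telegram format; the sample lines and the token in them are constructed for this example.

```python
"""
Added example: detect and redact Telegram Bot API exfiltration indicators
in log or strings output. Not code from the article or from Check Point.

Assumption: Telegram bot tokens look like
"<bot_id digits>:<35 chars of [A-Za-z0-9_-]>".
"""
import re
from dataclasses import dataclass

# Matches "api.telegram.org/bot<token>/<method>" as embedded in stealer
# binaries or seen in outbound HTTPS proxy logs (host + path).
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Bot API methods a stealer typically uses to push collected data or reports.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


@dataclass(frozen=True)
class TelegramIndicator:
    bot_id: str           # public half of the token; identifies the channel
    redacted_token: str   # secret half masked, e.g. "1234567890:AAHk****..."
    method: str           # Bot API method called
    line_no: int          # 1-based line in the scanned input
    exfil: bool           # True when the method sends data out of the host


def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot id and the first 4 secret chars, mask the rest."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def find_telegram_indicators(lines):
    """Return one TelegramIndicator per Bot API URL found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in TELEGRAM_BOT_RE.finditer(line):
            hits.append(TelegramIndicator(
                bot_id=m.group("bot_id"),
                redacted_token=redact_token(m.group("bot_id"), m.group("secret")),
                method=m.group("method"),
                line_no=n,
                exfil=m.group("method") in EXFIL_METHODS,
            ))
    return hits


def exfil_bot_ids(lines):
    """Bot ids that were used with a data-sending method (report-safe set)."""
    return {h.bot_id for h in find_telegram_indicators(lines) if h.exfil}


# Constructed sample input: two `strings` lines from a hypothetical sample
# followed by two proxy log lines. The token is made up but has the right shape.
SAMPLE_LINES = [
    "https://api.telegram.org/bot1234567890:AAHkqzX9bT3wQ2yL8mN0pRsU5vXyZ1234ab/sendDocument",
    "https://api.telegram.org/bot1234567890:AAHkqzX9bT3wQ2yL8mN0pRsU5vXyZ1234ab/getMe",
    "2024-08-21T10:15:02Z host=10.0.0.7 GET https://api.telegram.org/bot1234567890:AAHkqzX9bT3wQ2yL8mN0pRsU5vXyZ1234ab/sendDocument 200",
    "2024-08-21T10:15:03Z host=10.0.0.7 GET https://update.example.test/check 304",
]

if __name__ == "__main__":
    for hit in find_telegram_indicators(SAMPLE_LINES):
        flag = "EXFIL" if hit.exfil else "info"
        print(f"line {hit.line_no}: [{flag}] bot {hit.redacted_token} -> {hit.method}")
    print("bot ids used for exfiltration:", sorted(exfil_bot_ids(SAMPLE_LINES)))
```

In a proxy or egress log the host `api.telegram.org` alone is not a strong signal, since legitimate Telegram clients use it too; the `/bot<token>/send*` path from a host that has no business running a bot is what narrows it down. Keeping the bot id while masking the secret lets analysts correlate samples from the same operator without circulating a credential.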


The disclosure coincides with the emergence of new stealer malware families such as Ailurophile, Banshee Stealer, and QWERTY, even as established stealers like RedLine are being used in phishing campaigns targeting Vietnamese organizations in the oil and gas, manufacturing, electric, HVAC, paint, chemical, and hospitality sectors.

“RedLine is a prominent data stealer focusing on login credentials, credit card specifics, web browsing background, and even digital currency wallets,” Broadcom-owned Symantec said. “It is actively utilized by multiple factions and individuals globally.”

“Following installation, it collects information from the victim’s system and transfers it to a remote server or Telegram channel under the control of the attackers.”
