A new malware strain known as Styx Stealer has recently emerged, posing a significant threat to online security. Discovered in April 2024, Styx Stealer primarily targets popular browsers based on the Chromium and Gecko engines, such as Chrome and Firefox. The malware is designed to pilfer a wide range of sensitive information from these browsers, including saved passwords, cookies, auto-fill data (which may include credit card details), cryptocurrency wallet information, system data like hardware specifics, external IP addresses, and even screenshots.
The implications of such a broad data theft capability are alarming, as the stolen information could be used for identity theft, financial fraud, or even more targeted cyberattacks.
Styx Stealer doesn’t stop at browsers. It also targets widely used instant messaging applications like Telegram and Discord. By compromising these platforms, the malware can gain access to users’ chats, potentially exposing sensitive conversations. This further exacerbates the threat, as the attackers could exploit this data to compromise the victim’s online identity or carry out social engineering attacks.
The origins of Styx Stealer trace back to a Turkish cybercriminal who operates under the alias “Sty1x.” The malware is sold through Telegram or a dedicated website, with prices ranging from $75 per month to $350 for unlimited access.
Interestingly, the malware’s discovery was aided by a critical mistake made by its developer. During the debugging process, the developer failed to implement proper operational security (OpSec) measures, inadvertently leaking sensitive data from their own computer to security researchers. This blunder not only exposed details about Styx Stealer’s capabilities and targets but also revealed the developer’s earnings and their connection to another notorious malware strain, Agent Tesla.
Further forensic analysis uncovered a link between Sty1x and a Nigerian threat actor known by aliases such as Fucosreal and Mack_Sant. This individual had previously been involved in a campaign using Agent Tesla malware to target Chinese firms in various sectors.
The connection between these two cybercriminals suggests potential collaboration, making Styx Stealer an even more formidable threat.
Styx Stealer appears to be a derivative of the Phemedrone Stealer malware, inheriting its core functionality while adding enhancements such as auto-start (persistence so the stealer runs again after a reboot) and crypto-clipping (silently replacing a cryptocurrency wallet address copied to the clipboard with one controlled by the attacker). These additions make Styx Stealer more dangerous, increasing its potential to cause significant financial harm to its victims.
The discovery of Styx Stealer highlights the ongoing evolution of cyber threats. Although the leak by the developer has likely disrupted Styx Stealer’s initial operations, it’s crucial to remain vigilant as cybercriminals adapt quickly.