Research | Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
August 2024 by Check Point®
– A Stealer’s Victimization: The new Styx Stealer malware, derived from the infamous Phemedrone Stealer, poses significant threats by stealing browser data, instant messenger sessions, and cryptocurrency from victims. Potential targets span multiple industries worldwide. CPR identified 54 customers and eight cryptocurrency wallets associated with Sty1x.
– Ingenious Tracking: Check Point Research (CPR) meticulously monitored and unmasked the hacker behind Styx Stealer and the hacker behind one of the Agent Tesla malware campaigns by intercepting critical data leaks from the hacker’s debugging process. This revealed the connection between the hackers, their identities, and their locations.
– Operational Security Lapse: A fatal error by the Styx Stealer developer during debugging leaked sensitive information, enabling CPR to gather intelligence, including client details, nicknames, phone numbers, and email addresses linked to a Styx Stealer selling campaign.
Unmasking Styx Stealer and Agent Tesla: Connecting the Dots
In March 2024, CPR identified a spam campaign by the threat actor Fucosreal, utilizing Agent Tesla malware to target global victims. CPR’s investigation revealed that the attacker primarily targeted Chinese companies, with additional victims in India, the UAE, and the Philippines across various industries, including diamond, metallurgical, glass manufacturing, environmentally friendly packaging, ocean freight shipping, wallpaper manufacturing, and aluminum sectors.
CPR extracted the Telegram bot token used for data exfiltration by decrypting the malware’s configuration. This allowed our researchers to monitor the bot and gather crucial information about the victims and the hacker’s operations.
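Because Agent Tesla’s exfiltration here ran through the Telegram Bot API, the bot token appears in plain sight in every upload URL (`api.telegram.org/bot<token>/<method>`). The following is an added example, not CPR’s tooling, showing how a defender can flag such traffic in outbound proxy logs while keeping the token redacted; the log lines and the simple `timestamp host method url` layout are constructed for the example.

```python
import re

# Constructed proxy log lines (not from the report), layout: timestamp host method url.
SAMPLE_LOGS = [
    "2024-04-11T09:12:03Z ws-17 POST https://api.telegram.org/bot1234567890:AAHfakeTokenValueForExample/sendDocument",
    "2024-04-11T09:12:05Z ws-17 GET https://www.example.com/index.html",
    "2024-04-11T09:13:44Z ws-22 GET https://api.telegram.org/bot9876543210:AAEanotherFakeToken/getUpdates",
    "2024-04-11T09:14:10Z ws-03 GET https://web.telegram.org/",
]

# Bot API URLs embed the token directly in the path: /bot<id>:<secret>/<method>.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Methods that push data out of the network via a bot (high severity);
# anything else on the Bot API is still worth a look (medium severity).
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def redact_token(token):
    """Keep the bot id and a short prefix of the secret so hits can be correlated without leaking it."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:3]}...REDACTED"


def scan_line(line):
    """Return a finding dict for a Bot API request, or None for unrelated traffic."""
    m = BOT_API_RE.search(line)
    if not m:
        return None
    host = line.split()[1]
    method = m.group("method")
    return {
        "host": host,
        "method": method,
        "token": redact_token(m.group("token")),
        "severity": "high" if method in UPLOAD_METHODS else "medium",
    }


def scan_logs(lines):
    """Scan every line and keep only the Bot API findings, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Ordinary browsing of web.telegram.org is deliberately not matched, so the rule keys on the Bot API path rather than on the Telegram domain as a whole.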
On April 11, 2024, a pivotal moment occurred when Sty1x, the developer behind Styx Stealer, and Fucosreal discussed incorporating a Telegram data-sending function into Styx Stealer. Subsequently, CPR intercepted an archive containing data from Styx Stealer’s debugging process, revealing Sty1x’s location in Turkey, phone numbers, and communication with Fucosreal.
Further monitoring led to another data interception from Fucosreal’s computer on April 16, 2024, unveiling his location in Nigeria and other identifying information. This intelligence enabled CPR to trace the hackers’ activities and connect them to previous malicious campaigns, effectively unmasking them.
Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager, Check Point Research:
“The case of Styx Stealer is a prime example of a potentially disruptive operation that affects high-profile industries such as manufacturing, metallurgy, and freight shipping. Such disruptions may incur significant financial losses for the affected companies and critical data leaks that inflict additional reputational damages. Therefore, utilizing the latest comprehensive cybersecurity solutions to protect businesses from such threats is crucial.”