A newly discovered malware known as Styx Stealer is making waves in the cybersecurity world, targeting cryptocurrency transactions on Windows-based computers. Identified by cybersecurity firm Check Point Research, Styx Stealer is an evolved version of the earlier Phemedrone Stealer, which first gained attention in early 2024. Unlike its predecessor, which primarily focused on web browsers, Styx Stealer incorporates a crypto-clipping mechanism, making it even more dangerous.
Phemedrone Stealer was designed to hijack cryptocurrency from wallets and extract sensitive data such as private keys and browser information. It exploited a vulnerability in Windows Defender's SmartScreen feature, allowing it to bypass the system's antivirus protections. While the original vulnerability has since been patched, Styx Stealer continues to pose a threat by exploiting the same vulnerability, with new capabilities that make it more potent.
Styx Stealer’s crypto-clipping feature is particularly alarming. The malware monitors the clipboard for cryptocurrency wallet addresses and then replaces them with addresses controlled by the attacker, effectively diverting funds during transactions. This method, previously used by the Phorpiex botnet, allows cybercriminals to intercept and steal cryptocurrency during the transfer process.
Check Point Research revealed that Styx Stealer can recognize wallet addresses across nine major blockchains, including Bitcoin, Ethereum, Monero, Ripple, Litecoin, Bitcoin Cash, Stellar, Dash, and Neo. The malware targets Chromium- and Gecko-based browsers, as well as data from browser extensions, Telegram, and Discord, making it a versatile threat.
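The clipper behaviour described above, recognizing wallet addresses on the clipboard and replacing them with look-alike addresses of the same chain, can be turned into a defender-side heuristic: alert when the clipboard changes to a different address of the same chain the user last copied, with no user copy action in between. This is an added example, not code from the article or from Check Point Research; the address patterns are simplified (no checksum validation, five of the nine chains) and the event log is constructed.

```python
import re

# Simplified address patterns for five of the chains the article names.
# Constructed for illustration only: real validation also verifies checksums,
# and Litecoin's "3..." P2SH form is omitted because it overlaps Bitcoin.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(ltc1[02-9ac-hj-np-z]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "monero":   re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "ripple":   re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
}

def classify(text):
    """Return the chain whose address format `text` matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

def detect_clipping(events):
    """Events are (t, kind, text) tuples: kind "copy" means a user copy action
    was observed, "poll" means the clipboard was sampled. Flag polls where the
    clipboard holds a *different* address of the same chain as the last copied
    one, with no intervening copy: the signature of a clipper swapping the
    destination. Returns one (t, copied, found, chain) tuple per swap."""
    alerts = []
    last_copied = None
    for t, kind, text in events:
        if kind == "copy":
            last_copied = text
            continue
        if last_copied is None or text == last_copied:
            continue
        expected = classify(last_copied)
        if expected is not None and classify(text) == expected:
            alerts.append((t, last_copied, text, expected))
            last_copied = text  # report each swap once
    return alerts

# Constructed event log: a Bitcoin address is copied, a later poll shows a
# different Bitcoin address (swap), then an Ethereum copy followed by plain text.
EVENTS = [
    (0.0, "copy", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (0.5, "poll", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (1.0, "poll", "1AnotherBase58AddrDemoXXXXXXXXXXXX"),
    (5.0, "copy", "0xabcdef0123456789abcdef0123456789abcdef01"),
    (5.5, "poll", "meeting notes"),
]
```

Only the third event is flagged: the clipboard changed to another Bitcoin-format address without a user copy, while the later change to non-address text is ignored.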
Styx Stealer is designed with a user-friendly graphical interface and an autorun feature, making it easy for cybercriminals to customize and deploy. It also includes basic anti-analysis techniques, such as terminating processes associated with debugging tools and detecting virtual machine environments. If a virtual machine is detected, the malware self-destructs to avoid detection.
The distribution and sales of Styx Stealer are conducted manually via the Telegram account @styxencode and the styxcrypter[.]com website. The malware has been advertised through various channels, including YouTube videos, and is available for purchase with pricing options ranging from $75 for a monthly license to $350 for lifetime access. Unlike its predecessor, which was free, Styx Stealer has already generated approximately $9,500 in cryptocurrency payments from at least 54 buyers.
While the full extent of the damage caused by Styx Stealer is not yet known, the malware’s emergence highlights the growing threat of crypto-stealing malware. Similar threats have been identified on other platforms, such as Apple’s macOS, where malware was found replacing legitimate cryptocurrency wallets with altered versions.
As the cryptocurrency sector continues to expand, the profitability of hacks and thefts remains high. Despite this, some notorious threat actors have recently ceased operations. Angel Drainer, a drainer-as-a-service malware responsible for over $25 million in thefts, shut down last month, while the multi-chain crypto scam service Inferno Drainer halted its services in November.
The rise of sophisticated malware like Styx Stealer underscores the ongoing challenges in securing digital assets, particularly as cybercriminals continue to evolve their tactics.
Powered by Crypto Expert BD