An alarming report from Check Point Research, published and detailed for the first time here on Forbes, warns that a new attack by a known threat actor is now underway. Aimed at Windows users, this new malware steals everything it can find, including browser cookies, saved credentials and instant messages. The underlying malware has been seen before, but this new version has been extended to drain crypto wallets as well.
The malware is an adaptation of the Phemedrone Stealer that made headlines earlier this year. By exploiting a vulnerability in Windows Defender SmartScreen, the malware can run scripts on a PC without triggering the security warnings that would normally appear.
Microsoft patched CVE-2023-36025 last year, and users can protect themselves by keeping their operating system up to date. But as millions of Windows 10 users count down the months until support ends in October 2025, many of them don't. If you don't have a device that can upgrade to Windows 11, or the cash to buy a new PC, these long-lived vulnerabilities are about to become a much more serious problem.
Check Point says that this new malware variant, dubbed Styx Stealer, "is connected to one of Agent Tesla's threat actors, Fucosreal." Agent Tesla is a Windows RAT that is usually delivered as Malware-as-a-Service (MaaS). Once a PC has been infected, further malicious software can be installed, leading to ransomware attacks.
Styx Stealer can be rented for $75 per month; a lifetime license costs just $350. Check Point told me that "the site promoting Styx Stealer is still active and anyone can buy it. . . It is also noted that the author of Styx Stealer is active on Telegram, replying to messages. The author is also running a second product, Styx Crypter, which allows him to bypass antivirus protection. As a result, Styx Stealer continues to pose a potential risk to many users worldwide."
Although Styx Stealer exploits a Windows vulnerability to infect a PC, it also abuses other security weaknesses, including stealing session cookies, which let an attacker replay an authenticated session from their own machine. The main target of this theft is Google Chrome, given the scale of its installed base. Google is now closing this gap by binding session cookies to a specific device ID. More powerfully still, Google is also preventing a bad actor from using a cookie lifted by malware (or by another user) on the same machine: on Windows, Chrome now encrypts cookies with a key tied to the Chrome application itself rather than to the logged-in user account, so a process merely running as that user can no longer decrypt them the way it could when cookies were protected only by user-level encryption.
But it's not just Chrome that's threatened: Check Point says Styx Stealer targets all Chromium-based browsers, including Edge, Opera and Yandex, as well as Gecko-based alternatives, including Firefox, Tor Browser and SeaMonkey.
Cryptocurrency-Stealing Malware for Sale
This new malware includes some new and stealthy elements when it comes to cryptocurrency theft. Check Point told me that "the crypto-clipper for crypto theft is a new feature absent in Phemedrone Stealer, [which] works autonomously without a C&C server."
The new features make the malware far more capable of stealing cryptocurrency quietly in the background. "In an endless loop over a configurable set period (two milliseconds by default)," Check Point explains, "Styx Stealer checks the contents of the clipboard. If it has changed, it triggers the crypto-clipper function. . . hijacking cryptocurrency transactions by replacing the original wallet address with the attacker's wallet address. . . The crypto-clipper includes nine regular expression patterns for addresses on various blockchains: BTC, ETH, XMR, XLM, XRP, LTC, NEC, BCH, DASH."
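The clipboard-swapping step described above, as an added example that is neither Check Point's code nor Styx Stealer's: my own Python approximation of a crypto-clipper's match-and-replace logic, with a defender-side check beside it. It assumes nothing about the real stealer's regexes (the patterns below are my rough per-chain approximations, and NEC is omitted because the page does not say which address format that label covers), it never touches the real clipboard (it works on a constructed string), and the wallet addresses are constructed, not real.

```python
import re
from typing import Dict, List, Optional, Tuple

# Per-chain address patterns. These are my own approximations of the kind of
# regexes a clipper carries, NOT Styx Stealer's. Clippers are deliberately
# loose: a false match just means swapping text that was not an address.
ADDRESS_PATTERNS = {
    "BTC":  re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
                       r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,58})\b"),
    "ETH":  re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "XMR":  re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "XLM":  re.compile(r"\bG[A-Z2-7]{55}\b"),
    "XRP":  re.compile(r"\br[1-9A-HJ-NP-Za-km-z]{24,34}\b"),
    "LTC":  re.compile(r"\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}"
                       r"|ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,58})\b"),
    "BCH":  re.compile(r"\b(?:bitcoincash:)?[qp][a-z0-9]{41}\b"),
    "DASH": re.compile(r"\bX[1-9A-HJ-NP-Za-km-z]{33}\b"),
}


def classify(token: str) -> Optional[str]:
    """Return the chain whose pattern matches the whole token, else None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(token):
            return chain
    return None


def clip(text: str, attacker_wallets: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Rewrite `text` the way a clipper does once it sees the clipboard change:
    every address of a chain the attacker holds a wallet for is replaced by
    that wallet. Returns the rewritten text and the (chain, original) swaps.
    The real stealer's 2 ms polling loop is left out; this is the body of it."""
    swaps: List[Tuple[str, str]] = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_wallets.get(chain)
        if replacement is None:
            continue

        def _swap(match, _chain=chain, _new=replacement):
            swaps.append((_chain, match.group(0)))
            return _new

        text = pattern.sub(_swap, text)
    return text, swaps


def detect_swap(copied: str, pasted: str) -> Optional[str]:
    """Defender-side check a wallet app or browser extension can make: the
    user copied `copied`; `pasted` is what the clipboard delivers at paste
    time. Two different addresses of the same chain means the clipboard was
    hijacked; returns that chain, or None when nothing looks wrong."""
    copied, pasted = copied.strip(), pasted.strip()
    chain = classify(copied)
    if chain is not None and pasted != copied and classify(pasted) == chain:
        return chain
    return None


# Constructed sample data (synthetic addresses, not real wallets).
VICTIM_BTC = "1Kj7B9HfYG5vEr2Xu3CcAa4Dd8Mm6NnPpQ"
VICTIM_ETH = "0xab12cd34ef56ab12cd34ef56ab12cd34ef56ab12"
ATTACKER_WALLETS = {
    "BTC": "3Fz8Rr2WwVv5TtSs4HhGg7JjKk9MmNnPpa",
    "ETH": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}
SAMPLE_CLIPBOARD = f"Pay 0.5 BTC to {VICTIM_BTC} or ETH to {VICTIM_ETH}"

if __name__ == "__main__":
    rewritten, swaps = clip(SAMPLE_CLIPBOARD, ATTACKER_WALLETS)
    print(rewritten)
    for chain, original in swaps:
        print(f"{chain}: {original} -> {ATTACKER_WALLETS[chain]}")
    print("hijack detected:", detect_swap(VICTIM_BTC, ATTACKER_WALLETS["BTC"]))
```

The point of `detect_swap` is that the clipper only ever replaces like with like, so the cheapest countermeasure is to remember what the user actually copied and refuse a paste that is a different address of the same chain. Wallet software that asks the user to confirm the first and last characters of a pasted address is doing the same check by hand.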
While stealing cryptocurrency, the malware applies additional defenses to protect its ongoing operation. "If the crypto-clipper is enabled in the configuration, Styx Stealer applies additional anti-analysis and anti-debugging techniques. All checks are performed only once, after the stealer is started. The stealer includes a complete list of process names related to debuggers and analysis software, finds those processes and terminates them."
As clever as the malware is, its developer made a mistake, allowing Check Point to identify a link to the known threat actor behind Agent Tesla. "While debugging Styx Stealer," the team explains, "the developer made a fatal mistake and leaked data from his computer, which allowed CPR to download a large amount of data, including the number of customers, profit information, nicknames, phone numbers and email addresses, as well as similar insights about the Agent Tesla threat actor."
Check Point's investigation also identified target industries and geographies, with the attacker harvesting credentials as well as Telegram chats, malware sales and contact information in Turkey, Spain and Nigeria, the latter being the home of Fucosreal. It remains unclear which locations link back to the threat actor itself, although online identities were tracked down. All the threads pulled and breadcrumbs followed by Check Point are laid out in detail in its report, including an analysis of the choreography of a Styx Stealer sale and the support that followed it.
"In the murky world of cybercrime," says Check Point, "even the most cunning hackers can make mistakes that expose their operations. . . The attacks we detected were intercepted from the beginning through Check Point's Threat Emulation, preventing Styx Stealer from being loaded onto customer computers. Unfortunately, we do not have complete visibility into how many users are being attacked around the world."
Check Point's message is clear. Keep Windows up to date, especially if you have a crypto wallet or any form of cryptocurrency on your PC. This new malware is distributed through malicious links and attachments in emails and messages, so the same old rules apply: ignore all those temptations.