Microsoft Windows Warning: New ‘Malevolent’ Threat Steals Bitcoin, Ethereum and Crypto from Users

An alarming report from Check Point Research, published and detailed for the first time here at Forbes, warns that a new and nasty attack from a known threat actor is already underway. Targeting Windows users, this new “malevolent” malware will steal as much as it can find, including browser cookies, security credentials and instant messages. The underlying malware has been seen before, but this latest version has moved on to emptying crypto wallets.

The malware is an adaptation of the Phemedrone Stealer that made headlines earlier this year. By exploiting a vulnerability in Microsoft Windows Defender, the software executes scripts on PCs that would otherwise trigger security warnings.

Microsoft patched CVE-2023-36025 last year, and users can protect themselves by making sure their operating system is up to date. But while millions of Windows 10 users are counting down the weeks until its end of support in October 2025, many of them don’t have a device capable of upgrading. Without a path to Windows 11 or the cash to buy a new PC, these exploits are about to become a much bigger problem.

Check Point says that this new malware variant, dubbed Styx Stealer, “is connected to one of Agent Tesla’s threat actors, Fucosreal.” Agent Tesla is a Windows RAT that is usually delivered as Malware-as-a-Service (MaaS). Once a PC has been infected, further malicious software can be installed, leading to ransomware attacks.

Styx Stealer is available to rent for $75 per month, and a lifetime license costs just $350. Check Point told me that “the site promoting Styx Stealer is still active and anyone can purchase it… We also observe that the author of Styx Stealer is active on Telegram, responding to messages. The author is also currently selling another product, Styx Crypter, which is meant to bypass antivirus protection. As a result, Styx Stealer continues to pose a potential risk to many users around the world.”

Although Styx Stealer exploits a Windows vulnerability to infect a PC, it also exploits other security weaknesses, including stealing session cookies that allow a malicious actor to replicate a secure session on their own machine. The main target of these thefts is Google Chrome, given the scale of its installed base. Google is now closing off this weakness by binding session cookies to a specific device ID. More powerfully still, Google also prevents a bad actor from exploiting a cookie bound to a device through a malicious login enabled via malware (or even another physical user) on the same machine, by encrypting the cookie’s data and binding it to specific applications, rather than releasing it whenever the primary user is signed in to some other app.

But it’s not just Chrome that’s threatened: Check Point says Styx Stealer targets all Chromium-based browsers, including Edge, Opera and Yandex, as well as Gecko-based alternatives including Firefox, Tor Browser and SeaMonkey.

Malware that steals cryptocurrency for sale

This newer malware includes some new and sneaky features when it comes to cryptocurrency theft. Check Point told me that “stealing cryptocurrency through crypto-clipping is a new feature that is missing from Phemedrone Stealer, [which] operates autonomously without a C2 server.”

The new features added to the malware make it much more adept at stealing cryptocurrency silently in the background. “In an endless loop over a configurable period (two milliseconds by default),” Check Point explains, “Styx Stealer checks the contents of the clipboard. If it has changed, the crypto-clipper feature is activated. . . . It steals cryptocurrency transactions by replacing the original wallet address with the attacker’s wallet address. . . The crypto-clipper includes nine regular expression patterns for transactions on various blockchains: BTC, ETH, XMR, XLM, XRP, LTC, NEC, BCH, DASH.”
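A defender-side counterpart to the clipper loop just described, added here as an example (it is not Check Point’s or the stealer’s code): it replays a recorded clipboard timeline and flags a crypto address that is silently swapped for a different address of the same coin within a few milliseconds, which is the clipper’s signature and something a human re-copying an address never does. The address regexes and the clipboard events are constructed approximations for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Address-format patterns (constructed approximations for this example;
# the stealer's own nine patterns are not reproduced here).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{25,59})$"),
}

def classify(text: str) -> Optional[str]:
    """Return the coin whose address format the clipboard text matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

@dataclass
class ClipboardEvent:
    ts_ms: int      # time the clipboard contents were observed
    content: str    # clipboard text at that time

def detect_clipper(events, window_ms: int = 500):
    """Flag clipboard updates where an address is replaced by a different
    address of the same coin within window_ms. A user re-copying takes seconds;
    a clipper polling every few milliseconds rewrites almost instantly."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.content)
        if (kind is not None and classify(cur.content) == kind
                and prev.content != cur.content
                and cur.ts_ms - prev.ts_ms <= window_ms):
            alerts.append((cur.ts_ms, kind, prev.content, cur.content))
    return alerts

# Constructed clipboard timeline: the BTC address the user copied is
# overwritten 3 ms later; the ETH copy and the plain-text copies are benign.
SAMPLE_EVENTS = [
    ClipboardEvent(1000, "meeting notes"),
    ClipboardEvent(4000, "1UserWa11etAddrForTestingPurposes9"),
    ClipboardEvent(4003, "1AttackerWa11etSwappedByC1ipperXYZ"),
    ClipboardEvent(9000, "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
    ClipboardEvent(9400, "ltc1 is not an address"),
]

if __name__ == "__main__":
    for ts, coin, before, after in detect_clipper(SAMPLE_EVENTS):
        print(f"[{ts} ms] {coin} address swapped: {before} -> {after}")
```

In a live deployment the same logic would run over clipboard-change notifications from the OS; the timeline here stands in for that feed so the check runs offline.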

When stealing cryptocurrency, the malware applies extra defenses to protect its ongoing operation. “If the crypto-clipper is enabled in the configuration, Styx Stealer applies additional anti-analysis and anti-debugging techniques. All checks are performed only once after the stealer is started. The stealer includes a full list of process names related to debuggers and analysis software, finds those processes and terminates them.”

As clever as it was, the hackers made a mistake, allowing Check Point to identify a link to the known bad actor behind Agent Tesla. “While debugging Styx Stealer,” the team explains, “the developer made a fatal mistake and leaked data from his computer, allowing CPR to collect a huge amount of information, including the number of customers, profit information, nicknames, phone numbers and email addresses, as well as similar data about the actor behind the Agent Tesla campaign.”

Check Point’s investigation also uncovered targeted industries and geographies, where the attacker harvested credentials, as well as Telegram chats, malware sales and contact data in Turkey, Spain and Nigeria, the last of which is where Fucosreal is based. It is still unclear which locations are connected to the threat actor himself, even though online identities have been traced. All the other threads and browsing paths tracked by Check Point are presented in detail in its report, including an investigation into the choreography of a Styx Stealer sale and the support that followed it.

“In the murky world of cybercrime,” says Check Point, “even the most cunning hackers can make mistakes that expose their operations. . . The attacks we detected were intercepted from the beginning by Check Point’s Threat Emulation, preventing Styx Stealer from being loaded onto customer computers. Unfortunately, we do not have complete visibility into how many users are being attacked around the world.”

Check Point’s message is clear. Make sure you keep Windows up to date, especially if you have a crypto wallet or any form of cryptocurrency on your PC. This new malware is distributed through malicious links and attachments in emails and messages, so the same old rules apply: ignore all those temptations.
