Unmasking Styx Stealer: How a Hacker’s Slip led to an Intelligence Treasure Trove

Botconf 2025
Wednesday
2025-05-21 | 14:00 – 14:30

Alexey Bukhteyev (speaker)

Careful monitoring of malicious campaigns can sometimes yield surprising discoveries. Our latest research revealed that even skilled cybercriminals, despite their meticulous efforts to stay in the shadows, can commit critical operational-security blunders. This presentation unveils the discovery and analysis of Styx Stealer, a new malware variant derived from the infamous Phemedrone Stealer. Our investigation not only dissects the technical capabilities of Styx Stealer but also exposes significant missteps by its developer, which led to the unmasking of associated cybercriminals and their operations.
Styx Stealer emerged in early 2024 as a powerful malicious tool capable of exfiltrating sensitive information, including saved browser credentials, data from browser extensions, cryptocurrency wallet data, and sessions from messaging platforms like Telegram and Discord. Technically, Styx Stealer retains the core functions of its predecessor while incorporating new features such as a clipboard monitor, crypto-clipper, advanced sandbox evasion, and anti-analysis techniques. Despite its relatively recent appearance, we observed its deployment in spam campaigns targeting various sectors throughout 2024.
This investigation helps us better understand the inner workings of cybercriminal operations, from the perspective of both malware developers and distributors. It also serves as a warning to cybercriminals: they can never be certain what traces they leave behind or where, nor what mistakes they make, and even long afterwards their actions and identities can still be uncovered.