Crypto-Stealing Malware 'Styx Stealer' Exposed by Hacker's Critical Mistake

news.bitcoin.com, 17 August 2024 02:57 UTC

Check Point Research (CPR) has uncovered Styx Stealer, a new malware capable of stealing browser data, cryptocurrency, and instant messenger sessions. Styx Stealer is a variant of Phemedrone Stealer and includes new features like auto-start and crypto-clipping. The malware was traced back to a developer linked to the Agent Tesla threat actor “Fucosreal.” During debugging, the developer made a critical mistake, leaking sensitive data, which allowed CPR to gather intelligence on clients, profits, and personal details. This slip exposed connections between Styx Stealer and the broader cybercrime network, including interactions with other cybercriminals like Fucosreal. CPR’s investigation revealed that Styx Stealer is based on an older version of Phemedrone Stealer, lacking some advanced features. The creator’s failure in operational security (OpSec) compromised the campaign, and CPR was able to identify the individuals involved, including their locations and personal details. Despite attempts to distribute the malware, the campaign largely failed.
