Styx Stealer malware exploits Windows vulnerability to ‘clip’ crypto

Check Point Research has uncovered Styx Stealer, a new malware targeting cryptocurrency via a clipping technique on computers using Windows.
Check Point Research has uncovered Styx Stealer, a new malware targeting cryptocurrency via a clipping technique on computers using Windows.

New malware called Styx Stealer has been uncovered by cybersecurity solutions provider Check Point Research. The newly discovered malware can steal a vast array of material, including cryptocurrency, through a mechanism known as clipping. It is freely available on a rental basis on the developer’s website.

Windows users with an up-to-date operating system are safe from the malware, since Styx Stealer depends on a vulnerability in Microsoft Windows Defender that was patched last year.

Malware upgraded to steal crypto

Styx Stealer was discovered because the developer experienced a data leak during debugging. It is derived from an older malware called Phemedrone Stealer. It maintains the functions of Phemedrone Stealer, such as stealing saved passwords, cookies, auto-fill data, cryptocurrency wallet data and instant messenger sessions, while incorporating new detection evasion techniques and adding a crypto clipper function.

Cryptocurrency clipping occurs when malware substitutes a crypto recipient’s wallet address with the bad actor’s wallet during a transaction.

Styx Stealer crypto clipper user interface. Source: Check Point Research

Related: Fake Zoom malware steals crypto while it’s ‘stuck’ loading, user warns

Styx Stealer was launched in April and can be licensed for $75 per month or $350 for a lifetime license. The pricing and features were displayed on the website styxcrypter.com until midday on Aug. 16, when they were replaced with information about another product. Purchases could be made via Telegram using Bitcoin (BTC), Litecoin (LTC), Tron (TRX), Tether (USDT), or Monero (XMR). Explanatory videos were also available on YouTube at one time.

Styx Stealer prices and features. Source: Check Point Research

Hacking is paying well in 2024

Point Research identified eight wallets presumably belonging to the Turkey-based Styx Stealer developer that had received around $9,500 in crypto as payment for the malware in the first two months of its operation.

Source: Check Point Research

Check Point Research also obtained the developer’s Telegram accounts, email addresses, phone numbers and contacts.

According to a report released by Chainalysis on Aug. 15, legitimate cryptocurrency activity is growing faster than illicit activity, although the value of the crypto hacked has increased. That is at least in part due to the price recovery of Bitcoin. The number of hacking incidents in 2024 has increased only marginally year-on-year.

Magazine: Pink Drainer creator defends his wallet draining crypto scam kit