Styx Stealer’s Creator Unmasked Due to Operational Security Error

August 21, 2024

Check Point Research (CPR) has identified the author of a new information-stealing malware, Styx Stealer, thanks to a major operational security mistake by the threat actor. This error allowed the researchers to trace the malware back to an individual based in Turkey who also has ties with the operator of an Agent Tesla campaign, a well-known and widely used information stealer.

The operational security error provided the researchers with a wealth of personal information about the malware developer, including his Telegram accounts, contacts, emails, and details about his cryptocurrency transfers over two months, which amounted to around $9,500. This was the income from the sales of Styx Stealer and a separate encryption tool. Alexey Bukhteyev, a CPR researcher, stated in a recent blog post, "During the debugging of Styx Stealer, the developer made a fatal error and leaked data from his computer."

This mishap allowed CPR to gather significant intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses. They also obtained similar data about the actor behind the Agent Tesla campaign. Although it's not common, threat actors occasionally reveal themselves due to operational security lapses. When this happens, security researchers seize the opportunity to gather as much information as possible about the threat actor's tactics, techniques, and procedures.

CPR researchers first became aware of the Styx Stealer's author while analyzing a malicious file containing Agent Tesla, recovered from a spam campaign in March. The malware was using Telegram's Bot API for data exfiltration, and the researchers managed to extract the Telegram bot token from it. This allowed them to monitor the threat actor's Telegram bot, leading to the discovery of a malicious archive file with a document titled "Styx Stealer."
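As an added defender-side example (not code from the CPR report or this article), the following Python flags the exfiltration channel described above: it pulls Telegram bot tokens out of a sample's extracted strings and out of proxy log lines that call api.telegram.org. The token format (numeric bot id, colon, 35-character secret) and the proxy log layout are assumptions, and all sample data is constructed.

```python
import re

# Assumption: Telegram bot tokens have the shape "<numeric bot id>:<35-char secret>"
# (public Bot API format); the article only says a token was extracted from the sample.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API traffic is HTTPS to api.telegram.org/bot<token>/<method>
API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")


def find_bot_tokens(strings):
    """Distinct bot tokens embedded in a sample's extracted strings (e.g. `strings` output)."""
    seen = []
    for s in strings:
        for tok in TOKEN_RE.findall(s):
            if tok not in seen:
                seen.append(tok)
    return seen


def redact(token):
    """Keep the bot id and the last 4 secret chars so a report can name the token without leaking it."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:****{secret[-4:]}"


def flag_bot_api_exfil(log_lines):
    """Proxy log lines that call the Bot API, as (client_ip, method, redacted token) tuples."""
    hits = []
    for line in log_lines:
        m = API_RE.search(line)
        if not m:
            continue
        client = line.split()[1]  # assumed format: "<ts> <client_ip> <verb> <url> <status>"
        hits.append((client, m.group(2), redact(m.group(1))))
    return hits


# Constructed sample data (not from the article or any real sample).
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot",
    "1234567890:AAH1234567890abcdefghijklmnopqrstuv",
    "sendDocument",
]
SAMPLE_PROXY_LOG = [
    "2024-03-12T10:01:22Z 10.0.0.15 GET https://example.com/index.html 200",
    "2024-03-12T10:01:40Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAH1234567890abcdefghijklmnopqrstuv/sendDocument 200",
    "2024-03-12T10:02:05Z 10.0.0.22 POST https://api.telegram.org/bot1234567890:AAH1234567890abcdefghijklmnopqrstuv/sendMessage 200",
]

if __name__ == "__main__":
    print("tokens in sample:", [redact(t) for t in find_bot_tokens(SAMPLE_STRINGS)])
    for client, method, tok in flag_bot_api_exfil(SAMPLE_PROXY_LOG):
        print(f"{client} -> Bot API {method} using token {tok}")
```

A hit on sendDocument from an endpoint that has no business using Telegram bots is the signal to pull the sample and, as CPR did, recover the token for further tracking.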

The researchers pieced together information that led them to identify the author of Styx Stealer as an individual based in Turkey, using the handle Sty1x, along with several different email addresses and phone numbers. They also found that Sty1x collaborated with an individual based in Lagos, Nigeria, using the handle @Mack_Sant. The researchers were able to recover data from both individuals' computers, which confirmed that @Mack_Sant was the operator of the Agent Tesla campaign that CPR had investigated in March.

The Styx Stealer is an information-stealing malware based on an early version of the code of "Phemedrone Stealer," a malware tool that was used in attacks exploiting CVE-2023-36025, a Windows Defender SmartScreen vulnerability. The malware steals data from Chromium-based browser extensions, cryptocurrency wallets, and files within the "My Documents" and "Desktop" folders. It can also gather location and system data and steal Discord, Telegram, and Steam sessions.

The malware includes various obfuscation and detection evasion features and is designed not to execute in certain countries, including Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Azerbaijan. Bukhteyev stated, "The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights."
