data extraction

Check Point Research (CPR) has identified a new malware variant called Styx Stealer, which extracts sensitive information from users, including browser data, instant messaging sessions from Telegram and Discord, and cryptocurrency assets. Styx Stealer is linked to the developer Sty1x, associated with the threat actor Fucosreal and the Agent Tesla malware. An operational security failure by the developer led to the accidental leak of sensitive data, allowing CPR to trace the malware back to its creator. Styx Stealer inherits functionalities from Phemedrone Stealer, capable of extracting saved passwords, cookies, auto-fill data, and information from browser extensions and cryptocurrency wallets. It can also capture session data from Telegram and Discord, gather system information, and take screenshots. The malware features auto-start capabilities, clipboard monitoring, and enhanced evasion techniques, and is marketed through a subscription model. In March 2024, a spam campaign distributing a malicious TAR archive containing Agent Tesla malware targeted various industries. CPR identified 54 customers who purchased Styx Stealer and Styx Crypter products, generating approximately ,500 in revenue over two months, with payments accepted in cryptocurrencies like Bitcoin and Monero. Styx Stealer employs evasion techniques to avoid detection, including checks for debugging tools and virtual machine environments.