An alarming report from Check Point Research, published today and detailed first here on Forbes, warns that a powerful new attack from a known threat actor is now underway. Targeting Windows users, this “malicious” new malware will steal anything it can find—including browser cookies, security credentials, and instant messages. The underlying malware has been seen before, but this latest iteration has been enhanced to be much better at emptying crypto wallets.
Overview of the Threat
The malware is an adaptation of the Phemedrone Stealer which made headlines earlier this year. Exploiting a vulnerability in Microsoft Windows Defender, the software executes scripts on PCs without prompting any security warnings.
Microsoft patched CVE-2023-36025 last year, and users can protect themselves by ensuring their operating system is up-to-date. However, with hundreds of millions of Windows 10 users facing the impending end of support in October 2025, many without the capability to upgrade to Windows 11 or the financial means to purchase a new device, the potential for exploitation is significantly heightened.
Check Point identifies this new malware variant, dubbed Styx Stealer, as being linked to one of the Agent Tesla threat actors, known as Fucosreal. Agent Tesla is a Windows Remote Access Trojan (RAT) typically offered as Malware-As-A-Service (MaaS). Once a PC is compromised, it opens the door for more dangerous software installations, often leading to ransomware attacks.
Accessibility and Functionality
Styx Stealer is available for rent at per month, with a lifetime license priced at 0. Check Point has noted that “the website selling Styx Stealer is still active, and anyone can purchase it.” The creator of Styx Stealer remains active on Telegram, responding to inquiries and reportedly working on a second product, Styx Crypter, designed to bypass antivirus protections. Consequently, Styx Stealer continues to pose a significant threat to users globally.
While Styx Stealer exploits a Windows vulnerability to infect systems, it also capitalizes on other security weaknesses, including the theft of session cookies, which enable a threat actor to replicate secure logins on their own machines. Google Chrome is the primary target for such thefts, given its extensive user base. In response, Google is implementing measures to link session cookies to specific device IDs, effectively shutting down the vulnerability. Furthermore, Google is encrypting and binding cookie data to specific applications, mitigating the risk of unauthorized access through malware-enabled rogue logins.
However, the threat is not limited to Chrome. Check Point indicates that Styx Stealer targets all Chromium-based browsers, including Edge, Opera, and Yandex, as well as Gecko-based alternatives like Firefox, Tor Browser, and SeaMonkey.
Innovative Crypto Theft Techniques
New elements introduced in this malware enhance its capabilities for crypto theft. Check Point explains that “crypto-stealing through crypto-clipping is a new functionality absent in Phemedrone Stealer, which operates autonomously without a command and control server while the malware is installed on the victim’s machine.” This allows Styx Stealer to quietly siphon cryptocurrency in the background.
Styx Stealer continuously monitors the clipboard at a configurable interval (defaulting to two milliseconds). When it detects a change, it triggers a crypto-clipper routine that steals cryptocurrency during transactions by silently replacing the wallet address the victim copied with an address controlled by the attacker. The crypto-clipper is equipped with nine regex patterns that recognize addresses across various blockchains, including BTC, ETH, and XMR.
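The defensive counterpart to the clipping behaviour described above is to compare what the user copied with what is about to be pasted: a same-chain address that no longer matches the copied one is the signature of clipboard substitution. The following is an added example and not Check Point's or the stealer's code; the address patterns for BTC, ETH and XMR are format-only checks assumed here, and all sample addresses are constructed.

```python
import re

# Format-only patterns for three of the chains the article names.
# These are assumptions of this example (no checksum validation), not the
# stealer's own nine regexes.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text):
    """Return the chain whose address format `text` matches, or None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None


def check_paste(copied, pasted):
    """Compare the address the user copied with the clipboard contents at
    paste time. Returns (verdict, chain):
      ok              - unchanged, safe to send
      substituted     - same chain, different address: clipper behaviour
      changed         - replaced by something of another kind
      not_an_address  - the copied text was not a wallet address
    """
    copied_chain = classify(copied)
    if copied_chain is None:
        return ("not_an_address", None)
    if copied.strip() == pasted.strip():
        return ("ok", copied_chain)
    if classify(pasted) == copied_chain:
        return ("substituted", copied_chain)
    return ("changed", copied_chain)


if __name__ == "__main__":
    # Constructed sample: victim copies one ETH address, clipboard now holds another.
    victim_copied = "0x" + "ab" * 20
    clipboard_now = "0x" + "cd" * 20
    print(check_paste(victim_copied, clipboard_now))  # ('substituted', 'ETH')
```

Wallet front-ends and clipboard managers can apply the same comparison before a transaction is signed, which catches the substitution regardless of which of the nine chains the clipper targets.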
In its quest for stealth, the malware employs additional defenses to safeguard its operations. When the crypto-clipper is activated, Styx Stealer runs anti-debugging and anti-analysis checks, performed only once after launch. It maintains a comprehensive list of process names associated with debuggers and analysis software, actively searching for and terminating those processes.
Unraveling the Mystery
Despite its sophistication, the hackers made a critical error that allowed Check Point to link Styx Stealer to the known Agent Tesla threat actor. During debugging, the developer inadvertently leaked data from their computer, providing Check Point with valuable intelligence, including client numbers, profit information, and personal details of the actor behind the Agent Tesla campaign.
Check Point’s investigation also uncovered target industries and geographic locations where the attacker harvested credentials, including Telegram chats and malware sales in Turkey, Spain, and Nigeria—home to Fucosreal. While the exact connections to the threat actor remain unclear, online identities were tracked down, revealing a web of interconnected activities.
In the shadowy realm of cybercrime, even the most skilled hackers can make mistakes that expose their operations. Check Point’s Threat Emulation technology successfully intercepted attacks at an early stage, preventing Styx Stealer from being loaded onto customers’ computers. Nonetheless, the full extent of the global impact remains uncertain.
Check Point’s message is unequivocal: ensure your Windows operating system is up-to-date, particularly if you manage a crypto wallet or engage in cryptocurrency trading on your PC. This new malware is typically disseminated through malicious links and attachments in emails and messages, underscoring the importance of exercising caution and vigilance in digital communications.