A newly documented malware family, Styx Stealer, is quietly stealing cryptocurrency from Windows computers.
Cybersecurity firm Check Point Research first identified Styx in April as a more capable derivative of Phemedrone Stealer. The malware used a now-patched Windows vulnerability to get onto victims' machines, then hijacked cryptocurrency transactions and harvested sensitive data from the compromised systems, including wallet private keys, browser cookies and browser autofill data.
Phemedrone first made waves in early 2024. It is a conventional information stealer: it raids web browsers and wallet software for credentials, cookies and wallet data, but, unlike Styx, it does not tamper with transactions in progress.
Both strains abuse the same, now-patched flaw in Microsoft Defender SmartScreen, the Windows feature that is supposed to warn users about potentially harmful websites and downloads, to run on the victim's machine without that warning.
Styx, however, adds a new threat: a clipboard hijacker, often called a "clipper". The malware watches the Windows clipboard for changes and, whenever it sees a copied cryptocurrency wallet address, silently replaces it with an address belonging to the attacker, so the victim's next payment is sent to the wrong wallet.
The Phorpiex botnet was previously known to use the same technique to hijack cryptocurrency transactions.
According to Check Point Research’s findings, Styx can identify wallet addresses on nine blockchains: Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Ripple (XRP), Litecoin (LTC), Bitcoin Cash (BCH), Stellar (XLM), Dash (DASH), and Neo (NEO).
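The clipper mechanism described above, and the address recognition it depends on, is easier to reason about in code. The following is an added example written for this article, not code from Styx Stealer or from Check Point Research: it classifies clipboard text against rough address shapes for the nine chains listed, shows the substitution a clipper performs on each clipboard change, and then runs a simple defender-side heuristic over a constructed clipboard history. The regexes check only prefix, alphabet and length (no checksum validation), the one-second window, the "attacker" wallets and every address in the timeline are assumptions made up for the example.

```python
import re
from typing import Optional

# Rough address-shape patterns for the nine chains Check Point lists for Styx.
# Prefix/alphabet/length only, no checksum validation: an assumption for this
# example, not the malware's own matching logic. Order matters only in that
# ETH is checked first; the prefixes otherwise do not overlap.
ADDRESS_PATTERNS = {
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC":  re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,87})$"),
    "XMR":  re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "LTC":  re.compile(r"^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[02-9ac-hj-np-z]{25,87})$"),
    "BCH":  re.compile(r"^(?:bitcoincash:)?[qp][02-9ac-hj-np-z]{41}$"),
    "XLM":  re.compile(r"^G[A-Z2-7]{55}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
    "NEO":  re.compile(r"^A[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address shape `text` matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


# Attacker-controlled replacement wallets, one per chain the clipper handles.
# Constructed strings of the right shape, not real addresses.
ATTACKER_WALLETS = {
    "BTC": "1" + "Attacker" + "A" * 25,   # 34 chars, legacy-style prefix
    "ETH": "0x" + "cd" * 20,              # 42 chars
}


def clipper_substitute(clipboard_text: str, attacker_wallets: dict) -> str:
    """What a clipper does on every clipboard change: if the new text is a
    wallet address on a chain the attacker has a wallet for, swap it in;
    anything else is left untouched so the victim notices nothing."""
    chain = classify_address(clipboard_text)
    if chain and chain in attacker_wallets:
        return attacker_wallets[chain]
    return clipboard_text


def detect_clip_swaps(snapshots, max_delta: float = 1.0):
    """Defender-side heuristic over a list of (timestamp_s, clipboard_text)
    snapshots: flag a wallet address that is replaced by a *different* address
    of the same chain within `max_delta` seconds. A person rarely copies two
    addresses of the same chain that quickly; a polling clipper overwrites the
    clipboard within milliseconds of the user's copy."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        chain_before, chain_after = classify_address(before), classify_address(after)
        if chain_before and chain_before == chain_after and before != after \
                and (t1 - t0) <= max_delta:
            alerts.append({
                "chain": chain_before,
                "copied": before,
                "replaced_with": after,
                "delta_s": round(t1 - t0, 3),
            })
    return alerts


# Constructed victim addresses of the right shape (not real).
VICTIM_BTC = "1" + "Victim" + "A" * 27    # 34 chars
VICTIM_ETH = "0x" + "ab" * 20             # 42 chars


def build_sample_timeline():
    """Constructed clipboard history: the user copies a BTC address, the clipper
    overwrites it 40 ms later; some plain text; an ETH address that is also
    swapped; and finally two different XRP addresses copied 30 s apart, which
    is legitimate behaviour and must not be flagged."""
    return [
        (0.00, VICTIM_BTC),
        (0.04, clipper_substitute(VICTIM_BTC, ATTACKER_WALLETS)),
        (5.00, "meeting notes: call at 3pm"),
        (9.00, VICTIM_ETH),
        (9.05, clipper_substitute(VICTIM_ETH, ATTACKER_WALLETS)),
        (40.0, "r" + "Exchange" + "A" * 25),
        (70.0, "r" + "Friend" + "A" * 27),
    ]


if __name__ == "__main__":
    for alert in detect_clip_swaps(build_sample_timeline()):
        print(alert)
```

The heuristic is deliberately narrow: it only fires when one address of a chain becomes a different address of the same chain almost instantly, which is exactly the clipper's signature and not something a user does by hand. It is a triage signal, not a wallet-side control; the reliable defence remains comparing the pasted address against the intended one in the wallet before signing.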
For data theft, it targets Chromium- and Gecko-based browsers, data stored by browser extensions, and data from Telegram and Discord.
The builder offers an autorun (persistence) option and a user-friendly graphical interface, making it easy for buyers to customize and distribute their own build.
Styx Stealer user interface | source: Check Point Research
Styx also ships basic anti-analysis measures. It kills processes associated with debugging tools and checks whether it is running inside a virtual machine; if it detects one, it deletes itself rather than run where analysts can observe it.
Reachable via Telegram
Sales and distribution are handled manually through the @styxencode Telegram account and the styxcrypter[.]com website. Check Point Research (CPR) also found advertisements and YouTube videos promoting the malware.
At least 54 people sent payments totalling around $9,500 to the Styx developer in various cryptocurrencies, including Bitcoin and Litecoin. Unlike its predecessor Phemedrone, which was free, Styx is sold for $75 a month, $230 for three months, or $350 for a lifetime license.
The amount of crypto stolen using Styx or the scale of the systems infected remains unclear.
Crypto-stealing malware has also been found on Apple's macOS, as antivirus vendor Kaspersky reported earlier this year. That malware targeted Bitcoin and Exodus wallets by replacing the genuine wallet applications with trojanized versions.
As the crypto industry has expanded, attacks and thefts have become quite profitable, with millions of dollars worth of funds lost each year. Yet, some notorious threat actors have decided to call it quits.
Last month, Angel Drainer, a drain-as-a-service malware responsible for theft of over $25 million, ceased operations. In November, multi-chain crypto fraud service Inferno Drainer shut down its services.