New Malware Styx Stealer Targets Windows Users, Steals Credentials

17 Aug 2024

An alarming report from Check Point Research, published today and detailed first here on Forbes, warns that a powerful new attack from a known threat actor is now underway. Targeting Windows users, this “malicious” new malware will steal anything it can find—including browser cookies, security credentials, and instant messages. The underlying malware has been seen before, but this latest iteration has been enhanced to be much better at emptying crypto wallets.

Overview of the Threat

The malware is an adaptation of the Phemedrone Stealer which made headlines earlier this year. Exploiting a vulnerability in Microsoft Windows Defender, the software executes scripts on PCs without prompting any security warnings.

Microsoft patched the vulnerability, tracked as CVE-2023-36025, last year, and users can protect themselves by ensuring their operating system is up to date. However, with hundreds of millions of Windows 10 users facing the impending end of support in October 2025, many without the capability to upgrade to Windows 11 or the financial means to purchase a new device, the potential for exploitation is significantly heightened.

Check Point identifies this new malware variant, dubbed Styx Stealer, as being linked to one of the Agent Tesla threat actors, known as Fucosreal. Agent Tesla is a Windows Remote Access Trojan (RAT) typically offered as Malware-As-A-Service (MaaS). Once a PC is compromised, it opens the door for more dangerous software installations, often leading to ransomware attacks.

Accessibility and Functionality

Styx Stealer is available for rent at $50 per month, with a lifetime license priced at $500. Check Point has noted that “the website selling Styx Stealer is still active, and anyone can purchase it.” The creator of Styx Stealer remains active on Telegram, responding to inquiries and reportedly working on a second product, Styx Crypter, designed to bypass antivirus protections. Consequently, Styx Stealer continues to pose a significant threat to users globally.

While Styx Stealer exploits a Windows vulnerability to infect systems, it also capitalizes on other security weaknesses, including session cookies that can be stolen and then used by a threat actor to replicate secure logins on their own machines. Google Chrome is the primary target for such thefts, given its extensive user base. In response, Google is implementing measures to link session cookies to specific device IDs, effectively shutting down the vulnerability. Furthermore, Google is encrypting and binding cookie data to specific applications, mitigating the risk of unauthorized access through malware-enabled rogue logins.

However, the threat is not limited to Chrome. Check Point indicates that Styx Stealer targets all Chromium-based browsers, including Edge, Opera, and Yandex, as well as Gecko-based alternatives like Firefox, Tor Browser, and SeaMonkey.

Innovative Crypto Theft Techniques

New elements introduced in this malware enhance its capabilities for crypto theft. Check Point explains that “crypto-stealing through crypto-clipping is a new functionality absent in Phemedrone Stealer, which operates autonomously without a command and control server while the malware is installed on the victim’s machine.” This allows Styx Stealer to quietly siphon cryptocurrency in the background.

Styx Stealer continuously monitors the clipboard at configurable intervals (defaulting to two milliseconds). If it detects a change, it triggers a crypto-clipper function that steals cryptocurrency during transactions by substituting the original wallet address with that of the attacker. The crypto-clipper is equipped with nine regex patterns for addresses across various blockchains, including BTC, ETH, and XMR.
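The clipboard behaviour described above leaves a recognisable trace: one wallet address replaced by a different address of the same chain within milliseconds. The following is an added detection sketch, not code from Check Point or from the malware; the address patterns are simplified public formats (not the stealer's nine patterns), and the event list, function names and the 500 ms threshold are assumptions made for illustration.

```python
import re

# Simplified public address formats (assumption: not the malware's own patterns).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def classify(text):
    """Return the chain name if the clipboard text is a single wallet address."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None

def find_swaps(events, max_gap_ms=500):
    """Flag clipboard changes where one address replaces another of the same
    chain faster than a person could plausibly copy a second address."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        chain = classify(before)
        if chain is None or chain != classify(after):
            continue  # not an address-to-address change on the same chain
        if before.strip() != after.strip() and (t1 - t0) <= max_gap_ms:
            alerts.append({"chain": chain, "copied": before.strip(),
                           "replaced_by": after.strip(), "gap_ms": t1 - t0})
    return alerts

# Constructed sample: (timestamp in ms, clipboard text). Addresses are made up.
SAMPLE_EVENTS = [
    (0, "meeting notes"),
    (4000, "0x" + "ab" * 20),   # user copies an ETH address
    (4003, "0x" + "cd" * 20),   # replaced 3 ms later: suspicious
    (9000, "1" + "A" * 30),     # user copies a BTC address
    (60000, "1" + "B" * 30),    # different BTC address a minute later: normal
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works at paste time: if the address about to be submitted differs from the one the user copied, the transaction should be stopped and the host investigated.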

In its quest for stealth, the malware employs additional defenses to safeguard its operations. If the crypto-clipper is activated, Styx Stealer implements anti-debugging and analysis techniques, complicating efforts to detect and neutralize it.
