New Malware Styx Stealer Targets Cryptocurrency on Windows PCs

Styx Stealer, a new malware, stealthily swipes cryptocurrency from Windows-based computers.

Cybersecurity firm Check Point Research first identified Styx as an enhanced version of Phemodrone Stealer in April. The malware exploited a now-patched Windows vulnerability, hijacking cryptocurrency transactions and stealing sensitive data from compromised systems, such as private keys, browser cookies, and autofill browser data.

Phemodrone first appeared in early 2024. Unlike Styx Stealer, it focused on web browsers to drain crypto from wallets and other information. Both malware types exploited the same loophole in Windows Defender, the operating system’s native antivirus, by taking advantage of an old vulnerability in the SmartScreen feature designed to warn users about potentially harmful websites and downloads.

However, Styx presents new threats with the addition of a crypto-clipping mechanism. Essentially, the malware monitors the clipboard for changes and then replaces copied cryptocurrency wallet addresses with those belonging to the attacker. Previously, the Phorpiex botnet was known to use this technique to hijack crypto transactions.

According to Check Point Research’s findings, Styx can identify wallet addresses across nine blockchains, including Bitcoin, Ethereum, Monero, Ripple, Litecoin, Bitcoin Cash, Stellar, Dash, and Neo.

Chromium- and Gecko-based browsers, data from browser extensions, Telegram, and Discord are especially vulnerable. The malware’s builder has an autorun feature and a user-friendly graphical interface, making it easier for cybercriminals to customize and deploy it.

Styx is also equipped with basic anti-analysis techniques to mask its operations. To evade detection, it terminates processes associated with debugging tools and detects virtual machine environments. If such an environment is detected, Styx Stealer initiates self-deletion.

The malware’s distribution and sales are managed manually through the Telegram account @styxencode and the styxcrypter[.]com website. Check Point Research has also discovered advertisements and videos that promote the malicious software.

At least 54 individuals had sent the Styx developer approximately $9,500 in payments using various cryptocurrencies like Bitcoin and Litecoin. Unlike its predecessor, which was free, this malware is available with a monthly license for $75, $230 for three months, and $350 for lifetime access. The amount of crypto funds stolen or the scale of the systems infected using Styx remains unclear.

Crypto-stealing malware has also been found on Apple’s MacOS, as reported earlier this year. The malware targeted Bitcoin and Exodus wallets by replacing the actual software with an altered version. Hacks and thefts have become frequent as the crypto sector expands, with millions of dollars worth of funds lost yearly. Nevertheless, some notorious threat actors have decided to call it quits.

Last month, Angel Drainer, a drainer-as-a-service malware responsible for over $25 million in thefts, shut down operations. In November, multi-chain crypto scam service Inferno Drainer halted services.

Stay updated with the latest in cryptocurrency and cybersecurity news on Global Crypto News.