Threat actors behind the Styx Stealer and Agent Tesla malware operations have been uncovered following the decryption of exposed Telegram Bot API tokens, which both operators had been using for data exfiltration in place of their own infrastructure, according to SC Media.
Check Point researchers reported that such decryption enabled access to information from the Agent Tesla-linked bot "joemmBot," which then led to the discovery of conversations between Styx Stealer malware operator "Sty1x" and "Mack_Sant," who had recommended bot API usage for data theft activities. Additional analysis also revealed various information from Sty1x, including user data, phone numbers, and login records, shedding light on the Turkey-based operations of "styxencode" and the number of threat actors leveraging Styx Stealer.
Also revealed by the conversations were various cyberattacks conducted by the Nigeria-based Mack_Sant, who also went by the name "Fucos" and who was previously reported to be the operator of Agent Tesla.