Posts Tagged: styx-crypt

Jun 14

Ne’er-Do-Well News, Volume I

It’s been a while since a new category debuted on this blog, and it occurred to me that I didn’t have a catch-all designation for random ne’er-do-well news. Alas, the inaugural entry for Ne’er-Do-Well News looks at three recent unrelated developments: The availability of remote access iPhone apps written by a programmer perhaps best known for developing crimeware; the return to prison of a young hacker who earned notoriety after simultaneously hacking Paris Hilton’s cell phone and data broker LexisNexis; and the release of Pavel Vrublevsky from a Russian prison more than a year before his sentence was to expire.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

A year ago, this blog featured a series of articles that sought to track down the developers of the Styx-Crypt exploit kit, a crimeware package being sold to help bad guys booby-trap compromised Web sites with malware. Earlier this week, I learned that a leading developer of Styx-Crypt — a Ukrainian man named Max Gavryuk — also is selling his own line of remote administration tools curiously called “Zeus Terminal,” available via the Apple iTunes store.

News of the app family came via a Twitter follower who  asked to remain anonymous, but who said two of the apps by this author were recently pulled from Apple’s iTunes store, including Zeus Terminal and Zeus Terminal Lite. It’s unclear why the apps were yanked or by whom, but the developer appears to have two other remote access apps for sale on iTunes, including ZeusTerm and ZeusTerm HD.

Incidentally, the support page listed for these apps — zeus-terminal[dot]com — no longer appears to be active (if, indeed it ever was), but the developer lists as his other home page reality7solutions[dot]com, which as this blog has reported was intricately tied to the Styx-Crypt development team.

This wouldn’t be the first time a crimeware author segued into building apps for the iPhone and iPad: In January 2012, as part of my Pharma Wars series, I wrote about clues that strongly suggested the Srizbi/Reactor spam botnet was developed and sold by a guy who left the spam business to build OOO Gameprom, a company that has developed dozens of games available in the iTunes store.

Continue reading →

Jul 13

Who’s Behind The Styx-Crypt Exploit Pack?

Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, I’ll be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.

styxlogoAs I noted in Monday’s story, what’s remarkable about Styx is that while most exploit kits are sold on private and semi-private underground forums, Styx has been marketed and sold via a regular Web site: styx-crypt[dot]com. The peddlers of this service took down their site just hours after my story ran, but versions of the site cached by hold some important clues about who’s responsible for selling this product.

At the bottom of the archived styx-crypt homepage, we can see two clickable banners for an account at virtual currency Webmoney to which potential customers of Styx will need to send money in order to purchase a license for the software. The Webmoney account #268711559579 belongs to a Webmoney Purse number Z268711559579. Follow that link and you’ll see that the registered username attached to that purse is “Ikar.” If we look closer we can see that Ikar’s Webmoney purse is connected to another purse at Webmoney account 317426476957, which is this purse belonging to a user named “Nazar.” (Update: July 11, 10:14 p.m.: Both Ikar and Nazar changed the names on their Webmoney accounts after this story ran. Thankfully, cached the old data. The links to the purses above have been changed accordingly.)

Both Ikar and Nazar are nicknames that were used in Styx sales threads on several underground forums, including damagelab[dot]org, secnull[dot]cc and antichat[dot]ru. In these threads, Ikar used the contact address ““, while Nazar listed ““. Both addresses are associated with forum accounts named “Ikar” and “Renzor” (for examples, see this cached, Google-Translated page from Renzor’s account on, and this cached page from secnull[dot]cc). Nazar’s address is linked to a “Max Lighter” profile on Facebook, but not much more information is available on that profile. doesn’t appear to be connected to anything special, but Nazar’s address was used as the point-of-contact in registering two very interesting domains: and Looking at the familiar wormhole-like squiggly at the top of, I noticed it was very similar to the rotating icon ( video) used by the Styx pack.’s homepage lists an address in the United States for a company called EPAM Systems, which according to the business directory maintained by Hoovers  is a public company that specializes in IT outsourcing. Hoovers says the company provides “software development and other IT services to US and European customers primarily from development centers in Russia, Belarus, Hungary, Ukraine, Kazakhstan and Poland.”

The ICQ number listed on the homepage of belongs to a Website design professional from Khmelnitsky, Ukraine named Stanislav Shangin. If we look at Schangin’s personal page where he lists all of the Web sites he’s been hired to create, we can see he designed both styx-crypt[dot]com and, among dozens of other sites. Shangin did not respond to requests for comment.

Continue reading →