New Scylex Banking Trojan Kit Surfaces on the Dark Web

Share this…

Scylex – “the next big thing” in terms of banking trojan. Threat-intel experts from Heimdal Security and the CSIS Security Group have uncovered a new banking trojan called Scylex, currently advertised on Dark Web hacking forums, but not yet seen in real-world attacks.

According to the crooks’ advertisement – embedded in full at the end of this article – the group is marketing their product as a totally new, 99 percent original banking trojan.

In the past years, most banking trojans that appeared have used the source code leaked from the Zeus project, and filled the market with unoriginal and almost identical clones.


Scylex price starts from $7,500

The criminal group is leveraging this Zeus market fatigue to push a new product, which has a better chance at evading antivirus detection than any of the Zeus clones.

The group is selling their new cyber-crime kit for a basic price of $7,500. This includes a rootkit, modules to steal data from Web forms, the ability to inject new content into a Web page, an SOCKS5 reverse proxy, the ability to work via slow Internet connections, and the ability to work without administrator privileges on the infected machine.

If the buyer chooses to pay $2,000 more, then he’ll receive full SOCKS5 support, allowing him to exfiltrate data to his own server via an SOCKS5 proxy.

There is also a separate Premium package that for $10,000 offers support for HNVC (Hidden Virtual Network Computing), a complex feature that allows the crook to create virtual desktops, where they can carry out all sorts of malicious operations.

New, deadly features are in the works

Furthermore, the group is hinting at upcoming features that include support for the Edge and Opera browsers, a powerful “Spreader” module to help with the trojan’s distribution, support for reverse FTP, and an ATS engine to carry out transactions inside hijacked banking accounts.

The Scylex crew is also working on a DDoS and click-bot module, just in case the people using the trojan might need this functionality as well, to diversify their profits.

As criminal groups purchase this new threat and start distributing it, we’ll likely hear more details about its mode of operation in the near future. Below is the full Scylex ad.