Venom Stealer infostealer kit introduces continuous credential harvesting via malware-as-a-service model
Summary
A newly identified infostealer malware kit named Venom Stealer is offered as a malware-as-a-service (MaaS) subscription priced at $250 per month or $1,800 lifetime, enabling continuous credential harvesting and wallet cracking operations. The kit targets Windows systems via deceptive social engineering lures hosted on custom Cloudflare DNS domains, bypassing browser encryption for Chrome v10/v20 passwords without triggering User Account Control (UAC) prompts. Upon execution, it extracts and exfiltrates browser credentials, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from Chromium and Firefox browsers. Venom Stealer distinguishes itself by maintaining silent persistence through a background session listener that reports new credentials and wallet activity to command-and-control infrastructure twice daily, undermining password rotation and incident response efforts.
Timeline
- 31.03.2026 17:51: Venom Stealer introduces continuous credential harvesting with background session listener in March 2026
  The Venom Stealer infostealer kit was updated in March 2026 to include a silent background session listener that reports new credentials and cryptocurrency wallet activity to command-and-control infrastructure twice daily. This update transforms the infostealer from a traditional steal-and-depart tool into a persistent surveillance and data harvesting platform, undermining password rotation policies and incident response timelines.
  - Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
Information Snippets
- Venom Stealer is distributed as a malware-as-a-service (MaaS) subscription priced at $250 per month or $1,800 for lifetime access, with updates provided under license.
  First reported: 31.03.2026 17:51 (1 source, 1 article)
  - Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- The infostealer bypasses Chrome v10 and v20 password encryption by extracting decryption keys via silent privilege escalation without triggering UAC prompts or leaving forensic artifacts.
  First reported: 31.03.2026 17:51 (1 source, 1 article)
  - Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- Venom Stealer targets Chromium and Firefox browsers, extracting saved passwords, session cookies, browsing history, autofill data, and cryptocurrency wallet vaults from all browser profiles.
  First reported: 31.03.2026 17:51 (1 source, 1 article)
  - Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- A continuous background session listener was added in March 2026, reporting new credentials and cryptocurrency wallet activity to command-and-control infrastructure twice daily to bypass password rotation and incident response measures.
  First reported: 31.03.2026 17:51 (1 source, 1 article)
  - Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
- The infostealer includes automated cracking support for cryptocurrency wallets including MetaMask, Phantom, Solflare, Trust Wallet, Atomic, Exodus, Electrum, Bitcoin Core, Monero, and Tonkeeper, with exfiltrated funds automatically swept across nine chains including ERC-20/SPL tokens and DeFi positions.
  First reported: 31.03.2026 17:51 (1 source, 1 article)
  - Venom Stealer Raises Stakes With Continuous Credential Harvesting — www.securityweek.com — 31.03.2026 17:51
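
A detection example for the twice-daily reporting described above, added here and not taken from the cited article or any vendor tooling: it groups outbound connections by host and destination and flags pairs whose gaps between connections all cluster around 12 hours. The log format, host names and addresses are constructed, and the even 12-hour spacing is an assumption, since the page only says "twice daily".

```python
"""Flag host/destination pairs whose outbound connections recur about every 12 hours."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy-log sample: "<UTC timestamp> <host> <destination>".
SAMPLE_LOG = """\
2026-03-25T03:14:09Z WS-0417 203.0.113.50:443
2026-03-25T09:02:11Z WS-0417 198.51.100.7:443
2026-03-25T15:13:40Z WS-0417 203.0.113.50:443
2026-03-25T09:40:55Z WS-0417 198.51.100.7:443
2026-03-26T03:15:02Z WS-0417 203.0.113.50:443
2026-03-26T14:21:30Z WS-0417 198.51.100.7:443
2026-03-26T15:12:48Z WS-0417 203.0.113.50:443
2026-03-27T03:14:31Z WS-0417 203.0.113.50:443
2026-03-27T08:05:00Z WS-0233 203.0.113.50:443
2026-03-27T10:00:00Z WS-0417 198.51.100.7:443
"""

def parse(log_text):
    """Yield (datetime, host, destination) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]

def find_slow_beacons(log_text, period_h=12.0, tolerance=0.1, min_events=4):
    """Return [(host, dest, median_gap_hours, events)] for pairs whose gaps
    between consecutive connections all sit within `tolerance` of `period_h`."""
    seen = defaultdict(list)
    for ts, host, dest in parse(log_text):
        seen[(host, dest)].append(ts)
    hits = []
    for (host, dest), times in sorted(seen.items()):
        if len(times) < min_events:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if all(abs(g - period_h) <= tolerance * period_h for g in gaps):
            hits.append((host, dest, round(median(gaps), 2), len(times)))
    return hits

if __name__ == "__main__":
    for hit in find_slow_beacons(SAMPLE_LOG):
        print(hit)
```

A host that is powered off overnight will skip a check-in, so a production rule would also accept gaps at whole multiples of the period.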